Security Improvement: Dedicated API Key System for Browser Extension #106

kubbot opened this issue May 15, 2025 · 0 comments
Labels
enhancement New feature or request
kubbot commented May 15, 2025

Current Implementation

The browser extension currently uses the same JWT token that's used for web authentication (surfsense_bearer_token). This token has full access to all user account capabilities and is stored in localStorage.

Security Concerns

  1. Elevated Privileges: The extension uses a token with complete account access, following the principle of least privilege.
  2. Revocation Challenges: There's no way to revoke just the extension's access without logging out all sessions.
  3. No Scope Limitation: The token cannot be restricted to only perform extension-specific operations.
  4. Limited Auditability: Cannot track which tokens are being used by which applications.

Suggested Improvement

Implement a dedicated API key system that:

  • Allows generating separate keys for the extension with limited scope
  • Supports individual key revocation without affecting user sessions
  • Includes expiration control and usage logging
  • Permits users to see which API keys are active

Benefits

  • Improved security posture
  • Enhanced user control over access
  • Better auditability
  • Alignment with security best practices for external applications

Implementation Ideas

  1. Create a new database table for API keys with scopes and metadata
  2. Add API key generation/management endpoints
  3. Modify the browser extension to use these dedicated keys
  4. Update the dashboard to show active API keys with revocation options

Would you consider this enhancement for a future release? Happy to provide more details if needed.
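The following is an added illustration of the design sketched in the issue (scoped keys, per-key revocation, expiry, usage logging, listing of active keys); it is not SurfSense code and is not part of the issue. It stands in an in-memory dictionary for the proposed `api_keys` table, uses hypothetical scope names (`documents:write`, `search:read`) and a hypothetical `sk_<key_id>.<secret>` key format, and stores only a SHA-256 hash of the secret so a database read cannot recover usable keys. The clock is injectable so expiry can be exercised deterministically.

```python
"""Scoped, revocable API keys for a browser extension (illustrative, not SurfSense code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Hypothetical scope names chosen for this example; a real system defines its own.
EXTENSION_SCOPES = frozenset({"documents:write", "search:read"})


@dataclass
class ApiKey:
    key_id: str
    user_id: str
    secret_hash: str            # sha256 of the secret; the secret itself is never stored
    scopes: frozenset[str]
    label: str                  # shown in the dashboard, e.g. "browser extension"
    created_at: float
    expires_at: float | None    # None means no expiry
    revoked: bool = False


@dataclass
class UsageRecord:
    key_id: str
    scope: str
    at: float
    allowed: bool


class ApiKeyStore:
    """In-memory stand-in for the api_keys table proposed in the issue."""

    def __init__(self, clock=time.time):
        self._clock = clock                      # injectable for deterministic tests
        self._keys: dict[str, ApiKey] = {}
        self.usage_log: list[UsageRecord] = []   # one row per authorization attempt

    @staticmethod
    def _hash(secret: str) -> str:
        return hashlib.sha256(secret.encode()).hexdigest()

    def generate(self, user_id: str, scopes, label: str, ttl_seconds: float | None = None):
        """Create a key; returns (plaintext shown once to the user, stored record)."""
        unknown = set(scopes) - EXTENSION_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(8)            # public identifier, safe to log
        secret = secrets.token_urlsafe(32)       # high-entropy secret, hashed at rest
        now = self._clock()
        record = ApiKey(key_id, user_id, self._hash(secret), frozenset(scopes), label,
                        now, now + ttl_seconds if ttl_seconds else None)
        self._keys[key_id] = record
        return f"sk_{key_id}.{secret}", record

    def revoke(self, key_id: str) -> bool:
        """Revoke one key only; web sessions and other keys are unaffected."""
        record = self._keys.get(key_id)
        if record is None or record.revoked:
            return False
        record.revoked = True
        return True

    def active_keys(self, user_id: str) -> list[ApiKey]:
        """What the dashboard would list: unrevoked, unexpired keys for this user."""
        now = self._clock()
        return [k for k in self._keys.values()
                if k.user_id == user_id and not k.revoked
                and (k.expires_at is None or k.expires_at > now)]

    def authorize(self, presented: str, required_scope: str) -> ApiKey | None:
        """Return the key record if it is valid for required_scope, else None."""
        try:
            prefix, secret = presented.split(".", 1)
        except ValueError:                       # malformed: no separator at all
            return None
        record = self._keys.get(prefix.removeprefix("sk_"))
        ok = (record is not None
              and hmac.compare_digest(record.secret_hash, self._hash(secret))
              and not record.revoked
              and (record.expires_at is None or record.expires_at > self._clock())
              and required_scope in record.scopes)
        if record is not None:                   # log attempts against known key ids
            self.usage_log.append(UsageRecord(record.key_id, required_scope, self._clock(), ok))
        return record if ok else None
```

Lookup is by the public `key_id` part, and the hash comparison uses `hmac.compare_digest`, so a wrong secret for a real key id takes the same time as a right one. Denied attempts are logged alongside allowed ones, which is what gives the per-application auditability the issue asks for.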

@MODSetter MODSetter added the enhancement New feature or request label Jun 3, 2025