This implementation uses a Service Worker to securely handle GitHub API authentication, preventing token exposure in browser DevTools Network tab.
- GitHub access tokens (Personal Access or fine-grained tokens) are stored in IndexedDB within the Service Worker context
- Token is never accessible from the main application thread after initial setup
- The token is encrypted at rest using the browser's IndexedDB security
- Service Worker intercepts all requests to https://api.github.com
- Adds an `Authorization: Bearer <token>` header to intercepted requests
- Main application makes requests without auth headers
- Network Tab Protection: Authorization headers are not visible in DevTools
- Token Isolation: Token exists only in Service Worker scope
- Automatic Cleanup: Token cleared on logout
- CSP Compliance: Requests are made through controlled proxy
- Service Worker that handles request interception and token storage.
- Manager class for Service Worker registration and token management.
- GitHub API client (modified to not include auth headers directly).
- Configuration with token validation and Service Worker initialization.
- Registration: Service Worker registers automatically on app start
- Token Setup: Token is sent to Service Worker on app initialization
- API Calls: All GitHub API calls are intercepted and authenticated
- Cleanup: Token cleared from storage on user logout
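The flow above, as an added example that is not the project's own code: the origin check and header rewrite the Service Worker applies to GitHub API calls, the message handling that stores and clears the token, the IndexedDB helpers, and the main-thread hand-off at startup. The database and object store names, the message types (`SET_TOKEN`, `CLEAR_TOKEN`, `AUTH_STATUS`), the token format check and the worker path `/sw.js` are assumptions; the pure functions run under Node or a browser, the worker and page wiring only where those APIs exist.

```javascript
// Added example (not the project's code). Assumed: DB/store names, message types, worker path.
const GITHUB_API_ORIGIN = 'https://api.github.com';

// Intercept only requests whose parsed origin is the GitHub API. Comparing the
// origin, not a string prefix, keeps lookalike hosts and plain-http variants
// from ever receiving the token.
function shouldIntercept(url) {
  let parsed;
  try { parsed = new URL(url); } catch { return false; }
  return parsed.origin === GITHUB_API_ORIGIN;
}

// Accept only a non-empty printable-ASCII token with no spaces; CR/LF or other
// control characters would corrupt the header, so they are refused before storage.
function isPlausibleToken(token) {
  return typeof token === 'string' && /^[\x21-\x7E]+$/.test(token);
}

// Return a copy of the request carrying "Authorization: Bearer <token>". With no
// token, or for any other origin, the request passes through unchanged (the
// fallback to direct, unauthenticated requests). A page-supplied Authorization
// header is replaced rather than trusted.
function withAuthorization(request, token) {
  if (!token || !shouldIntercept(request.url)) return request;
  const headers = new Headers(request.headers);
  headers.set('Authorization', `Bearer ${token}`);
  return new Request(request, { headers });
}

// Page -> worker messages: { type: 'SET_TOKEN', token } and { type: 'CLEAR_TOKEN' }.
// The status string never echoes the token, so nothing secret reaches logs.
async function handleMessage(message, store) {
  switch (message && message.type) {
    case 'SET_TOKEN':
      if (!isPlausibleToken(message.token)) return 'rejected';
      await store.set(message.token);
      return 'stored';
    case 'CLEAR_TOKEN':
      await store.clear();
      return 'cleared';
    default:
      return 'ignored';
  }
}

// IndexedDB-backed store used inside the worker (browser only; names assumed).
const DB_NAME = 'gh-auth-example';
const STORE_NAME = 'tokens';
const TOKEN_KEY = 'github';

function openDb() {
  return new Promise((resolve, reject) => {
    const req = indexedDB.open(DB_NAME, 1);
    req.onupgradeneeded = () => req.result.createObjectStore(STORE_NAME);
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
}

function inStore(mode, op) {
  return openDb().then((db) => new Promise((resolve, reject) => {
    const req = op(db.transaction(STORE_NAME, mode).objectStore(STORE_NAME));
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  }));
}

const indexedDbStore = {
  get: () => inStore('readonly', (s) => s.get(TOKEN_KEY)),
  set: (token) => inStore('readwrite', (s) => s.put(token, TOKEN_KEY)),
  clear: () => inStore('readwrite', (s) => s.delete(TOKEN_KEY)),
};

// Worker wiring; skipped outside a Service Worker scope (e.g. under Node).
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('message', (event) => {
    event.waitUntil(handleMessage(event.data, indexedDbStore).then((status) => {
      if (event.source) event.source.postMessage({ type: 'AUTH_STATUS', status });
    }));
  });
  self.addEventListener('fetch', (event) => {
    if (!shouldIntercept(event.request.url)) return; // browser handles it normally
    event.respondWith(
      indexedDbStore.get()
        .catch(() => null) // storage failure: fall back to a direct request without auth
        .then((token) => fetch(withAuthorization(event.request, token)))
    );
  });
}

// Main thread: register the worker and hand over the token once at startup.
async function installToken(token) {
  if (typeof navigator === 'undefined' || !('serviceWorker' in navigator)) return 'unsupported';
  await navigator.serviceWorker.register('/sw.js'); // worker path is an assumption
  const registration = await navigator.serviceWorker.ready;
  registration.active.postMessage({ type: 'SET_TOKEN', token });
  return 'sent';
}
```

The origin comparison and the header replacement are the two checks worth keeping even if the storage layer changes: the first bounds where the token can travel, the second means the page cannot pick which credential the worker attaches. Logout is a `CLEAR_TOKEN` message, after which intercepted requests go out unauthenticated.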
- Service Worker code is public, but the token is stored securely in IndexedDB
- Token is never logged or exposed in error messages
- All network requests are sanitized
- CSP headers prevent unauthorized script execution
- Modern browsers with Service Worker support
- IndexedDB for secure token storage
- Fallback to direct requests if Service Worker fails