salesforce
diff --git a/‎app/controllers/auth_controller.rb‎
Lines changed: 44 additions & 5 deletions b/‎app/controllers/auth_controller.rb‎
Lines changed: 44 additions & 5 deletions
diff --git a/‎app/views/auth/callback.html.erb‎
Lines changed: 47 additions & 0 deletions b/‎app/views/auth/callback.html.erb‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎app/views/auth/get_token.html.erb‎
Lines changed: 34 additions & 25 deletions b/‎app/views/auth/get_token.html.erb‎
Lines changed: 34 additions & 25 deletions
diff --git a/‎chrome-extension/README.md‎
Lines changed: 22 additions & 12 deletions b/‎chrome-extension/README.md‎
Lines changed: 22 additions & 12 deletions
diff --git a/‎chrome-extension/auth-content.js‎
Lines changed: 36 additions & 6 deletions b/‎chrome-extension/auth-content.js‎
Lines changed: 36 additions & 6 deletions
@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 class AuthController < ApplicationController
-  skip_before_action :verify_authenticity_token, only: [:get_token, :validate_token]
-  skip_before_action :require_login, only: [:get_token, :validate_token]
+  skip_before_action :verify_authenticity_token, only: %i[get_token validate_token callback]
+  skip_before_action :require_login, only: %i[get_token validate_token callback]
 
   # GET /auth/get_token
   # Return user email for authenticated SSO user (for Chrome extensions)
@@ -11,13 +11,31 @@ def get_token
     Rails.logger.info "Session user_id: #{session[:user_id]}"
     Rails.logger.info "Current user: #{current_user&.email || 'NOT AUTHENTICATED'}"
     Rails.logger.info "Request path: #{request.fullpath}"
+    Rails.logger.info "Redirect URI param: #{params[:redirect_uri]}"
 
-    # User is authenticated via SSO session, return email
+    # User is authenticated via SSO session
     if current_user
       Rails.logger.info "✅ User authenticated successfully: #{current_user.email}"
-      # Render the page with current_user available
+
+      # Check if redirect_uri is provided (Chrome extension flow)
+      if params[:redirect_uri].present?
+        # Chrome extension flow - redirect back with token
+        redirect_uri = params[:redirect_uri]
+        token = current_user.email # Using email as the token
+
+        # Construct redirect URL with token parameter
+        separator = redirect_uri.include?('?') ? '&' : '?'
+        redirect_url = "#{redirect_uri}#{separator}token=#{CGI.escape(token)}"
+
+        Rails.logger.info "Redirecting to Chrome extension: #{redirect_url}"
+        redirect_to redirect_url, allow_other_host: true
+      else
+        # Legacy flow - render page with token (for old content script approach)
+        Rails.logger.info 'No redirect_uri provided, rendering token page'
+        # Render the page with current_user available
+      end
     else
-      Rails.logger.info "❌ User not authenticated, redirecting to login"
+      Rails.logger.info '❌ User not authenticated, redirecting to login'
       # User not authenticated, redirect to login with return URL
       redirect_to new_session_path(redirect_to: request.fullpath)
     end
@@ -27,6 +45,27 @@ def get_token
     redirect_to root_path, alert: 'Authentication failed. Please try again.'
   end
 
+  # GET /auth/callback
+  # OAuth callback for Chrome extension (development mode)
+  # This page is used with chrome.identity.launchWebAuthFlow for localhost development
+  def callback
+    Rails.logger.info '=== AUTH CALLBACK CALLED ==='
+    Rails.logger.info "Current user: #{current_user&.email || 'NOT AUTHENTICATED'}"
+
+    if current_user
+      @token = current_user.email
+      Rails.logger.info "✅ Callback with token: #{@token}"
+      # Render the callback view
+    else
+      Rails.logger.info '❌ User not authenticated in callback'
+      redirect_to new_session_path(redirect_to: request.fullpath)
+    end
+  rescue StandardError => e
+    Rails.logger.error "Callback error: #{e.message}"
+    Rails.logger.error e.backtrace.join("\n")
+    redirect_to root_path, alert: 'Authentication callback failed. Please try again.'
+  end
+
   # GET /auth/validate
   # Validate current token and return user info
   def validate_token
 
@@ -0,0 +1,47 @@
+<% content_for :title, "Authentication Callback" %>
+
+<div class="flex items-center justify-center py-12 px-4">
+  <div class="bg-white p-10 rounded-xl shadow-lg text-center max-w-lg w-full">
+    <div class="text-5xl text-blue-500 mb-5 animate-pulse">⟳</div>
+    <h1 class="text-gray-800 mb-5 text-2xl font-semibold">Authentication Successful</h1>
+    <p class="text-gray-600">
+      Completing authentication...<br>
+      <span class="text-sm mt-2 inline-block">This window will close automatically.</span>
+    </p>
+    
+    <!-- Debug info (remove in production) -->
+    <div class="bg-gray-100 border border-gray-300 rounded p-3 mt-5 text-xs text-gray-600">
+      <strong>Debug:</strong> Token ready for Chrome extension capture
+    </div>
+  </div>
+</div>
+
+<script>
+  // For chrome.identity.launchWebAuthFlow to work, we need to redirect to 
+  // the same URL with the token as a query parameter
+  (function() {
+    const currentUrl = new URL(window.location.href);
+    
+    // Check if token is already in URL (to prevent redirect loop)
+    if (currentUrl.searchParams.has('token')) {
+      console.log('Token already in URL, Chrome extension should capture this');
+      // chrome.identity.launchWebAuthFlow will intercept and close the window
+      // If window doesn't close after 2 seconds, show a message
+      setTimeout(() => {
+        document.body.innerHTML = '<div class="flex items-center justify-center py-12"><div class="text-center"><p class="text-gray-600">You can close this window now.</p></div></div>';
+      }, 2000);
+      return;
+    }
+    
+    // Token not in URL yet, add it and redirect once
+    const token = '<%= j @token %>';
+    if (token) {
+      console.log('Adding token to URL for Chrome extension capture');
+      currentUrl.searchParams.set('token', token);
+      window.location.href = currentUrl.toString();
+    } else {
+      console.error('No token available');
+    }
+  })();
+</script>
+
@@ -2,43 +2,52 @@
 
 <div class="flex items-center justify-center py-12 px-4">
   <div class="bg-white p-10 rounded-xl shadow-lg text-center max-w-lg w-full">
-    <div class="text-5xl text-green-500 mb-5">✓</div>
-    <h1 class="text-gray-800 mb-5 text-2xl font-semibold">Authentication Successful</h1>
-    
-    <p class="mb-5">Your user email for the Chrome extension:</p>
-    
-    <div class="bg-gray-50 border-2 border-dashed border-gray-300 rounded-lg p-5 my-5 break-all font-mono text-sm min-h-15 flex items-center justify-center">
-      <div id="token-display" data-token="<%= current_user&.email %>" class="text-sky-600 font-semibold">
-        <%= current_user&.email || 'No email available. Please try again.' %>
+    <% if params[:redirect_uri].present? %>
+      <!-- Modern flow: automatic redirect via chrome.identity.launchWebAuthFlow -->
+      <div class="text-5xl text-blue-500 mb-5 animate-pulse">⟳</div>
+      <h1 class="text-gray-800 mb-5 text-2xl font-semibold">Redirecting...</h1>
+      <p class="text-gray-600">
+        Authentication successful! Redirecting back to your extension...<br>
+        <span class="text-sm mt-2 inline-block">This window will close automatically.</span>
+      </p>
+    <% else %>
+      <!-- Legacy flow: content script captures token -->
+      <div class="text-5xl text-green-500 mb-5">✓</div>
+      <h1 class="text-gray-800 mb-5 text-2xl font-semibold">Authentication Successful</h1>
+      
+      <p class="mb-5">Your user email for the Chrome extension:</p>
+      
+      <div class="bg-gray-50 border-2 border-dashed border-gray-300 rounded-lg p-5 my-5 break-all font-mono text-sm min-h-15 flex items-center justify-center">
+        <div id="token-display" data-token="<%= current_user&.email %>" class="text-sky-600 font-semibold">
+          <%= current_user&.email || 'No email available. Please try again.' %>
+        </div>
       </div>
-    </div>
+      
+      <div class="text-gray-600 text-sm leading-relaxed mt-5">
+        <strong>Instructions:</strong><br>
+        Your email above will be automatically captured by your Chrome extension.<br>
+        You can safely close this window after the email is captured.
+      </div>
+    <% end %>
 
-    <div class="text-gray-600 text-sm leading-relaxed mt-5">
-      <strong>Instructions:</strong><br>
-      Your email above will be automatically captured by your Chrome extension.<br>
-      You can safely close this window after the email is captured.
-    </div>
     <!-- Debug info (remove in production) -->
     <div class="bg-gray-100 border border-gray-300 rounded p-3 mt-3 text-xs text-gray-600">
       <strong>Debug:</strong> User: <%= current_user&.email || 'NOT AUTHENTICATED' %> | 
-      Session: <%= session[:user_id] || 'NO SESSION' %>
+      Session: <%= session[:user_id] || 'NO SESSION' %> |
+      Redirect URI: <%= params[:redirect_uri].present? ? 'Yes' : 'No' %>
     </div>
   </div>
 </div>
 
+<% unless params[:redirect_uri].present? %>
 <script>
   console.log('Auth page loaded - email should be captured by Chrome extension content script');
   console.log('Email in data-token:', document.getElementById('token-display')?.getAttribute('data-token'));
 
-  // Auto-close window after extension captures token
+  // Redirect to root after extension captures token (5 seconds)
   setTimeout(() => {
-    console.log('Auto-closing window...');
-    if (window.opener || window.parent !== window) {
-      try {
-        window.close();
-      } catch (e) {
-        console.log('Could not close window automatically');
-      }
-    }
-  }, 5000); // Reduced to 5 seconds
+    console.log('Redirecting to root...');
+    window.location.href = '/';
+  }, 5000);
 </script>
+<% end %>
@@ -40,11 +40,21 @@ A Chrome extension that provides a persistent AI chat interface through a side p
 
 ### 2. Authentication
 
+The extension uses Chrome's secure `chrome.identity.launchWebAuthFlow()` API for authentication:
+
 1. Configure API URLs if needed (defaults to localhost:3000)
 2. Click "🔐 Authenticate with SSO" 
-3. Complete SSO login in the opened tab
-4. Extension automatically captures and stores your API token
-5. Authentication section disappears, showing clean chat interface
+3. Complete SSO login in a secure Chrome authentication window
+4. Extension automatically captures and stores your API token via redirect
+5. Authentication window closes automatically
+6. Authentication section disappears, showing clean chat interface
+
+**Authentication Flow:**
+- Extension generates a secure Chrome extension redirect URI
+- Opens your Rails SSO login page with the redirect URI
+- After successful authentication, Rails redirects to the extension URI with the token
+- Chrome automatically captures the token and closes the auth window
+- More secure than tab-based authentication (no content script required)
 
 ### 3. Chat with AI
 
@@ -68,10 +78,13 @@ The extension makes calls to these endpoints:
 
 ## Security Features
 
+- **Chrome Identity API**: Uses secure `chrome.identity.launchWebAuthFlow()` for authentication
 - **Secure Token Storage**: Uses Chrome's encrypted local storage
-- **Origin Verification**: Validates message origins during authentication
+- **No Content Script Injection**: Token capture happens via secure redirect (no DOM access needed)
+- **Automatic Window Closure**: Auth window closes automatically after token capture
 - **Automatic Token Cleanup**: Clears invalid/expired tokens
 - **HTTPS Support**: Ready for production HTTPS deployment
+- **Legacy Fallback**: Maintains backward compatibility with content script flow
 
 ## Development
 
@@ -128,17 +141,14 @@ The AI chat interface provides:
 
 ## Troubleshooting
 
-**"window is not defined" Error:**
-- This was fixed by replacing `window.open()` with `chrome.tabs.create()` in the service worker
-- The extension now opens a new tab instead of a popup window for authentication
-- Added dedicated auth content script to capture tokens from the auth page
-
 **Authentication Issues:**
-- Check browser console for messages from the auth content script
-- Ensure CORS is configured on your Rails server
+- Check browser console for Chrome Identity API errors
+- Ensure `redirect_uri` is properly handled by Rails controller
 - Check that `/auth/get_token` endpoint is accessible
 - Verify SSO/SAML configuration is working
-- Look for "Auth content script loaded" message in the auth tab's console
+- Check for "Chrome Identity Redirect URL" in background service worker console
+- Ensure CORS is configured if using cross-origin requests
+- If Chrome Identity API fails, extension falls back to legacy tab-based flow
 
 **API Call Failures:**
 - Check browser console for network errors
 
@@ -1,38 +1,68 @@
 // Content script specifically for the auth/token pages
-// This script captures the token from the auth page and forwards it to the service worker
+// 
+// NOTE: This is a LEGACY FALLBACK flow. The primary authentication method now uses
+// chrome.identity.launchWebAuthFlow() which is more secure and doesn't require this content script.
+// 
+// This script is kept for backward compatibility and will only run when the auth page
+// is accessed WITHOUT the redirect_uri parameter (legacy flow).
+// 
+// New flow (chrome.identity.launchWebAuthFlow):
+//   1. Extension calls chrome.identity.getRedirectURL() to get redirect URI
+//   2. Opens auth page with redirect_uri parameter
+//   3. After auth, Rails redirects to chrome-extension:// URI with token
+//   4. launchWebAuthFlow intercepts and extracts token
+//
+// Legacy flow (this script):
+//   1. Opens auth page in a tab without redirect_uri
+//   2. This content script captures token from page
+//   3. Sends token to service worker via chrome.runtime.sendMessage
 
-console.log('Auth content script loaded for:', window.location.href);
+console.log('🔵 Auth content script loaded for:', window.location.href);
+console.log('🔵 Document ready state:', document.readyState);
 
 let tokenSent = false;
 
 // Function to extract token from the page
 function extractTokenFromPage() {
-  if (tokenSent) return null;
+  if (tokenSent) {
+    console.log('🔵 Token already sent, skipping');
+    return null;
+  }
 
   // Check for token in data attribute (this contains the user email)
   const tokenDisplay = document.getElementById('token-display');
+  console.log('🔵 Looking for token-display element:', tokenDisplay);
+  
   if (tokenDisplay) {
     const token = tokenDisplay.getAttribute('data-token');
+    console.log('🔵 Token from data-token attribute:', token);
+    
     if (token && token.length > 0) {
-      console.log('Found token in data attribute');
+      console.log('✅ Found valid token:', token);
       return token;
     }
   }
 
+  console.log('❌ No token found on page');
   return null;
 }
 
 // Function to send token to service worker
 function sendTokenToServiceWorker(token) {
-  if (tokenSent) return;
+  if (tokenSent) {
+    console.log('🔵 Token already sent, not sending again');
+    return;
+  }
 
-  console.log('Sending token to service worker');
+  console.log('🚀 Sending token to service worker:', token);
   tokenSent = true;
 
   chrome.runtime.sendMessage({
     type: 'FACK_AUTH_TOKEN',
     success: true,
     token: token
+  }, (response) => {
+    console.log('✅ Message sent to background, response:', response);
   });
 }