feat: cache login state across browser restarts

Recently we got reports about missing SSO in case the browser is
not already running when opening the Entra SSO page. This happens
because the login flow takes some time (in case of broker dbus
activation a couple of seconds) and only after it is completed we enable
the request filtering and try to acquire PRTs.

We now change this by caching the last logged-in user in the local
browser storage. By that, the extension can already request PRTs before
the login completed, as we already have the needed account information
to request the PRT. A nice side effect of that change is that we now
track the disabled / enabled state across browser restarts as well.

As this change requires the use of the local storage API, we also need
to grant permission in the manifests.

Signed-off-by: Felix Moessbauer <[email protected]>

background.js

@@ -65,11 +65,16 @@ function is_operational() {
  * Update the UI according to the current state
  */
 function update_ui() {
-    if (state_active && accounts.active) {
-        chrome.action.enable();
+    chrome.action.enable();
+    if (is_operational()) {
         let imgdata = {};
         let icon_title = "EntraID SSO: " + accounts.active.username;
         let color = null;
+        chrome.action.setTitle({
+            title: icon_title,
+        });
+        // we do not yet have the avatar image
+        if (!accounts.active.avatar_imgdata) return;
         if (!broker_online) {
             color = "#cc0000";
             icon_title += " (offline)";
@@ -84,9 +89,6 @@ function update_ui() {
         chrome.action.setIcon({
             imageData: imgdata,
         });
-        chrome.action.setTitle({
-            title: icon_title,
-        });
         return;
     }
     /* inactive states */
@@ -111,6 +113,21 @@ function update_ui() {
     chrome.action.setTitle({ title: title });
 }
 
+/*
+ * Store the current state in the local storage.
+ * To not leak account data in disabled state, we clear the account object.
+ */
+function update_storage() {
+    let default_account = { ...accounts.registered[0] };
+    // remove non serializable properties
+    delete default_account.avatar_imgdata;
+    let ssostate = {
+        state: state_active,
+        account: state_active ? default_account : null,
+    };
+    chrome.storage.local.set({ ssostate });
+}
+
 function update_handlers_firefox() {
     if (!is_operational()) {
         chrome.webRequest.onBeforeSendHeaders.removeListener(
@@ -313,6 +330,7 @@ async function load_accounts() {
     } else {
         ssoLog("Warning: Could not get profile picture.");
     }
+    update_storage();
 }
 
 async function get_or_request_prt(ssoUrl) {
@@ -456,6 +474,7 @@ async function on_message_menu(request) {
     } else if (request.command == "disable") {
         state_active = false;
     }
+    update_storage();
     notify_state_change();
 }
 
@@ -489,6 +508,20 @@ function on_startup() {
             port_menu = null;
         });
     });
+
+    chrome.storage.local.get("ssostate", (data) => {
+        if (data.ssostate) {
+            state_active = data.ssostate.state;
+            if (state_active) {
+                accounts.active = { ...data.ssostate.account };
+                ssoLog(
+                    "temporarily using last-known account: " +
+                        accounts.active.username,
+                );
+            }
+            notify_state_change();
+        }
+    });
 }
 
 // use this API to prevent the extension from being disabled

platform/chrome/manifest.json

@@ -23,7 +23,8 @@
     "permissions": [
         "alarms",
         "nativeMessaging",
-        "declarativeNetRequest"
+        "declarativeNetRequest",
+        "storage"
     ],
     "host_permissions": [
         "https://login.microsoftonline.com/*"

platform/firefox/manifest.json

@@ -27,7 +27,8 @@
     "permissions": [
         "nativeMessaging",
         "webRequest",
-        "webRequestBlocking"
+        "webRequestBlocking",
+        "storage"
     ],
     "host_permissions": [
         "https://login.microsoftonline.com/*"