I’m writing a Chrome extension that connects to an API. When a user installs the extension, a client ID is generated and stored in local storage:
function getRandomToken() {
  // 32 cryptographically random bytes from the Web Crypto API
  var randomPool = new Uint8Array(32);
  crypto.getRandomValues(randomPool);
  var hex = '';
  for (var i = 0; i < randomPool.length; ++i) {
    // Zero-pad each byte to two hex digits; without the padding, bytes below 0x10
    // produce a single digit and the resulting string has a variable length.
    hex += randomPool[i].toString(16).padStart(2, '0');
  }
  return hex; // 64 hex characters
}
Each API request to the backend includes this client ID. The backend uses the client ID to figure out what information to update.
The problem I’m running into is this: with very simple dev tools, anyone can see what endpoint is being hit. They can then manually send requests to this endpoint with fake client IDs.
Any ideas on how I can prevent this kind of abuse? I added an IP address rate limit on the server-side, but I'm wondering how to solve this properly.