Extension auth: Firebase primary, license-key fallback
Decision
Extensions authenticate users via Firebase Auth as the primary path. A license-key fallback exists for users who refuse Firebase (privacy-paranoid users, regions where Google services are blocked): they pay once, receive a license key, paste it into the extension, and the extension verifies the key against the umbrella Hono Worker.
Why
Firebase Auth via chrome.identity.launchWebAuthFlow() bouncing
through auth.oriz.in is the cheapest, fastest, most-recognized
auth pattern for extensions, and reuses the family's single Firebase
project. But some users explicitly reject Google-tied auth or live
where the auth domain doesn't reliably resolve. A license-key
fallback removes Firebase as a hard dependency for paying users
without compromising the primary path.
Implications
- Primary path: chrome.identity.launchWebAuthFlow() opens auth.oriz.in, ID token returned to extension, stored in chrome.storage.local. Same Firebase user works on every site and every extension.
- License-key path: user pays via Razorpay (or whichever billing provider), receives a key by email, pastes into the extension settings. Extension calls apps/api/routes/auth/verify-license to validate.
- Firestore stores both: users/{uid}/subscription for Firebase users, and licenses/{key} for license-key holders. Same entitlement check covers both via the API.
- The license-key flow does NOT support cross-device sync (no Firestore user attached) — paranoid users accept that trade-off.
- Extension UI shows both options at sign-in: "Sign in with Google" (default) and "Use license key" (advanced).
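
A sketch of the single entitlement check behind both paths, added here as an illustration and not taken from the project's code. The key format, the `status` and `expiresAt` fields, the function name `checkEntitlement`, and the in-memory `Map` standing in for Firestore are all assumptions; a real Worker would do the lookups asynchronously.

```javascript
// Constructed stand-in for Firestore: document path -> data (sample values only).
const docs = new Map([
  ["users/uid_alice/subscription", { status: "active", expiresAt: Date.parse("2999-01-01") }],
  ["users/uid_bob/subscription", { status: "active", expiresAt: Date.parse("2020-01-01") }],
  ["licenses/ORIZ-AAAA-BBBB-CCCC", { status: "active" }],
  ["licenses/ORIZ-DDDD-EEEE-FFFF", { status: "revoked" }],
]);

// Assumed key format (not from the page): ORIZ- plus three groups of 4 characters.
const LICENSE_KEY_RE = /^ORIZ(-[A-Z0-9]{4}){3}$/;
// Assumed uid shape: an opaque id with no path separators.
const UID_RE = /^[A-Za-z0-9_-]{1,128}$/;

const DENIED = Object.freeze({ entitled: false, syncAcrossDevices: false });

// credential is { kind: "firebase", uid } once the ID token has been verified
// server-side, or { kind: "license", key } carrying the raw pasted key.
function checkEntitlement(credential, getDoc = (p) => docs.get(p), now = Date.now()) {
  if (credential?.kind === "firebase") {
    if (!UID_RE.test(String(credential.uid))) return DENIED;
    const sub = getDoc(`users/${credential.uid}/subscription`);
    const ok = !!sub && sub.status === "active" && sub.expiresAt > now;
    return ok ? { entitled: true, syncAcrossDevices: true } : DENIED;
  }
  if (credential?.kind === "license") {
    // Normalise paste artefacts, then validate BEFORE building the path, so a
    // value containing "/" can never address a document outside licenses/.
    const key = String(credential.key).trim().toUpperCase();
    if (!LICENSE_KEY_RE.test(key)) return DENIED;
    const lic = getDoc(`licenses/${key}`);
    // Unknown and revoked keys get the same answer, so the endpoint does not
    // confirm which keys exist.
    const ok = !!lic && lic.status === "active";
    // No Firestore user is attached, hence no cross-device sync on this path.
    return ok ? { entitled: true, syncAcrossDevices: false } : DENIED;
  }
  return DENIED;
}
```
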