Question
I'm trying to secure API calls from my Chrome extension to my website hosted on AWS. The SO posts I've seen so far were quite dated and not effective ways. The most recent and best tutorial I've found so far is from Very Good Software, which requires the user's Google OAuth access token via:
Background.js:
```javascript
// Ask Chrome for the signed-in user's Google OAuth access token
// (scopes come from the "oauth2" block in manifest.json).
chrome.identity.getAuthToken({ 'interactive': true }, function(token) {
    if (token) { alert('token is ' + token); }
    else { alert('token not present'); }
});
```
manifest.json
```json
{
    "manifest_version": 2,
    "name": "To be named",
    "description": "This extension helps...",
    "version": "0.1.0",
    "browser_action": {
        "default_popup": "popup.html"
    },
    "permissions": [
        "storage",
        "identity",
        "identity.email",
        "http://127.0.0.1:5000/Time"
    ],
    "oauth2": {
        "client_id": "1097711......apps.googleusercontent.com",
        "scopes": ["https://www.googleapis.com/auth/userinfo.profile"]
    },
    "background": {
        "scripts": ["background.js"],
        "persistent": false
    },
    "content_scripts": [{
        "matches": ["https://www.blank.org/"],
        "js": ["content.js"],
        "css": ["styles.css"]
    }]
}
```
where the access_token gets passed to your server for your server to decrypt via:
```python
import firebase_admin
from firebase_admin import auth, credentials

# Initialise the Firebase app once at import time; calling initialize_app()
# inside the route would raise on the second request.
cred = credentials.Certificate("Firebase.json")
firebase_admin.initialize_app(cred)


@blueprint.route('/verification')
def verification():
    # The tutorial passes the Google OAuth access token ("ya29....") here;
    # verify_id_token expects a Firebase ID token, which is the problem below.
    decoded_token = auth.verify_id_token("ya29.a0AfH6...AY")
    uid = decoded_token['uid']
    print(uid)
    return str(uid)
```
While the token gets generated, I realized the firebase-sdk requires a verify_id and not an access token. Therefore, I'd like to know whether this approach can be corrected and used for protecting API calls from a Chrome extension. If not, what's the most recent and best way to protect API calls from a Chrome extension as of now, given that the source code can be viewed?
Also, I don't think I can POST the access token and see if it matches my server login access token of the user, as I believe they change every time.
Also, rate limiting doesn't really help at all with my problem, as the service is personal and can't be shared, and if an attacker were to break in, it only needs a few calls anyway to launch a malicious attack.
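One way to check the access token that `chrome.identity.getAuthToken` returns on the server side, written here as an added example that is not code from the question, from the cited tutorial or from any answer: instead of handing the token to Firebase's `verify_id_token` (which only accepts Firebase ID tokens), the server asks Google's tokeninfo endpoint what the token represents and then applies its own checks. The `authorize` gate, the `fetch` parameter and the `demo` function are assumptions of this example; the client id is the placeholder from the question's manifest.json; the tokeninfo sample is constructed.

```python
"""Server-side verification of a Google OAuth access token sent by a Chrome
extension (added example; standard library only so a Flask route can simply
call authorize() on the incoming Authorization header)."""
import json
import urllib.parse
import urllib.request

# The "client_id" from the manifest's "oauth2" block (placeholder from the question).
EXPECTED_CLIENT_ID = "1097711......apps.googleusercontent.com"

# Google's introspection endpoint for OAuth access tokens.
TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"


def fetch_tokeninfo(access_token):
    """Ask Google what this access token represents (network call).
    Returns the decoded JSON dict, or None if Google rejects the token."""
    url = TOKENINFO_URL + "?" + urllib.parse.urlencode({"access_token": access_token})
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return json.load(resp)
    except (OSError, ValueError):
        return None


def validate_tokeninfo(info, expected_client_id):
    """Checks that matter once tokeninfo has answered:
    - the token was issued to *our* OAuth client (aud), so a token the user
      granted to some other app cannot be replayed against this API;
    - it has not expired;
    - it carries a stable Google user id (sub) to key the account on.
    Returns (ok, reason)."""
    if not info or "error" in info:
        return False, "invalid token"
    if info.get("aud") != expected_client_id:
        return False, "token issued for a different client"
    try:
        if int(info.get("expires_in", "0")) <= 0:
            return False, "token expired"
    except ValueError:
        return False, "malformed expires_in"
    if not info.get("sub"):
        return False, "no user id in token"
    return True, "ok"


def authorize(authorization_header, fetch=fetch_tokeninfo):
    """Framework-neutral request gate. The extension sends
    'Authorization: Bearer <token>' with every API call; this returns
    (http_status, response_body). `fetch` is injectable so tests can stub
    the network call."""
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        return 401, {"error": "missing bearer token"}
    info = fetch(token)
    ok, reason = validate_tokeninfo(info, EXPECTED_CLIENT_ID)
    if not ok:
        return 401, {"error": reason}
    # Key the account on the Google user id, never on the (rotating) token.
    return 200, {"user_id": info["sub"]}


# Constructed sample of what tokeninfo returns for a valid, correctly scoped token.
CONSTRUCTED_TOKENINFO = {
    "aud": EXPECTED_CLIENT_ID,
    "azp": EXPECTED_CLIENT_ID,
    "sub": "110169484474386276334",
    "scope": "https://www.googleapis.com/auth/userinfo.profile",
    "expires_in": "3599",
    "exp": "1610000000",
}


def demo():
    """Run the gate against stubbed tokeninfo answers (no network)."""
    def stub(token):
        if token == "ya29.constructed":
            return CONSTRUCTED_TOKENINFO
        return {"error": "invalid_token"}

    return [
        authorize("Bearer ya29.constructed", fetch=stub),  # accepted
        authorize("Bearer ya29.forged", fetch=stub),       # rejected by Google
        authorize("", fetch=stub),                         # no header at all
    ]


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

The point of the `aud` check is that the extension's source being readable does not matter: the token proves which Google account the request comes from, not which client sent it, and a token Google issued to a different client id is refused. Because access tokens rotate, the server stores and rate-limits per `sub`, not per token.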
Source: https://stackoverflow.com/questions/65756808/securing-chrome-extension-api-calls-with-tokens