dewemoji/legacy-credentials-and-config.md

Legacy Credentials and Config (Retraced)

Source folders used

• ../dewemoji-api
• ../dewemoji-chrome-ext
• ../dewemoji-site

1) Extension auth and credential flow

From dewemoji-chrome-ext/panel.js:

• User enters license key in settings.
• Extension verifies via POST https://api.dewemoji.com/v1/license/verify.
• License key is sent as payload and reused in headers for data requests.

Headers used on licensed requests:

• Authorization: Bearer <licenseKey>
• X-License-Key: <licenseKey>
• X-Account-Id: <hashedAccountId>
• X-Dewemoji-Frontend: ext-v1 (always sent)

2) Local/sync storage keys (extension)

Local storage keys observed:

• theme
• licenseValid
• licenseKey
• lastLicenseCheck
• actionMode
• searchCache
• accountId
• accountLabel
• profileUUID
• usage key pattern: usage_YYYYMMDD

Sync storage keys observed:

• preferredSkinTone
• toneLock

3) Backend (dewemoji-api) auth status

From helpers/auth.php:

• Reads license from query key or bearer token.
• Validation hooks exist (isValidGumroad, isValidMayar) but are stubs returning false.
• Effective behavior in current code: fallback to free tier.

4) dewemoji-site credential/config status

• Site folder currently scaffold/empty files.
• No active credential logic currently implemented there.

5) Hardcoded secrets check result

In inspected source files:

• No committed private API secrets/tokens/passwords found.
• License key is user-provided at runtime (extension).

6) Rebuild config recommendations

For new NativePHP app, add env-managed secrets for:

• License provider API credentials
• Internal signing/app secrets
• Any DB credentials

And keep backward compatibility during migration for:

• Authorization bearer auth
• legacy X-License-Key
• X-Account-Id