Add Linux v11 gnome-keyring/libsecret cookie and token decryption#56
Open
IvoryKir wants to merge 2 commits intodevxoul:mainfrom
Open
Add Linux v11 gnome-keyring/libsecret cookie and token decryption#56IvoryKir wants to merge 2 commits intodevxoul:mainfrom
IvoryKir wants to merge 2 commits intodevxoul:mainfrom
Conversation
On modern Linux desktops with gnome-keyring, Chromium-based apps encrypt cookies/tokens with a v11 prefix using a password stored in the keyring via libsecret. The v10 code path only handles the hardcoded 'peanuts' password, causing auth extraction to fail on most GNOME desktops. - Slack: add decryptV11CookieLinux() that looks up the keyring password via secret-tool for app names ['Slack', 'slack'], derives the AES key with PBKDF2(password, 'saltysalt', 1, 16, sha1), and falls back to the v10 peanuts key if the keyring is unavailable - Discord: add decryptV11LinuxToken() with the same pattern for app names ['discord', 'Discord'], extracted into decryptLinuxToken() which now checks the v11 prefix before falling back to peanuts - Both methods share a private getLinuxKeyringPassword() helper to make the keyring lookup easily testable via spyOn - Tests cover: keyring-available decryption and peanuts fallback path Builds on PR devxoul#35 which added v10 Linux support. Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
|
@IvoryKir is attempting to deploy a commit to the devxoul Team on Vercel. A member of the Team first needs to authorize it. |
…h >24 char base64 segments
Discord user IDs created ~2023+ produce base64-encoded first segments
longer than 24 characters (e.g. user ID 1295726388820709399 encodes to
'MTI5NTcyNjM4ODgyMDcwOTM5OQ' = 26 chars). The previous regex {24} matched
exactly 24 chars, causing the match to start 2 chars late and return a
truncated token that fails API auth with 401.
Change {24} to {24,} so the regex greedily matches the full first segment
regardless of length. Also add a test covering the >24 char case.
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes two separate auth extraction failures on Linux:
Fix 1 — Linux v11 gnome-keyring/libsecret cookie and token decryption
On modern Linux desktops with gnome-keyring, Chromium-based apps (Slack, Discord) encrypt cookies/tokens with a
v11version prefix using a password stored in the system keyring via libsecret. The existing v10 code path (PR #35) uses a hardcoded'peanuts'password, butv11-prefixed data was never handled — it fell through toreturn null, causing auth extraction to fail on most GNOME desktops.Changes:
token-extractor.ts:decryptV11CookieLinux()looks up the keyring password viasecret-tool lookup xdg:schema chrome_libsecret_os_crypt_password_v2 application <AppName>for app names['Slack', 'slack']. SamePBKDF2(password, 'saltysalt', 1, 16, sha1)+AES-128-CBCas v10. Falls back to peanuts if keyring is unavailable.token-extractor.ts:decryptV11LinuxToken()with the same pattern for['discord', 'Discord'].decryptLinuxToken()now checks thev11prefix first.getLinuxKeyringPassword(appName)helper (testable viaspyOn).Fix 2 — TOKEN_REGEX widened to support newer Discord user IDs
Discord user IDs created ~2023+ produce base64-encoded first token segments longer than 24 characters. Example:
1295726388820709399→ base64MTI5NTcyNjM4ODgyMDcwOTM5OQ= 26 charsThe previous regex
[\w-]{24}(exactly 24) matched starting 2 chars late, returning a truncated token that fails API validation with 401. Fixed by changing{24}→{24,}.Tests
4 new tests across both platforms:
All 904 tests pass,
bun typecheckandbun lintclean.Related
Builds on #35 which added v10 Linux support.