LiuMangMang/SmartUp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: object URL leak, CDP before goto, limit raw secrets in extract

Browse Source 
- AuthCaptureDialog: revokeObjectURL on each frame to prevent memory leak
- CDP Network capture starts before initial page.goto, not after
- /extract defaults to candidates-only; pass ?include_raw=true for full data
This commit is contained in:
SmartUp Developer
2026-05-18 14:25:56 +08:00
parent c7b33983d6
commit 7cb0ff1608
3 changed files with 15 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/routers/auth_capture.py
+7 -3
View File
@@ -89,12 +89,13 @@ async def create_capture_session(
@router.get("/sessions/{session_id}/extract", response_model=CaptureExtractResponse)
async def extract_credentials(
session_id: str,
include_raw: bool = Query(default=False, description="Include full cookies/storage/headers in response"),
_=Depends(get_current_user),
):
"""Extract all auth credentials from the browser session.
"""Extract auth credentials from the browser session.
Returns cookies, localStorage, sessionStorage, and curated candidates.
Candidate values are masked in logs.
By default only returns curated candidates (typed, scored, with masked preview).
Pass include_raw=true to also get full cookies, localStorage, and headers.
"""
try:
session = browser_sessions.get_session(session_id)
@@ -106,6 +107,9 @@ async def extract_credentials(
except Exception as exc:
raise _browser_error(exc)
if not include_raw:
# Strip raw data — only keep curated candidates
return CaptureExtractResponse(candidates=result.get("candidates", []))
return CaptureExtractResponse(**result)
backend/app/services/browser_session_service.py
+3 -2
View File
@@ -387,10 +387,11 @@ class BrowserSessionService:
captured_headers=[],
)
self._sessions[session.id] = session
# Start CDP network capture BEFORE the initial page load,
# so we capture login redirects and auth headers from the start.
await self._start_cdp_capture(session)
try:
await page.goto(url, wait_until="domcontentloaded", timeout=45000)
# Start CDP network capture immediately — so we don't miss login requests
await self._start_cdp_capture(session)
except Exception:
await self.close(session.id)
raise