SmartUp Developer
4c71148ff9
- Add linked_upstream_id to CustomPage model with DB migration
- New POST /api/custom-pages/{pid}/refresh-auth endpoint extracts
credentials from active remote browser and updates linked upstream
- PageViewer toolbar shows key icon button when page has linked upstream
- CustomPages form adds upstream dropdown for remote_browser pages
- Auth capture extracts New-Api-User from localStorage uid/user/self API
- Upstream client sends New-Api-User header in cookie auth mode
- Fix auth capture dialog: transparent background, field persistence,
login URL defaults to base_url/login, focus on click for keyboard input
- Fix upstream test ASCII encoding with non-header characters validation
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
264 lines
9.1 KiB
Python
264 lines
9.1 KiB
Python
"""Auth credential extraction from remote browser sessions."""
|
|
from __future__ import annotations
|
|
|
|
import json
|
|
import logging
|
|
from typing import Any
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# Keys likely to contain auth tokens in storage
|
|
TOKEN_KEYS = frozenset({
|
|
"token", "access_token", "accessToken", "jwt", "auth_token", "authToken",
|
|
"refresh_token", "refreshToken", "id_token", "session_token",
|
|
})
|
|
SECRET_KEYS = frozenset({
|
|
"secret", "api_key", "apiKey", "apikey",
|
|
})
|
|
SESSION_COOKIE_NAMES = frozenset({
|
|
"session", "token", "jwt", "sid", "auth", "connect.sid",
|
|
"gin_session", "tdc_itoken", "sessionid",
|
|
"access_token", "refresh_token",
|
|
})
|
|
|
|
|
|
async def extract_cookies(session: Any) -> list[dict[str, Any]]:
|
|
"""Extract all cookies from the browser context."""
|
|
cookies = await session.context.cookies()
|
|
return [
|
|
{
|
|
"name": c.get("name", ""),
|
|
"value": c.get("value", ""),
|
|
"domain": c.get("domain", ""),
|
|
"httpOnly": c.get("httpOnly", False),
|
|
"secure": c.get("secure", False),
|
|
}
|
|
for c in cookies
|
|
]
|
|
|
|
|
|
async def extract_local_storage(page: Any) -> dict[str, str]:
|
|
try:
|
|
raw = await page.evaluate("() => JSON.stringify(window.localStorage)")
|
|
if isinstance(raw, str):
|
|
return json.loads(raw)
|
|
return raw or {}
|
|
except Exception as exc:
|
|
logger.debug("localStorage extraction failed: %s", exc)
|
|
return {}
|
|
|
|
|
|
async def extract_session_storage(page: Any) -> dict[str, str]:
|
|
try:
|
|
raw = await page.evaluate("() => JSON.stringify(window.sessionStorage)")
|
|
if isinstance(raw, str):
|
|
return json.loads(raw)
|
|
return raw or {}
|
|
except Exception as exc:
|
|
logger.debug("sessionStorage extraction failed: %s", exc)
|
|
return {}
|
|
|
|
|
|
async def extract_new_api_user_id(page: Any) -> str:
|
|
try:
|
|
value = await page.evaluate("""
|
|
async () => {
|
|
const uid = localStorage.getItem('uid')
|
|
if (uid) return uid
|
|
const userRaw = localStorage.getItem('user')
|
|
if (userRaw) {
|
|
try {
|
|
const user = JSON.parse(userRaw)
|
|
if (user?.id) return String(user.id)
|
|
} catch {}
|
|
}
|
|
const response = await fetch('/api/user/self', { credentials: 'include' })
|
|
if (!response.ok) return ''
|
|
const payload = await response.json()
|
|
const data = payload?.data || payload
|
|
return data?.id ? String(data.id) : ''
|
|
}
|
|
""")
|
|
return str(value or "").strip()
|
|
except Exception as exc:
|
|
logger.debug("New-API user id extraction failed: %s", exc)
|
|
return ""
|
|
|
|
|
|
async def extract_request_headers(session: Any) -> list[dict[str, str]]:
|
|
"""Return Authorization / API-Key headers captured continuously by CDP.
|
|
|
|
The CDP Network listener is started when the ephemeral session is created
|
|
(in BrowserSessionService.create_ephemeral), so headers from the login
|
|
flow are captured in real-time without needing a fresh CDP attach.
|
|
"""
|
|
if hasattr(session, "captured_headers") and session.captured_headers:
|
|
logger.debug("auth-capture: returning %d cached headers", len(session.captured_headers))
|
|
return list(session.captured_headers)
|
|
return []
|
|
|
|
|
|
async def extract_all(session: Any) -> dict[str, Any]:
|
|
"""Extract all auth credentials from a browser session.
|
|
|
|
Returns:
|
|
cookies, storage, session_storage, auth_headers, candidates
|
|
"""
|
|
page = session.page
|
|
cookies = await extract_cookies(session)
|
|
local_storage = await extract_local_storage(page)
|
|
session_storage = await extract_session_storage(page)
|
|
auth_headers = await extract_request_headers(session)
|
|
new_api_user = _find_new_api_user(local_storage, session_storage) or await extract_new_api_user_id(page)
|
|
candidates = _curate_candidates(cookies, local_storage, session_storage, auth_headers, new_api_user)
|
|
|
|
return {
|
|
"cookies": cookies,
|
|
"storage": local_storage,
|
|
"session_storage": session_storage,
|
|
"auth_headers": auth_headers,
|
|
"candidates": candidates,
|
|
}
|
|
|
|
|
|
def _curate_candidates(
|
|
cookies: list[dict[str, Any]],
|
|
local_storage: dict[str, str],
|
|
session_storage: dict[str, str],
|
|
auth_headers: list[dict[str, str]],
|
|
new_api_user: str = "",
|
|
) -> list[dict[str, Any]]:
|
|
"""Scan extracted data for likely credentials with confidence scoring."""
|
|
candidates: list[dict[str, Any]] = []
|
|
|
|
# 1. CDP-captured network headers (highest confidence)
|
|
seen = set()
|
|
for h in auth_headers:
|
|
dedup_key = h["value"]
|
|
if dedup_key in seen:
|
|
continue
|
|
seen.add(dedup_key)
|
|
htype = h.get("type", "authorization")
|
|
preview = _preview(h["value"])
|
|
if htype == "api_key":
|
|
_add(candidates, "api_key", f"network:{h['url'][:60]}", h["value"], preview,
|
|
f"X-API-Key — {h['url'][:40]}", 95)
|
|
else:
|
|
_add(candidates, "bearer_token", f"network:{h['url'][:60]}", h["value"], preview,
|
|
f"Authorization — {h['url'][:40]}", 95)
|
|
|
|
# 2. localStorage/sessionStorage items
|
|
for store_name, store in [("localStorage", local_storage), ("sessionStorage", session_storage)]:
|
|
for key, val in store.items():
|
|
if not isinstance(val, str) or not val:
|
|
continue
|
|
key_lower = key.lower()
|
|
|
|
# Explicit auth-named keys
|
|
if any(k in key_lower for k in TOKEN_KEYS):
|
|
preview = _preview(val)
|
|
score = 85 if "token" in key_lower and val.count(".") >= 2 else 75
|
|
_add(candidates, "bearer_token", f"{store_name}.{key}", val, preview,
|
|
f"{store_name}.{key}", score)
|
|
elif any(k in key_lower for k in SECRET_KEYS):
|
|
_add(candidates, "credential", f"{store_name}.{key}", val, _preview(val),
|
|
f"{store_name}.{key}", 70)
|
|
|
|
# Looks like a JWT (xx.yy.zz format)
|
|
if val.count(".") >= 2 and 20 < len(val) < 5000:
|
|
if dedup_key := val not in seen:
|
|
seen.add(val)
|
|
_add(candidates, "bearer_token", f"{store_name}.{key}", val, _preview(val),
|
|
f"{store_name}.{key} (JWT)", 80)
|
|
|
|
# sk-xxx API key pattern
|
|
if val.startswith("sk-") and len(val) > 10:
|
|
_add(candidates, "bearer_token", f"{store_name}.{key}", val, _preview(val),
|
|
f"{store_name}.{key} (API Key)", 90)
|
|
|
|
if not new_api_user:
|
|
new_api_user = _find_new_api_user(local_storage, session_storage)
|
|
|
|
# 3. Session cookies
|
|
for c in cookies:
|
|
cname = c["name"].lower()
|
|
if any(k in cname for k in SESSION_COOKIE_NAMES):
|
|
preview = _preview(c["value"])
|
|
cookie_val = f"{c['name']}={c['value']}"
|
|
confidence = 99 if cname == "session" else 85
|
|
extra = {"cookie_name": c["name"], "cookie_value": c["value"]}
|
|
if cname == "session" and new_api_user:
|
|
extra["new_api_user"] = new_api_user
|
|
_add(candidates, "cookie", f"cookie:{c['name']}", cookie_val, preview,
|
|
f"Cookie {c['name']} ({c['domain']})", confidence,
|
|
extra=extra)
|
|
|
|
candidates.sort(key=lambda item: (
|
|
0 if item.get("type") == "cookie" and item.get("cookie_name") == "session" else
|
|
1 if item.get("type") == "cookie" else
|
|
2,
|
|
-int(item.get("confidence") or 0),
|
|
))
|
|
return candidates
|
|
|
|
|
|
def _find_storage_value(*stores: dict[str, str], key: str) -> str:
|
|
for store in stores:
|
|
value = store.get(key)
|
|
if isinstance(value, str) and value.strip():
|
|
return value.strip()
|
|
return ""
|
|
|
|
|
|
def _find_new_api_user(*stores: dict[str, str]) -> str:
|
|
uid = _find_storage_value(*stores, key="uid")
|
|
if uid:
|
|
return uid
|
|
user_raw = _find_storage_value(*stores, key="user")
|
|
if not user_raw:
|
|
return ""
|
|
try:
|
|
user = json.loads(user_raw)
|
|
except Exception:
|
|
return ""
|
|
if isinstance(user, dict):
|
|
for key in ("id", "user_id", "userId"):
|
|
value = user.get(key)
|
|
if value is not None:
|
|
return str(value).strip()
|
|
return ""
|
|
|
|
|
|
def _add(
|
|
candidates: list[dict[str, Any]],
|
|
ctype: str,
|
|
source: str,
|
|
value: str,
|
|
preview: str,
|
|
label: str,
|
|
confidence: int,
|
|
extra: dict | None = None,
|
|
) -> None:
|
|
"""Add a candidate entry. Value is masked in logs."""
|
|
logger.debug("auth-capture candidate: type=%s source=%s confidence=%d", ctype, source, confidence)
|
|
entry: dict[str, Any] = {
|
|
"type": ctype,
|
|
"source": source,
|
|
"value": value,
|
|
"preview": preview,
|
|
"label": label,
|
|
"confidence": confidence,
|
|
}
|
|
if extra:
|
|
entry.update(extra)
|
|
candidates.append(entry)
|
|
|
|
|
|
def _preview(value: str) -> str:
|
|
"""Generate a masked preview of a credential."""
|
|
if not value or len(value) <= 8:
|
|
return "***"
|
|
if len(value) <= 16:
|
|
return value[:4] + "…" + value[-4:]
|
|
return value[:8] + "…" + value[-6:]
|