Skip to content

feat: Windows DPAPI cookie decryption + v20 fallback#392

Open
getabsolutehealth wants to merge 4 commits intogarrytan:mainfrom
getabsolutehealth:claude/windows-cookie-import
Open

feat: Windows DPAPI cookie decryption + v20 fallback#392
getabsolutehealth wants to merge 4 commits intogarrytan:mainfrom
getabsolutehealth:claude/windows-cookie-import

Conversation

@getabsolutehealth
Copy link

@getabsolutehealth getabsolutehealth commented Mar 23, 2026

Summary

  • Windows DPAPI cookie decryption — cookie import now works on Windows via DPAPI + AES-256-GCM for v10 cookies. Supports Chrome, Edge, Brave, Arc, Comet with multi-profile detection.
  • v20 App-Bound Encryption fallback — when Chrome 127+ v20 cookies can't be decrypted, the picker UI shows a console-script fallback (paste one line in DevTools).
  • New /cookie-picker/import-raw endpoint — accepts pre-decrypted cookies for the fallback flow.
  • Platform-aware browser open — picker now opens correctly on Windows.
  • 5 review-driven fixescmd /c start title arg, dangling setTimeout, short buffer protection, SQLITE_CANTOPEN handling, empty domain filter.

Test Coverage

23 tests pass (0 fail). 5 new AES-256-GCM tests: round-trip, special chars, empty value, tampered auth tag, tampered ciphertext.

Pre-Landing Review

1 issue found, auto-fixed (empty domain cookies in import-raw endpoint). Adversarial review found 5 additional fixable issues — all auto-fixed.

Test plan

  • Cookie import tests pass (23 tests, 0 failures)
  • Windows AES-256-GCM round-trip decryption verified
  • Auth tag tamper detection verified
  • Pre-existing test failures triaged (unrelated: missing diff package, browse binary)

🤖 Generated with Claude Code

Anthony Pellegrino and others added 4 commits March 23, 2026 11:38
feat: Windows DPAPI cookie decryption support
4286dee 
Add cross-platform cookie extraction for Windows Chromium browsers:
- Platform-aware path resolution (LOCALAPPDATA + windowsDataDir)
- DPAPI key extraction via PowerShell for v10 cookies
- AES-256-GCM decryption (Windows) alongside existing AES-128-CBC (macOS)
- Multi-profile detection (Default + Profile N directories)
- Network/Cookies path support for newer Chromium
- SQLITE_CANTOPEN handling for Windows exclusive file locks
- Informative v20 App-Bound Encryption error message
- Short buffer protection in decryptWindows
- Dangling timeout fix in DPAPI PowerShell call
- 5 new AES-256-GCM round-trip and tamper-detection tests
feat: v20 cookie fallback — import-raw endpoint and picker UI
ea40563 
When Windows v20 App-Bound Encryption prevents direct decryption:
- New /cookie-picker/import-raw POST endpoint accepts pre-decrypted cookies
- Picker UI shows console-script fallback with copy button
- Script captures document.cookie and sends to gstack's import-raw endpoint
- Domain validation skips cookies without a domain
fix: platform-aware browser open command for cookie picker
df578ec 
- Windows: cmd /c start '' <url> (with empty title arg)
- macOS: open <url>
@claude
chore: bump version and changelog (v0.11.6.0)
a7ee0b5 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@johnbanr johnbanr mentioned this pull request Mar 23, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@getabsolutehealth