feat(ext): verify cookies in-browser before uploading (1.0.7) #57
Reference in New Issue
Block a user
Delete Branch "dev"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Operator hit a 401 from HentaiFoundry today — the browser's HF session had expired, the extension faithfully captured the stale cookie jar, FC stored it, gallery-dl tried to use it, HF said no. The extension has no cookie cache between clicks (every export is a live read from
browser.cookies.getAll), so the only place to catch a stale jar is to actually use it against the platform before pushing it to FC.This change adds a pre-upload verify request from the extension's background context. With
host_permissionsfor the platform domain, the browser auto-attaches the user's current cookies tofetch()— same set gallery-dl will later use.lib/platforms.js—verifyconfig per cookie-auth platform:HEAD /?enterAgree=1(mirrors gallery-dl's_init_site_filters; same 401 path the operator hit)GET /api/current_user(clean 401 when logged out)lib/cookies.js—verifyCookiesForPlatform(key)returns tri-state{ok: true | false | null}.null= no verify config, caller proceeds (legacy behavior);false= explicit fail with reasonbackground.js—EXPORT_COOKIES+EXPORT_ALL_COOKIESgate the upload on verify; on fail, error bubbles up without overwriting FC-side credentialspopup.js— success message appends "(verified ✓)" when applicablemanifest.json+package.json— 1.0.6 → 1.0.7 (triggersbuild.yml'ssign-extensionon this merge so the new XPI lands in:latest)Test plan
extension.ymllint green (run 351)ci.ymlgreen (run 350) — backend untouchedbuild.ymlsigns v1.0.7 via AMO →build-webbundles it into:latestRelated: scribe task #590 (today's ML normalization, also shipped).
Pre-upload verify request: after capturing the live browser cookies, hit a known authenticated endpoint with credentials:'include' from the extension's background context. If the platform reports we're not logged in, abort the upload so we don't overwrite FC-side credentials with stale data. - platforms.js: add `verify` config per cookie-auth platform - hentaifoundry: HEAD /?enterAgree=1 (mirrors gallery-dl's HF _init_site_filters; same 401 path the operator hit 2026-06-03) - patreon: GET /api/current_user (clean 401 when logged out) - subscribestar, deviantart: no stable auth endpoint, skip verify - cookies.js: verifyCookiesForPlatform() returns {ok, status, reason}. ok=true/false/null tri-state — null = verify not configured, caller treats as "proceed". - background.js EXPORT_COOKIES + EXPORT_ALL_COOKIES: verify gates the upload; failures bubble up with the platform's name + reason. - popup.js: success message now appends "(verified ✓)" when applicable. - manifest + package.json: 1.0.6 → 1.0.7.