fix(browse): log decrypt failures behind GSTACK_DEBUG in cookie-import#1114
Open
mvanhorn wants to merge 1 commit intogarrytan:mainfrom
Open
fix(browse): log decrypt failures behind GSTACK_DEBUG in cookie-import#1114mvanhorn wants to merge 1 commit intogarrytan:mainfrom
mvanhorn wants to merge 1 commit intogarrytan:mainfrom
Conversation
cookie-import-browser silently drops cookies that fail to decrypt, leaving users unable to tell which cookies failed or why. The Keychain entry behind Arc's Safe Storage can rotate, invalidating older encrypted_value blobs while newer ones still decrypt, producing the partial-import symptom reported. Keep the existing failed counter, but surface per-row detail when GSTACK_DEBUG=1 or DEBUG=1 is set. Log host_key and cookie name plus the error code and message to stderr. Never log cookie values. Closes garrytan#1057
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The decrypt loop in
importCookiesuses a barecatch {}that swallows the error. Thefailedcounter is surfaced in CLI output, but users have no visibility into which cookies failed or why, so partial-import bugs like #1057 become hard to diagnose.Keep the counter, but log per-row detail on stderr when
GSTACK_DEBUG=1orDEBUG=1is set. Output is byte-identical for the default path.Changes
browse/src/cookie-import-browser.ts:282- replacecatch {}with a typed catch that logshost_key/nameplus the error code and message when the debug env var is set.importCookiesViaCdphas no parallel bare-catch and is unchanged.Testing
bun test browse/test/cookie-import-browser.test.ts- 22 pass, 0 failbun run build- cleanThe manual repro the reporter describes (
browse cookie-import-browser arc --domain slack.com --profile "Profile 14") needs a macOS keychain state that rotated at some point. WithGSTACK_DEBUG=1set, every decrypt failure in that run will now print a line like:which is enough to distinguish Keychain rotation, v20 App-Bound Encryption, DB corruption, or a per-cookie format edge case.
Closes #1057
This contribution was developed with AI assistance (Codex).