|
| 1 | +# Authentication Patterns |
| 2 | + |
| 3 | +Login flows, session persistence, OAuth, 2FA, and authenticated browsing. |
| 4 | + |
| 5 | +**Related**: [session-management.md](session-management.md) for state persistence details, [SKILL.md](../SKILL.md) for quick start. |
| 6 | + |
| 7 | +## Contents |
| 8 | + |
| 9 | +- [Import Auth from Your Browser](#import-auth-from-your-browser) |
| 10 | +- [Persistent Profiles](#persistent-profiles) |
| 11 | +- [Session Persistence](#session-persistence) |
| 12 | +- [Basic Login Flow](#basic-login-flow) |
| 13 | +- [Saving Authentication State](#saving-authentication-state) |
| 14 | +- [Restoring Authentication](#restoring-authentication) |
| 15 | +- [OAuth / SSO Flows](#oauth--sso-flows) |
| 16 | +- [Two-Factor Authentication](#two-factor-authentication) |
| 17 | +- [HTTP Basic Auth](#http-basic-auth) |
| 18 | +- [Cookie-Based Auth](#cookie-based-auth) |
| 19 | +- [Token Refresh Handling](#token-refresh-handling) |
| 20 | +- [Security Best Practices](#security-best-practices) |
| 21 | + |
| 22 | +## Import Auth from Your Browser |
| 23 | + |
| 24 | +The fastest way to authenticate is to reuse cookies from a Chrome session you are already logged into. |
| 25 | + |
| 26 | +**Step 1: Start Chrome with remote debugging** |
| 27 | + |
| 28 | +```bash |
| 29 | +# macOS |
| 30 | +"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --remote-debugging-port=9222 |
| 31 | + |
| 32 | +# Linux |
| 33 | +google-chrome --remote-debugging-port=9222 |
| 34 | + |
| 35 | +# Windows |
| 36 | +"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 |
| 37 | +``` |
| 38 | + |
| 39 | +Log in to your target site(s) in this Chrome window as you normally would. |
| 40 | + |
| 41 | +> **Security note:** `--remote-debugging-port` exposes full browser control on localhost. Any local process can connect and read cookies, execute JS, etc. Only use on trusted machines and close Chrome when done. |
| 42 | +
|
| 43 | +**Step 2: Grab the auth state** |
| 44 | + |
| 45 | +```bash |
| 46 | +# Auto-discover the running Chrome and save its cookies + localStorage |
| 47 | +agent-browser --auto-connect state save ./my-auth.json |
| 48 | +``` |
| 49 | + |
| 50 | +**Step 3: Reuse in automation** |
| 51 | + |
| 52 | +```bash |
| 53 | +# Load auth at launch |
| 54 | +agent-browser --state ./my-auth.json open https://app.example.com/dashboard |
| 55 | + |
| 56 | +# Or load into an existing session |
| 57 | +agent-browser state load ./my-auth.json |
| 58 | +agent-browser open https://app.example.com/dashboard |
| 59 | +``` |
| 60 | + |
| 61 | +This works for any site, including those with complex OAuth flows, SSO, or 2FA -- as long as Chrome already has valid session cookies. |
| 62 | + |
| 63 | +> **Security note:** State files contain session tokens in plaintext. Add them to `.gitignore`, delete when no longer needed, and set `AGENT_BROWSER_ENCRYPTION_KEY` for encryption at rest. See [Security Best Practices](#security-best-practices). |
| 64 | +
|
| 65 | +**Tip:** Combine with `--session-name` so the imported auth auto-persists across restarts: |
| 66 | + |
| 67 | +```bash |
| 68 | +agent-browser --session-name myapp state load ./my-auth.json |
| 69 | +# From now on, state is auto-saved/restored for "myapp" |
| 70 | +``` |
| 71 | + |
| 72 | +## Persistent Profiles |
| 73 | + |
| 74 | +Use `--profile` to point agent-browser at a Chrome user data directory. This persists everything (cookies, IndexedDB, service workers, cache) across browser restarts without explicit save/load: |
| 75 | + |
| 76 | +```bash |
| 77 | +# First run: login once |
| 78 | +agent-browser --profile ~/.myapp-profile open https://app.example.com/login |
| 79 | +# ... complete login flow ... |
| 80 | + |
| 81 | +# All subsequent runs: already authenticated |
| 82 | +agent-browser --profile ~/.myapp-profile open https://app.example.com/dashboard |
| 83 | +``` |
| 84 | + |
| 85 | +Use different paths for different projects or test users: |
| 86 | + |
| 87 | +```bash |
| 88 | +agent-browser --profile ~/.profiles/admin open https://app.example.com |
| 89 | +agent-browser --profile ~/.profiles/viewer open https://app.example.com |
| 90 | +``` |
| 91 | + |
| 92 | +Or set via environment variable: |
| 93 | + |
| 94 | +```bash |
| 95 | +export AGENT_BROWSER_PROFILE=~/.myapp-profile |
| 96 | +agent-browser open https://app.example.com/dashboard |
| 97 | +``` |
| 98 | + |
| 99 | +## Session Persistence |
| 100 | + |
| 101 | +Use `--session-name` to auto-save and restore cookies + localStorage by name, without managing files: |
| 102 | + |
| 103 | +```bash |
| 104 | +# Auto-saves state on close, auto-restores on next launch |
| 105 | +agent-browser --session-name twitter open https://twitter.com |
| 106 | +# ... login flow ... |
| 107 | +agent-browser close # state saved to ~/.agent-browser/sessions/ |
| 108 | + |
| 109 | +# Next time: state is automatically restored |
| 110 | +agent-browser --session-name twitter open https://twitter.com |
| 111 | +``` |
| 112 | + |
| 113 | +Encrypt state at rest: |
| 114 | + |
| 115 | +```bash |
| 116 | +export AGENT_BROWSER_ENCRYPTION_KEY=$(openssl rand -hex 32) |
| 117 | +agent-browser --session-name secure open https://app.example.com |
| 118 | +``` |
| 119 | + |
| 120 | +## Basic Login Flow |
| 121 | + |
| 122 | +```bash |
| 123 | +# Navigate to login page |
| 124 | +agent-browser open https://app.example.com/login |
| 125 | +agent-browser wait --load networkidle |
| 126 | + |
| 127 | +# Get form elements |
| 128 | +agent-browser snapshot -i |
| 129 | +# Output: @e1 [input type="email"], @e2 [input type="password"], @e3 [button] "Sign In" |
| 130 | + |
| 131 | +# Fill credentials |
| 132 | +agent-browser fill @e1 "user@example.com" |
| 133 | +agent-browser fill @e2 "password123" |
| 134 | + |
| 135 | +# Submit |
| 136 | +agent-browser click @e3 |
| 137 | +agent-browser wait --load networkidle |
| 138 | + |
| 139 | +# Verify login succeeded |
| 140 | +agent-browser get url # Should be dashboard, not login |
| 141 | +``` |
| 142 | + |
| 143 | +## Saving Authentication State |
| 144 | + |
| 145 | +After logging in, save state for reuse: |
| 146 | + |
| 147 | +```bash |
| 148 | +# Login first (see above) |
| 149 | +agent-browser open https://app.example.com/login |
| 150 | +agent-browser snapshot -i |
| 151 | +agent-browser fill @e1 "user@example.com" |
| 152 | +agent-browser fill @e2 "password123" |
| 153 | +agent-browser click @e3 |
| 154 | +agent-browser wait --url "**/dashboard" |
| 155 | + |
| 156 | +# Save authenticated state |
| 157 | +agent-browser state save ./auth-state.json |
| 158 | +``` |
| 159 | + |
| 160 | +## Restoring Authentication |
| 161 | + |
| 162 | +Skip login by loading saved state: |
| 163 | + |
| 164 | +```bash |
| 165 | +# Load saved auth state |
| 166 | +agent-browser state load ./auth-state.json |
| 167 | + |
| 168 | +# Navigate directly to protected page |
| 169 | +agent-browser open https://app.example.com/dashboard |
| 170 | + |
| 171 | +# Verify authenticated |
| 172 | +agent-browser snapshot -i |
| 173 | +``` |
| 174 | + |
| 175 | +## OAuth / SSO Flows |
| 176 | + |
| 177 | +For OAuth redirects: |
| 178 | + |
| 179 | +```bash |
| 180 | +# Start OAuth flow |
| 181 | +agent-browser open https://app.example.com/auth/google |
| 182 | + |
| 183 | +# Handle redirects automatically |
| 184 | +agent-browser wait --url "**/accounts.google.com**" |
| 185 | +agent-browser snapshot -i |
| 186 | + |
| 187 | +# Fill Google credentials |
| 188 | +agent-browser fill @e1 "user@gmail.com" |
| 189 | +agent-browser click @e2 # Next button |
| 190 | +agent-browser wait 2000 |
| 191 | +agent-browser snapshot -i |
| 192 | +agent-browser fill @e3 "password" |
| 193 | +agent-browser click @e4 # Sign in |
| 194 | + |
| 195 | +# Wait for redirect back |
| 196 | +agent-browser wait --url "**/app.example.com**" |
| 197 | +agent-browser state save ./oauth-state.json |
| 198 | +``` |
| 199 | + |
| 200 | +## Two-Factor Authentication |
| 201 | + |
| 202 | +Handle 2FA with manual intervention: |
| 203 | + |
| 204 | +```bash |
| 205 | +# Login with credentials |
| 206 | +agent-browser open https://app.example.com/login --headed # Show browser |
| 207 | +agent-browser snapshot -i |
| 208 | +agent-browser fill @e1 "user@example.com" |
| 209 | +agent-browser fill @e2 "password123" |
| 210 | +agent-browser click @e3 |
| 211 | + |
| 212 | +# Wait for user to complete 2FA manually |
| 213 | +echo "Complete 2FA in the browser window..." |
| 214 | +agent-browser wait --url "**/dashboard" --timeout 120000 |
| 215 | + |
| 216 | +# Save state after 2FA |
| 217 | +agent-browser state save ./2fa-state.json |
| 218 | +``` |
| 219 | + |
| 220 | +## HTTP Basic Auth |
| 221 | + |
| 222 | +For sites using HTTP Basic Authentication: |
| 223 | + |
| 224 | +```bash |
| 225 | +# Set credentials before navigation |
| 226 | +agent-browser set credentials username password |
| 227 | + |
| 228 | +# Navigate to protected resource |
| 229 | +agent-browser open https://protected.example.com/api |
| 230 | +``` |
| 231 | + |
| 232 | +## Cookie-Based Auth |
| 233 | + |
| 234 | +Manually set authentication cookies: |
| 235 | + |
| 236 | +```bash |
| 237 | +# Set auth cookie |
| 238 | +agent-browser cookies set session_token "abc123xyz" |
| 239 | + |
| 240 | +# Navigate to protected page |
| 241 | +agent-browser open https://app.example.com/dashboard |
| 242 | +``` |
| 243 | + |
| 244 | +## Token Refresh Handling |
| 245 | + |
| 246 | +For sessions with expiring tokens: |
| 247 | + |
| 248 | +```bash |
| 249 | +#!/bin/bash |
| 250 | +# Wrapper that handles token refresh |
| 251 | + |
| 252 | +STATE_FILE="./auth-state.json" |
| 253 | + |
| 254 | +# Try loading existing state |
| 255 | +if [[ -f "$STATE_FILE" ]]; then |
| 256 | + agent-browser state load "$STATE_FILE" |
| 257 | + agent-browser open https://app.example.com/dashboard |
| 258 | + |
| 259 | + # Check if session is still valid |
| 260 | + URL=$(agent-browser get url) |
| 261 | + if [[ "$URL" == *"/login"* ]]; then |
| 262 | + echo "Session expired, re-authenticating..." |
| 263 | + # Perform fresh login |
| 264 | + agent-browser snapshot -i |
| 265 | + agent-browser fill @e1 "$USERNAME" |
| 266 | + agent-browser fill @e2 "$PASSWORD" |
| 267 | + agent-browser click @e3 |
| 268 | + agent-browser wait --url "**/dashboard" |
| 269 | + agent-browser state save "$STATE_FILE" |
| 270 | + fi |
| 271 | +else |
| 272 | + # First-time login |
| 273 | + agent-browser open https://app.example.com/login |
| 274 | + # ... login flow ... |
| 275 | +fi |
| 276 | +``` |
| 277 | + |
| 278 | +## Security Best Practices |
| 279 | + |
| 280 | +1. **Never commit state files** - They contain session tokens |
| 281 | + ```bash |
| 282 | + echo "*.auth-state.json" >> .gitignore |
| 283 | + ``` |
| 284 | + |
| 285 | +2. **Use environment variables for credentials** |
| 286 | + ```bash |
| 287 | + agent-browser fill @e1 "$APP_USERNAME" |
| 288 | + agent-browser fill @e2 "$APP_PASSWORD" |
| 289 | + ``` |
| 290 | + |
| 291 | +3. **Clean up after automation** |
| 292 | + ```bash |
| 293 | + agent-browser cookies clear |
| 294 | + rm -f ./auth-state.json |
| 295 | + ``` |
| 296 | + |
| 297 | +4. **Use short-lived sessions for CI/CD** |
| 298 | + ```bash |
| 299 | + # Don't persist state in CI |
| 300 | + agent-browser open https://app.example.com/login |
| 301 | + # ... login and perform actions ... |
| 302 | + agent-browser close # Session ends, nothing persisted |
| 303 | + ``` |
0 commit comments