fix(auth): send Origin+Referer + full cookie set to defeat 403 on UserByRestId

Live test on macOS hit a hard 403 from UserByRestId even with a valid
session pinned via --profile. Two missing pieces vs what a real Chrome
sends, both fixed:

1. Origin and Referer headers were never set.

   x-cli already declared `sec-fetch-site: same-origin` but didn't send
   the actual Origin header. X's gateway uses Origin as its same-origin
   CSRF check on top of x-csrf-token, and rejects the request when it
   can't validate where it came from. Real browsers add Origin/Referer
   automatically; Go's net/http does not.

   api/client.go applyHeaders now sets:

     Origin:  https://x.com
     Referer: https://x.com/

   on every request. Authenticated and unauthenticated alike — every
   request x-cli makes is to x.com, so this is unconditionally correct.

2. We were filtering the imported cookie set down to 6 names.

   The browser-import path used a cookieNamesWanted allowlist
   (auth_token, ct0, twid, kdt, att, guest_id). Real browsers send the
   ENTIRE cookie set on every request — typically 25-50 cookies for
   x.com. Dropping personalization_id, gt, _twitter_sess, lang, etc.
   lets X's anti-abuse model fingerprint us as "non-browser" because
   no real Chrome would ever omit them.

   cmd/auth.go now imports every cookie kooky returns for x.com (no
   filter), and only enforces that auth_token + ct0 are present
   (the cookieNamesRequired set, renamed from Wanted).

   Verbose output prints the imported cookie names (not values) so
   the user can see what we have to work with.

   summarizeCookieNames + a tiny sortStrings helper for that.

Net result: same hosting overhead, ~1KB more in the keychain blob,
but the wire matches what Chrome sends and the same-origin check
should now pass.

If the 403 persists after this, the next layer is TLS fingerprinting
(JA3/JA4 from Go stdlib != Chrome) which needs `refraction-networking
/utls`. That was on the v0.1 plan; this commit does not yet wire it.

Author: lroolle

api/client.go

@@ -213,6 +213,13 @@ func (c *Client) applyHeaders(req *http.Request, opts requestOpts) {
 	req.Header.Set("x-twitter-active-user", "yes")
 	req.Header.Set("x-twitter-client-language", "en")
 
+	// Origin + Referer are required for X's same-origin CSRF check.
+	// Without them the gateway treats the call as cross-site and 403s
+	// authenticated reads. Real browsers add these automatically; Go's
+	// net/http does not, so we set them ourselves.
+	req.Header.Set("Origin", "https://x.com")
+	req.Header.Set("Referer", "https://x.com/")
+
 	// Client-hint headers matched to the UA. Pinned, not rotated per-request.
 	req.Header.Set("sec-ch-ua", `"Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"`)
 	req.Header.Set("sec-ch-ua-mobile", "?0")

cmd/auth.go

@@ -125,11 +125,12 @@ func runAuthBrowsers(cmd *cobra.Command, _ []string) error {
 	return nil
 }
 
-// cookieNamesWanted is the subset of browser cookies x-cli imports.
-// auth_token and ct0 are required; twid carries the user id so we can
-// skip a UserByScreenName roundtrip on `auth status`; the others are
-// helpful for stable header building but not strictly required.
-var cookieNamesWanted = []string{"auth_token", "ct0", "twid", "kdt", "att", "guest_id"}
+// cookieNamesRequired must be present after import or x-cli refuses
+// to save the session. Everything else kooky reads from the browser
+// store is also imported — real browsers send the full cookie set on
+// every request, and dropping minor cookies (personalization_id, gt,
+// _twitter_sess) confuses X's same-origin CSRF check on some routes.
+var cookieNamesRequired = []string{"auth_token", "ct0"}
 
 func runAuthImport(cmd *cobra.Command, _ []string) error {
 	cmdutil.Warn("Reminder: x-cli uses your real logged-in session. Automation can get")
@@ -258,12 +259,17 @@ func readBrowserCookies(browser, profile string, softMiss bool) (string, error)
 		return "", err
 	}
 
-	raw := browsercookies.FormatCookieHeader(res.Cookies, cookieNamesWanted)
-	if raw == "" {
-		return "", fmt.Errorf("required cookies (auth_token, ct0) not in %s/%s — are you logged in to x.com on that profile?", res.Browser, res.Profile)
+	// Send everything the browser stores for x.com. Filtering down to
+	// a "wanted" subset breaks X's same-origin checks on some routes.
+	raw := browsercookies.FormatCookieHeader(res.Cookies, nil)
+	for _, name := range cookieNamesRequired {
+		if v, ok := res.Cookies[name]; !ok || v == "" {
+			return "", fmt.Errorf("required cookie %q not present in %s/%s — are you logged in to x.com on that profile?", name, res.Browser, res.Profile)
+		}
 	}
 
 	cmdutil.Success("using %s / %s (%s)", res.Browser, res.Profile, res.Source)
+	cmdutil.Info("imported %d cookie(s): %s", len(res.Cookies), summarizeCookieNames(res.Cookies))
 	if len(res.Alternatives) > 0 {
 		cmdutil.Warn("also found x.com sessions in:")
 		for _, a := range res.Alternatives {
@@ -274,20 +280,27 @@ func readBrowserCookies(browser, profile string, softMiss bool) (string, error)
 	return raw, nil
 }
 
-func promptCookiePaste() (string, error) {
-	return cmdutil.ReadSecret("Paste cookie header (auth_token=...; ct0=...): ")
+// summarizeCookieNames returns a comma-separated, sorted list of cookie
+// names — values are never logged.
+func summarizeCookieNames(cookies map[string]string) string {
+	names := make([]string, 0, len(cookies))
+	for k := range cookies {
+		names = append(names, k)
+	}
+	sortStrings(names)
+	return strings.Join(names, ", ")
 }
 
-// countCookies returns how many of the wanted names are present in the
-// cookie map. Used only for the friendly log line.
-func countCookies(cookies map[string]string, wanted []string) int {
-	n := 0
-	for _, k := range wanted {
-		if v, ok := cookies[k]; ok && v != "" {
-			n++
+func sortStrings(s []string) {
+	for i := 1; i < len(s); i++ {
+		for j := i; j > 0 && s[j] < s[j-1]; j-- {
+			s[j], s[j-1] = s[j-1], s[j]
 		}
 	}
-	return n
+}
+
+func promptCookiePaste() (string, error) {
+	return cmdutil.ReadSecret("Paste cookie header (auth_token=...; ct0=...): ")
 }
 
 func runAuthStatus(cmd *cobra.Command, _ []string) error {