Skip to content

Fix desktop CF Access cookie pairing#93

Open
wizzoapp[bot] wants to merge 3 commits into
mainfrom
wizzo/cf-access-pairing-cookie
Open

Fix desktop CF Access cookie pairing#93
wizzoapp[bot] wants to merge 3 commits into
mainfrom
wizzo/cf-access-pairing-cookie

Conversation

@wizzoapp

@wizzoapp wizzoapp Bot commented Jul 6, 2026

Copy link
Copy Markdown

Summary

  • bind the Cloudflare Access sign-in window to Electron.session.defaultSession so capture and pairing use the same cookie jar
  • install the captured CF_Authorization value into the desktop webRequest header hook so the Add Environment descriptor/OAuth requests carry it deterministically
  • cover default-session sign-in, stale CF_Authorization replacement, and pre-request pairing credential installation

Tests

  • ./node_modules/.bin/vp test apps/desktop/src/ipc/methods/cloudflareAccess.test.ts packages/client-runtime/src/connection/onboarding.test.ts
  • ./node_modules/.bin/vp run --filter @t3tools/desktop --filter @t3tools/client-runtime typecheck
  • factory pre-commit gate on 3bfeeb8: PASS (static checks + Codex gpt-5.5 autoreview clean)

@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 18:10
@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 18:34
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 18:34

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3bfeeb8faa

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

...filteredHeaders(headers),
...(cookieHeader
? {
[CLOUDFLARE_ACCESS_COOKIE_HEADER_NAME]: cookieHeader,

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Clear stale Access cookie rules before sign-in

When a saved desktop Cloudflare Access cookie has been installed for an origin, this persists that exact cookie in the session-wide webRequest rule. Later, if the user follows the existing re-authenticate path for the same origin, authenticateCloudflareAccess clears Electron cookies but does not delete this rule, and the auth window uses Electron.session.defaultSession, so onBeforeSendHeaders injects the stale CF_Authorization cookie right back into the sign-in navigation. In that expired/stale-cookie scenario the user cannot get a clean Access login; clear or suspend the rule for the origin while capturing a replacement cookie.

Useful? React with 👍 / 👎.

@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 20:55
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 20:55
@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 20:55
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 20:55
@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 21:00
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 21:00
@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 21:05
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 21:05
@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 21:11
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 21:11
@wizzoapp wizzoapp Bot marked this pull request as draft July 6, 2026 21:16
@wizzoapp wizzoapp Bot marked this pull request as ready for review July 6, 2026 21:16

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0484a9d4c9

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

await clearAccessCookies(session, origin);
}
configureCloudflareAccessHeaders(session, origin, input.headers);
configureCloudflareAccessHeaders(session, origin, input.headers, cookieValue);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Roll back header rules when cookie install fails

When input.cookieValue is non-empty, this configures the webRequest rule before installAccessCookie runs. If session.cookies.set rejects, installCloudflareAccessCredentials reports failure but the in-memory rule remains and will still inject that rejected CF_Authorization value on later requests to the origin (and stale cookies may already have been cleared). Move the rule update after a successful cookie install or restore the previous rule in the catch path so a failed install does not leave active credentials behind.

Useful? React with 👍 / 👎.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a2dd90d784

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

try {
if (!capturedReplacementCookie) {
await restoreAccessCookies(session, options.origin, previousAccessCookies);
restoreCloudflareAccessHeaders(suspendedAccessHeaders);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Restore headers even when cookie rollback fails

When a failed or cancelled reauth has suspended an existing Cloudflare Access header rule, this restore only runs after restoreAccessCookies completes. If Electron rejects any session.cookies.set while rolling back the previous cookies, the function exits before restoring the in-memory webRequest rule, leaving saved Access transport disabled for that origin even though the login failed. Restore the suspended headers in a finally around the cookie rollback so this rollback path is independent of cookie-store failures.

Useful? React with 👍 / 👎.

Comment on lines +336 to +340
cloudflareAccessHeaderRules.delete(requestOriginKey);
return {
requestOriginKey,
headers: previousHeaders,
version: bumpCloudflareAccessHeaderRuleVersion(requestOriginKey),

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Preserve suspended headers across overlapping attempts

When two cookie installs or reauths for the same origin overlap, the first call records the existing rule, but the second call reaches this path after the map is already empty and bumps the version with headers: undefined. If both attempts then fail or are cancelled without installing a replacement, the second restore has nothing to restore and the first restore is skipped by the version mismatch, so the saved Cloudflare Access header rule is permanently lost for that origin. Track nested suspensions per origin, or avoid invalidating the original suspension when there was no rule to suspend.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants