agent-messenger 2.1.0 → 2.2.0

package/src/platforms/teams/commands/auth.ts

@@ -2,6 +2,7 @@ import { Command } from 'commander'
 
 import { handleError } from '@/shared/utils/error-handler'
 import { formatOutput } from '@/shared/utils/output'
+import { debug } from '@/shared/utils/stderr'
 
 import { TeamsClient } from '../client'
 import { TeamsCredentialManager } from '../credential-manager'
@@ -35,7 +36,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
     }
 
     if (options.debug) {
-      console.error('[debug] Extracting Teams tokens from all accounts...')
+      debug('[debug] Extracting Teams tokens from all accounts...')
     }
 
     const extracted = await extractor.extract()
@@ -54,7 +55,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
     }
 
     if (options.debug) {
-      console.error(`[debug] Found ${extracted.length} account(s)`)
+      debug(`[debug] Found ${extracted.length} account(s)`)
     }
 
     const credManager = new TeamsCredentialManager()
@@ -67,7 +68,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
 
     for (const { token, accountType } of extracted) {
       if (options.debug) {
-        console.error(`[debug] Validating ${accountType} account token...`)
+        debug(`[debug] Validating ${accountType} account token...`)
       }
 
       try {
@@ -76,7 +77,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
         const teams = await client.listTeams()
 
         if (options.debug) {
-          console.error(`[debug] ✓ ${accountType}: ${authInfo.displayName} (${teams.length} team(s))`)
+          debug(`[debug] ✓ ${accountType}: ${authInfo.displayName} (${teams.length} team(s))`)
         }
 
         const teamMap: Record<string, { team_id: string; team_name: string }> = {}
@@ -107,7 +108,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
         const errorMessage = (error as Error).message
         const is401 = errorMessage.includes('401') || errorMessage.includes('Unauthorized')
         if (options.debug) {
-          console.error(`[debug] ✗ ${accountType}: ${errorMessage}`)
+          debug(`[debug] ✗ ${accountType}: ${errorMessage}`)
         }
         if (extracted.length === 1) {
           console.log(
@@ -139,7 +140,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
     await credManager.saveConfig(config)
 
     if (options.debug) {
-      console.error('[debug] ✓ Credentials saved')
+      debug('[debug] ✓ Credentials saved')
     }
 
     console.log(
@@ -158,7 +159,7 @@ export async function extractAction(options: { pretty?: boolean; debug?: boolean
 
 async function extractManualToken(token: string, options: { pretty?: boolean; debug?: boolean }): Promise<void> {
   if (options.debug) {
-    console.error(`[debug] Using provided token: ${token.substring(0, 20)}...`)
+    debug(`[debug] Using provided token: ${token.substring(0, 20)}...`)
   }
 
   try {
@@ -202,7 +203,7 @@ async function extractManualToken(token: string, options: { pretty?: boolean; de
     await credManager.saveConfig(config)
 
     if (options.debug) {
-      console.error('[debug] ✓ Credentials saved')
+      debug('[debug] ✓ Credentials saved')
     }
 
     console.log(

package/src/platforms/teams/ensure-auth.ts

@@ -1,3 +1,5 @@
+import { warn } from '@/shared/utils/stderr'
+
 import { TeamsClient } from './client'
 import { TeamsCredentialManager } from './credential-manager'
 import { TeamsTokenExtractor } from './token-extractor'
@@ -47,7 +49,7 @@ export async function ensureTeamsAuth(): Promise<void> {
           newConfig.current_account = accountType
         }
       } catch (error) {
-        console.error(`[agent-teams] Skipping ${accountType} account: ${(error as Error).message}`)
+        warn(`[agent-teams] Skipping ${accountType} account: ${(error as Error).message}`)
       }
     }
 

package/src/platforms/teams/token-extractor.test.ts

@@ -11,10 +11,10 @@ describe('TeamsTokenExtractor', () => {
     extractor = new TeamsTokenExtractor()
   })
 
-  describe('getTeamsCookiesPaths', () => {
-    test('returns darwin paths on macOS with New Teams first', () => {
+  describe('getDesktopCookiesPaths', () => {
+    test('returns darwin desktop paths on macOS', () => {
       const darwinExtractor = new TeamsTokenExtractor('darwin')
-      const paths = darwinExtractor.getTeamsCookiesPaths()
+      const paths = darwinExtractor.getDesktopCookiesPaths()
 
       expect(paths).toEqual([
         {
@@ -75,9 +75,9 @@ describe('TeamsTokenExtractor', () => {
       ])
     })
 
-    test('returns linux paths on Linux', () => {
+    test('returns linux desktop path on Linux', () => {
       const linuxExtractor = new TeamsTokenExtractor('linux')
-      const paths = linuxExtractor.getTeamsCookiesPaths()
+      const paths = linuxExtractor.getDesktopCookiesPaths()
 
       expect(paths).toEqual([
         {
@@ -87,9 +87,9 @@ describe('TeamsTokenExtractor', () => {
       ])
     })
 
-    test('returns win32 paths on Windows with New Teams first', () => {
+    test('returns win32 desktop paths on Windows', () => {
       const winExtractor = new TeamsTokenExtractor('win32')
-      const paths = winExtractor.getTeamsCookiesPaths()
+      const paths = winExtractor.getDesktopCookiesPaths()
 
       const localAppData = process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local')
       const appdata = process.env.APPDATA || join(homedir(), 'AppData', 'Roaming')
@@ -143,6 +143,105 @@ describe('TeamsTokenExtractor', () => {
       ])
     })
 
+    test('returns empty array for unsupported platform', () => {
+      const unsupportedExtractor = new TeamsTokenExtractor('freebsd' as NodeJS.Platform)
+      expect(unsupportedExtractor.getDesktopCookiesPaths()).toEqual([])
+    })
+  })
+
+  describe('getBrowserCookiesPaths', () => {
+    test('returns browser cookie paths on macOS (at least Default profile per browser)', () => {
+      const darwinExtractor = new TeamsTokenExtractor('darwin')
+      const paths = darwinExtractor.getBrowserCookiesPaths()
+
+      const chromeBase = join(homedir(), 'Library', 'Application Support', 'Google', 'Chrome')
+      expect(paths).toContainEqual({
+        path: join(chromeBase, 'Default', 'Cookies'),
+        accountType: 'work',
+      })
+      expect(paths).toContainEqual({
+        path: join(chromeBase, 'Default', 'Network', 'Cookies'),
+        accountType: 'work',
+      })
+    })
+
+    test('returns browser cookie paths on Linux', () => {
+      const linuxExtractor = new TeamsTokenExtractor('linux')
+      const paths = linuxExtractor.getBrowserCookiesPaths()
+
+      const chromeBase = join(homedir(), '.config', 'google-chrome')
+      expect(paths).toContainEqual({
+        path: join(chromeBase, 'Default', 'Cookies'),
+        accountType: 'work',
+      })
+    })
+
+    test('returns browser cookie paths on Windows', () => {
+      const winExtractor = new TeamsTokenExtractor('win32')
+      const paths = winExtractor.getBrowserCookiesPaths()
+
+      const localAppData = process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local')
+      const chromeBase = join(localAppData, 'Google', 'Chrome', 'User Data')
+      expect(paths).toContainEqual({
+        path: join(chromeBase, 'Default', 'Cookies'),
+        accountType: 'work',
+      })
+    })
+
+    test('returns empty array for unsupported platform', () => {
+      const unsupportedExtractor = new TeamsTokenExtractor('freebsd' as NodeJS.Platform)
+      expect(unsupportedExtractor.getBrowserCookiesPaths()).toEqual([])
+    })
+
+    test('all browser paths have accountType work', () => {
+      const darwinExtractor = new TeamsTokenExtractor('darwin')
+      const paths = darwinExtractor.getBrowserCookiesPaths()
+      expect(paths.every((p) => p.accountType === 'work')).toBe(true)
+    })
+  })
+
+  describe('getTeamsCookiesPaths', () => {
+    test('returns darwin paths on macOS with desktop paths first', () => {
+      const darwinExtractor = new TeamsTokenExtractor('darwin')
+      const paths = darwinExtractor.getTeamsCookiesPaths()
+      const desktopPaths = darwinExtractor.getDesktopCookiesPaths()
+
+      expect(paths.slice(0, desktopPaths.length)).toEqual(desktopPaths)
+    })
+
+    test('browser paths come after desktop paths on macOS', () => {
+      const darwinExtractor = new TeamsTokenExtractor('darwin')
+      const paths = darwinExtractor.getTeamsCookiesPaths()
+      const desktopPaths = darwinExtractor.getDesktopCookiesPaths()
+      const browserPaths = darwinExtractor.getBrowserCookiesPaths()
+
+      expect(paths.length).toBe(desktopPaths.length + browserPaths.length)
+      expect(paths.slice(desktopPaths.length)).toEqual(browserPaths)
+    })
+
+    test('returns linux paths with desktop first then browser paths', () => {
+      const linuxExtractor = new TeamsTokenExtractor('linux')
+      const paths = linuxExtractor.getTeamsCookiesPaths()
+      const desktopPaths = linuxExtractor.getDesktopCookiesPaths()
+
+      expect(paths.slice(0, 1)).toEqual([
+        {
+          path: join(homedir(), '.config', 'Microsoft', 'Microsoft Teams', 'Cookies'),
+          accountType: 'work',
+        },
+      ])
+      expect(paths.length).toBeGreaterThan(desktopPaths.length)
+    })
+
+    test('returns win32 paths with desktop first then browser paths', () => {
+      const winExtractor = new TeamsTokenExtractor('win32')
+      const paths = winExtractor.getTeamsCookiesPaths()
+      const desktopPaths = winExtractor.getDesktopCookiesPaths()
+
+      expect(paths.slice(0, desktopPaths.length)).toEqual(desktopPaths)
+      expect(paths.length).toBeGreaterThan(desktopPaths.length)
+    })
+
     test('returns empty array for unsupported platform', () => {
       const unsupportedExtractor = new TeamsTokenExtractor('freebsd' as NodeJS.Platform)
       const paths = unsupportedExtractor.getTeamsCookiesPaths()
@@ -176,18 +275,38 @@ describe('TeamsTokenExtractor', () => {
   })
 
   describe('getKeychainVariants', () => {
-    test('returns keychain variants for macOS', () => {
+    test('includes Teams-specific keychain entries', () => {
       const macExtractor = new TeamsTokenExtractor('darwin')
+      const variants = macExtractor.getKeychainVariants()
 
-      expect(macExtractor.getKeychainVariants()).toEqual([
-        { service: 'Microsoft Teams Safe Storage', account: 'Microsoft Teams' },
-        {
-          service: 'Microsoft Teams (work or school) Safe Storage',
-          account: 'Microsoft Teams (work or school)',
-        },
-        { service: 'Microsoft Edge Safe Storage', account: 'Microsoft Edge' },
-        { service: 'Teams Safe Storage', account: 'Teams' },
-      ])
+      expect(variants).toContainEqual({ service: 'Microsoft Teams Safe Storage', account: 'Microsoft Teams' })
+      expect(variants).toContainEqual({
+        service: 'Microsoft Teams (work or school) Safe Storage',
+        account: 'Microsoft Teams (work or school)',
+      })
+      expect(variants).toContainEqual({ service: 'Microsoft Edge Safe Storage', account: 'Microsoft Edge' })
+      expect(variants).toContainEqual({ service: 'Teams Safe Storage', account: 'Teams' })
+    })
+
+    test('includes browser keychain entries appended after Teams entries', () => {
+      const macExtractor = new TeamsTokenExtractor('darwin')
+      const variants = macExtractor.getKeychainVariants()
+
+      expect(variants).toContainEqual({ service: 'Chrome Safe Storage', account: 'Chrome' })
+      expect(variants).toContainEqual({ service: 'Chrome Canary Safe Storage', account: 'Chrome Canary' })
+      expect(variants).toContainEqual({ service: 'Arc Safe Storage', account: 'Arc' })
+      expect(variants).toContainEqual({ service: 'Brave Safe Storage', account: 'Brave' })
+      expect(variants).toContainEqual({ service: 'Vivaldi Safe Storage', account: 'Vivaldi' })
+      expect(variants).toContainEqual({ service: 'Chromium Safe Storage', account: 'Chromium' })
+    })
+
+    test('Teams entries come before browser entries', () => {
+      const macExtractor = new TeamsTokenExtractor('darwin')
+      const variants = macExtractor.getKeychainVariants()
+
+      const teamsIdx = variants.findIndex((v) => v.service === 'Microsoft Teams Safe Storage')
+      const chromeIdx = variants.findIndex((v) => v.service === 'Chrome Safe Storage')
+      expect(teamsIdx).toBeLessThan(chromeIdx)
     })
   })
 

package/src/platforms/teams/token-extractor.ts

@@ -1,6 +1,6 @@
 import { execSync } from 'node:child_process'
 import { createDecipheriv, pbkdf2Sync } from 'node:crypto'
-import { copyFileSync, existsSync, readFileSync, unlinkSync } from 'node:fs'
+import { copyFileSync, existsSync, readFileSync, readdirSync, unlinkSync } from 'node:fs'
 import { createRequire } from 'node:module'
 import { homedir, tmpdir } from 'node:os'
 import { join } from 'node:path'
@@ -26,6 +26,13 @@ interface KeychainVariant {
   account: string
 }
 
+interface BrowserConfig {
+  name: string
+  darwin: string
+  linux: string
+  win32: string
+}
+
 const TEAMS_PROCESS_NAMES: Record<string, string> = {
   darwin: 'Microsoft Teams',
   win32: 'Teams.exe',
@@ -41,6 +48,51 @@ const TEAMS_HOST_PATTERNS = [
   '.microsoft.com',
 ]
 
+const BROWSERS: BrowserConfig[] = [
+  {
+    name: 'Chrome',
+    darwin: join('Google', 'Chrome'),
+    linux: 'google-chrome',
+    win32: join('Google', 'Chrome', 'User Data'),
+  },
+  {
+    name: 'Chrome Canary',
+    darwin: join('Google', 'Chrome Canary'),
+    linux: 'google-chrome-unstable',
+    win32: join('Google', 'Chrome SxS', 'User Data'),
+  },
+  {
+    name: 'Edge',
+    darwin: 'Microsoft Edge',
+    linux: 'microsoft-edge',
+    win32: join('Microsoft', 'Edge', 'User Data'),
+  },
+  {
+    name: 'Arc',
+    darwin: join('Arc', 'User Data'),
+    linux: '',
+    win32: join('Arc', 'User Data'),
+  },
+  {
+    name: 'Brave',
+    darwin: join('BraveSoftware', 'Brave-Browser'),
+    linux: join('BraveSoftware', 'Brave-Browser'),
+    win32: join('BraveSoftware', 'Brave-Browser', 'User Data'),
+  },
+  {
+    name: 'Vivaldi',
+    darwin: 'Vivaldi',
+    linux: 'vivaldi',
+    win32: join('Vivaldi', 'User Data'),
+  },
+  {
+    name: 'Chromium',
+    darwin: 'Chromium',
+    linux: 'chromium',
+    win32: join('Chromium', 'User Data'),
+  },
+]
+
 export class TeamsTokenExtractor {
   private platform: NodeJS.Platform
   private keyCache: DerivedKeyCache
@@ -51,7 +103,7 @@ export class TeamsTokenExtractor {
     this.keyCache = keyCache ?? new DerivedKeyCache()
   }
 
-  getTeamsCookiesPaths(): TeamsCookiePath[] {
+  getDesktopCookiesPaths(): TeamsCookiePath[] {
     switch (this.platform) {
       case 'darwin': {
         const ebWebViewBase = join(
@@ -107,6 +159,83 @@ export class TeamsTokenExtractor {
     }
   }
 
+  getBrowserCookiesPaths(): TeamsCookiePath[] {
+    const paths: TeamsCookiePath[] = []
+
+    for (const browser of BROWSERS) {
+      const browserBase = this.getBrowserBasePath(browser)
+      if (!browserBase) continue
+
+      const profileDirs = this.discoverProfileDirs(browserBase)
+      for (const profileDir of profileDirs) {
+        paths.push({ path: join(profileDir, 'Cookies'), accountType: 'work' })
+        paths.push({ path: join(profileDir, 'Network', 'Cookies'), accountType: 'work' })
+      }
+    }
+
+    return paths
+  }
+
+  getTeamsCookiesPaths(): TeamsCookiePath[] {
+    const desktopPaths = this.getDesktopCookiesPaths()
+    const browserPaths = this.getBrowserCookiesPaths()
+    return [...desktopPaths, ...browserPaths]
+  }
+
+  private getBrowserBasePath(browser: BrowserConfig): string | null {
+    let relative: string
+
+    switch (this.platform) {
+      case 'darwin':
+        relative = browser.darwin
+        if (!relative) return null
+        return join(homedir(), 'Library', 'Application Support', relative)
+      case 'linux':
+        relative = browser.linux
+        if (!relative) return null
+        return join(homedir(), '.config', relative)
+      case 'win32':
+        relative = browser.win32
+        if (!relative) return null
+        return join(
+          process.env.LOCALAPPDATA || join(homedir(), 'AppData', 'Local'),
+          relative,
+        )
+      default:
+        return null
+    }
+  }
+
+  private discoverProfileDirs(browserBase: string): string[] {
+    const dirs: string[] = []
+
+    dirs.push(join(browserBase, 'Default'))
+
+    if (!existsSync(browserBase)) return dirs
+
+    try {
+      const entries = readdirSync(browserBase, { withFileTypes: true })
+      for (const entry of entries) {
+        if (!entry.isDirectory()) continue
+        if (!/^Profile \d+$/i.test(entry.name)) continue
+        dirs.push(join(browserBase, entry.name))
+      }
+    } catch {}
+
+    return dirs
+  }
+
+  private findLocalStateForCookiePath(cookiePath: string): string | null {
+    const parts = cookiePath.split(/[/\\]/)
+    for (let levels = 2; levels <= 4; levels++) {
+      if (parts.length < levels) break
+      const base = parts.slice(0, parts.length - levels).join('/')
+      const candidate = join(base, 'Local State')
+      if (existsSync(candidate)) return candidate
+    }
+    return null
+  }
+
   getLocalStatePath(): string {
     switch (this.platform) {
       case 'darwin':
@@ -136,17 +265,21 @@ export class TeamsTokenExtractor {
 
   getKeychainVariants(): KeychainVariant[] {
     return [
-      // New Teams (com.microsoft.teams2) keychain entry - try first
+      // Teams-specific keychain entries
       { service: 'Microsoft Teams Safe Storage', account: 'Microsoft Teams' },
-      // Work/school variant
       {
         service: 'Microsoft Teams (work or school) Safe Storage',
         account: 'Microsoft Teams (work or school)',
       },
-      // Edge WebView2 fallback
       { service: 'Microsoft Edge Safe Storage', account: 'Microsoft Edge' },
-      // Classic Teams fallback
       { service: 'Teams Safe Storage', account: 'Teams' },
+      // Browser keychain entries for fallback
+      { service: 'Chrome Safe Storage', account: 'Chrome' },
+      { service: 'Chrome Canary Safe Storage', account: 'Chrome Canary' },
+      { service: 'Arc Safe Storage', account: 'Arc' },
+      { service: 'Brave Safe Storage', account: 'Brave' },
+      { service: 'Vivaldi Safe Storage', account: 'Vivaldi' },
+      { service: 'Chromium Safe Storage', account: 'Chromium' },
     ]
   }
 
@@ -206,7 +339,13 @@ export class TeamsTokenExtractor {
 
     try {
       this.copyDatabaseToTemp(dbPath, tempPath)
-      const token = await this.extractFromSQLite(tempPath)
+      // For Windows: find the Local State relative to the cookie path so browser cookies
+      // use the browser's own Local State instead of the Teams app Local State.
+      const localStatePath =
+        this.platform === 'win32'
+          ? (this.findLocalStateForCookiePath(dbPath) ?? this.getLocalStatePath())
+          : undefined
+      const token = await this.extractFromSQLite(tempPath, localStatePath)
       this.cleanupTempFile(tempPath)
       return token
     } catch {
@@ -230,7 +369,7 @@ export class TeamsTokenExtractor {
     }
   }
 
-  private async extractFromSQLite(dbPath: string): Promise<string | null> {
+  private async extractFromSQLite(dbPath: string, localStatePath?: string): Promise<string | null> {
     try {
       for (const hostPattern of TEAMS_HOST_PATTERNS) {
         const sql = `
@@ -257,7 +396,7 @@ export class TeamsTokenExtractor {
         }
 
         if (row?.encrypted_value) {
-          const decrypted = this.decryptCookie(Buffer.from(row.encrypted_value))
+          const decrypted = this.decryptCookie(Buffer.from(row.encrypted_value), localStatePath)
           if (decrypted && this.isValidSkypeToken(decrypted)) {
             return decrypted
           }
@@ -270,14 +409,14 @@ export class TeamsTokenExtractor {
     }
   }
 
-  private decryptCookie(encryptedValue: Buffer): string | null {
+  private decryptCookie(encryptedValue: Buffer, localStatePath?: string): string | null {
     if (!this.isEncryptedValue(encryptedValue)) {
       // Not encrypted, return as-is
       return encryptedValue.toString('utf8')
     }
 
     if (this.platform === 'win32') {
-      return this.decryptWindowsCookie(encryptedValue)
+      return this.decryptWindowsCookie(encryptedValue, localStatePath)
     } else if (this.platform === 'darwin') {
       return this.decryptMacCookie(encryptedValue)
     } else if (this.platform === 'linux') {
@@ -287,12 +426,12 @@ export class TeamsTokenExtractor {
     return null
   }
 
-  private decryptWindowsCookie(encryptedData: Buffer): string | null {
+  private decryptWindowsCookie(encryptedData: Buffer, localStatePath?: string): string | null {
     try {
-      const localStatePath = this.getLocalStatePath()
-      if (!existsSync(localStatePath)) return null
+      const statePath = localStatePath ?? this.getLocalStatePath()
+      if (!existsSync(statePath)) return null
 
-      const localState = JSON.parse(readFileSync(localStatePath, 'utf8'))
+      const localState = JSON.parse(readFileSync(statePath, 'utf8'))
       const encryptedKey = Buffer.from(localState.os_crypt.encrypted_key, 'base64')
 
       // Remove DPAPI prefix (5 bytes)
@@ -329,16 +468,20 @@ export class TeamsTokenExtractor {
       if (decrypted) return decrypted
     }
 
-    const password = this.getKeychainPassword()
-    if (!password) return null
-
-    const key = pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1')
-    const decrypted = this.decryptAESCBC(encryptedData, key)
-    if (decrypted) {
-      this.cachedKey = key
-      this.keyCache.set('teams', key).catch(() => {})
+    for (const variant of this.getKeychainVariants()) {
+      const password = this.execSecurityCommand(variant.service, variant.account)
+      if (!password) continue
+
+      const key = pbkdf2Sync(password, 'saltysalt', 1003, 16, 'sha1')
+      const decrypted = this.decryptAESCBC(encryptedData, key)
+      if (decrypted) {
+        this.cachedKey = key
+        this.keyCache.set('teams', key).catch(() => {})
+        return decrypted
+      }
     }
-    return decrypted
+
+    return null
   }
 
   private decryptLinuxCookie(encryptedData: Buffer): string | null {
@@ -348,13 +491,10 @@ export class TeamsTokenExtractor {
   }
 
   private getKeychainPassword(): string | null {
-    const variants = this.getKeychainVariants()
-
-    for (const variant of variants) {
+    for (const variant of this.getKeychainVariants()) {
       const password = this.execSecurityCommand(variant.service, variant.account)
       if (password) return password
     }
-
     return null
   }
 
@@ -363,9 +503,10 @@ export class TeamsTokenExtractor {
       // Escape double quotes in service/account to prevent command injection
       const safeService = service.replace(/"/g, '\\"')
       const safeAccount = account.replace(/"/g, '\\"')
-      const result = execSync(`security find-generic-password -s "${safeService}" -a "${safeAccount}" -w 2>/dev/null`, {
-        encoding: 'utf8',
-      })
+      const result = execSync(
+        `security find-generic-password -s "${safeService}" -a "${safeAccount}" -w 2>/dev/null`,
+        { encoding: 'utf8' },
+      )
       return result.trim()
     } catch {
       return null
@@ -381,6 +522,16 @@ export class TeamsTokenExtractor {
       decipher.setAutoPadding(true)
 
       const decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()])
+
+      // Chromium v130+ prepends a 32-byte integrity hash before the actual cookie value.
+      // Detect by checking if the first bytes contain non-printable characters.
+      if (decrypted.length > 32) {
+        const hasNonPrintablePrefix = decrypted.subarray(0, 32).some((b) => b < 0x20 || b > 0x7e)
+        if (hasNonPrintablePrefix) {
+          return decrypted.subarray(32).toString('utf8')
+        }
+      }
+
       const decryptedStr = decrypted.toString('utf8')
 
       // Chromium v24+ prepends a 32-byte integrity hash before the actual value