unbrowse 2.8.1 → 2.8.3

package/dist/cli.js

@@ -6116,6 +6116,10 @@ async function interactiveLogin(url, domain) {
     const vaultKey = `auth:${getRegistrableDomain(targetDomain)}`;
     await storeCredential(vaultKey, JSON.stringify({ cookies: storableCookies }));
     log("auth", `stored ${storableCookies.length} cookies under ${vaultKey}`);
+    try {
+      await authProfileSave(tabId, targetDomain.replace(/^www\./, ""));
+      log("auth", `saved Kuri auth profile for ${targetDomain}`);
+    } catch {}
     return { success: true, domain: targetDomain, cookies_stored: storableCookies.length };
   } finally {
     if (prevHeadless !== undefined)
@@ -11157,12 +11161,11 @@ async function executeEndpoint(skill, endpoint, params = {}, projection, options
         return `${c.name}=${v}`;
       }).join("; ");
       headers["cookie"] = cookieStr;
-      if (!headers["x-csrf-token"] && !headers["x-xsrf-token"]) {
-        const csrfCookie = cookies.find((c) => /^(ct0|csrf_token|_csrf|csrftoken|XSRF-TOKEN|_xsrf)$/i.test(c.name));
-        if (csrfCookie) {
-          const v = csrfCookie.value.startsWith('"') && csrfCookie.value.endsWith('"') ? csrfCookie.value.slice(1, -1) : csrfCookie.value;
-          headers["x-csrf-token"] = v;
-        }
+      const csrfCookie = cookies.find((c) => /^(ct0|csrf_token|_csrf|csrftoken|XSRF-TOKEN|_xsrf)$/i.test(c.name));
+      if (csrfCookie) {
+        const v = csrfCookie.value.startsWith(") && csrfCookie.value.endsWith(") ? csrfCookie.value.slice(1, -1) : csrfCookie.value;
+        headers["x-csrf-token"] = v;
+        headers["x-xsrf-token"] = v;
       }
     }
     if (endpoint.csrf_plan && cookies.length > 0) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "unbrowse",
-  "version": "2.8.1",
+  "version": "2.8.3",
   "description": "Reverse-engineer any website into reusable API skills. Zero-dep single binary with embedded browser engine.",
   "type": "module",
   "bin": {

package/runtime-src/auth/index.ts

@@ -142,6 +142,12 @@ export async function interactiveLogin(
     await storeCredential(vaultKey, JSON.stringify({ cookies: storableCookies }));
     log("auth", `stored ${storableCookies.length} cookies under ${vaultKey}`);
 
+    // Also save as Kuri auth profile so browse commands (go/snap/click) have auth
+    try {
+      await kuri.authProfileSave(tabId, targetDomain.replace(/^www\./, ""));
+      log("auth", `saved Kuri auth profile for ${targetDomain}`);
+    } catch { /* non-fatal — Kuri auth profile save is best-effort */ }
+
     return { success: true, domain: targetDomain, cookies_stored: storableCookies.length };
   } finally {
     // Restore headless setting so subsequent captures run headless

package/runtime-src/execution/index.ts

@@ -1880,15 +1880,15 @@ export async function executeEndpoint(
       headers["cookie"] = cookieStr;
 
       // CSRF token auto-detection (bird pattern): many sites require CSRF tokens
-      // as both a cookie AND a header. Detect common patterns and replay them.
-      if (!headers["x-csrf-token"] && !headers["x-xsrf-token"]) {
-        const csrfCookie = cookies.find((c) =>
-          /^(ct0|csrf_token|_csrf|csrftoken|XSRF-TOKEN|_xsrf)$/i.test(c.name)
-        );
-        if (csrfCookie) {
-          const v = csrfCookie.value.startsWith('"') && csrfCookie.value.endsWith('"') ? csrfCookie.value.slice(1, -1) : csrfCookie.value;
-          headers["x-csrf-token"] = v;
-        }
+      // as both a cookie AND a header. The cookie value is always fresher than
+      // any stored vault header, so it ALWAYS overrides.
+      const csrfCookie = cookies.find((c) =>
+        /^(ct0|csrf_token|_csrf|csrftoken|XSRF-TOKEN|_xsrf)$/i.test(c.name)
+      );
+      if (csrfCookie) {
+        const v = csrfCookie.value.startsWith(') && csrfCookie.value.endsWith(') ? csrfCookie.value.slice(1, -1) : csrfCookie.value;
+        headers["x-csrf-token"] = v;
+        headers["x-xsrf-token"] = v;
       }
     }