bertrandom / chrome-cookies-secure Goto Github PK

Extract encrypted Google Chrome cookies for a url on a Mac or Linux

Home Page: https://www.npmjs.com/package/chrome-cookies-secure

License: MIT License

JavaScript 100.00%

chrome-cookies-secure's Introduction

Selfie

Created for the SFMoMA Art+Data day. This application will show an image from an item in the SFMoMA collection and will place it next to a rapidly changing set of Flickr photos with that work as a subject. This will fail if no photo is returned from the SFMoMA API. Also, the photos on the right will not show up until they are all loaded. At this point there is no loading indicator.

To Install

npm install

Configure

Copy config/default.json to config/local.json.

Apply for a Flickr API key and put it in the config file. Also put the HTTP Basic Auth credentials for the SFMOMA API in the config file.

Start the app

node app

chrome-cookies-secure's People

Contributors

Stargazers

Watchers

chrome-cookies-secure's Issues

Sqlite not working on Ubuntu 18.04

Error:

[Error: SQLITE_CANTOPEN: unable to open database file
Emitted 'error' event on Database instance at:
]

Steps to reproduce:

npm init -y && npm i -S chrome-cookies-secure

echo "const chrome = require('chrome-cookies-secure'); \
const url = 'https://wallapop.com/'; \
chrome.getCookies(url, function (err, cookies) { \
    console.log(cookies); \
}); " > index.js

node index.js

Versions:
Ubuntu 18.04.1 (Virtual Machine)
Node.js v14.17.4 (also tried with v16.3.0)

Extra info:
I also tried on Mac OS 10.14 and it worked fine

Does not work with localhost

Doesn't work with localhost domains. I assume this is some kind of security thing?

Is there anyway to grab the localhost cookies, and if so is there any plans to implement it?

Error running through SSH

chrome-cookies-secure is very helpful ;-) thanks for that

The following code works just fine on MacOS:

const chrome = require('chrome-cookies-secure');
chrome.getCookies('https://www.google.com/', function(err, cookies) {
        console.log(cookies);
});

but running it through SSH I get the following error:

node:internal/process/promises:289
            triggerUncaughtException(err, true /* fromPromise */);
            ^

[Error: User interaction is not allowed.]

Node.js v19.2.0

Keychain access to "Chrome Safe Storage" is set to "Allow all applications to access this item"

Any idea?

Add a typescript definition file

Add a typescript definition file, so we can get type inference supported by VSCode.

Chrome 114 "Lock profile cookie files on disk"

Chrome 114 introduces "Lock profile cookie files on disk" which breaks chrome-cookies-secure
[Error: SQLITE_CANTOPEN: unable to open database file Emitted 'error' event on Database instance at:]
{ errno: 14, code: 'SQLITE_CANTOPEN' }

After a clean install it says "Cannot find module 'keytar'"

npm i chrome-cookies-secure

The version is the latest, at the moment: 1.3.3

const cookies = await chrome.getCookiesPromised(url, 'puppeteer', 'Default');

Throws error

Error: Cannot find module 'keytar'
Require stack:

/Users/.../node_modules/chrome-cookies-secure/index.js

Cannot find module 'win-dpapi'

I'm uisng this package with puppeteer.

This is package.json file:

{
  "name": "cookie-puppeteer",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "chrome-cookies-secure": "^2.1.1",
    "puppeteer": "^21.6.1",
    "puppeteer-extra": "^3.3.6",
    "puppeteer-extra-plugin-stealth": "^2.11.2"
  }
}

And this is my code from sample:

const chrome = require('chrome-cookies-secure');
const puppeteer = require('puppeteer-extra');
const StealthPlugin = require('puppeteer-extra-plugin-stealth');

puppeteer.use(StealthPlugin());

const url = 'https://nowsecure.nl/';


const getCookies = (callback) => {
    chrome.getCookies(url, 'puppeteer', function (err, cookies) {
        if (err) {
            console.log(err, 'error');
            return
        }
        console.log(cookies, 'cookies');
        callback(cookies);
    }, 'yourProfile') // e.g. 'Profile 2'
};

getCookies(async (cookies) => {
    const browser = await puppeteer.launch({
        headless: false
    });
    const page = (await browser.pages())[0];

    await page.setCookie(...cookies);
    await page.goto(url);
    // await page.waitFor(1000);
    // browser.close(); //You missed await for this line but in my case I do not want to close browser so it is commented
});

And I have this error:

Uncaught Error: Cannot find module 'win-dpapi'
Module._resolveFilename loader:1144
Module._load loader:985
Module.require loader:1235
require helpers:176
getDerivedKey index.js:72
getCookies index.js:368
getCookies index.js:11
(anonymous function) index.js:21
Module._compile loader:1376
Module._extensions..js loader:1435
Module.load loader:1207
Module._load loader:1023
executeUserEntryPoint run_main:135
(anonymous function) run_main_module:28

index.js from `node-modules/chrome-cookies-secure/index.js:

.
.
.
	} else if (process.platform === 'linux') {

		chromePassword = 'peanuts';
		crypto.pbkdf2(chromePassword, SALT, ITERATIONS, KEYLENGTH, 'sha1', callback);

	} else if (process.platform === 'win32') {

		// On Windows, the crypto is managed entirely by the OS.  We never see the keys.
		dpapi = require('win-dpapi'); //line 72
		callback(null, null);
	}
.
.
.

line 368:

.
.
.

	getDerivedKey(function (err, derivedKey) { //line 368

		if (err) {
			return callback(err);
		}
.
.
.

Cookies Database Moving in Chrome 96

https://dfir.blog/cookies-database-moving-in-chrome-96/

The reason for this change is to enable sandboxing of Chrome's network service, so it can only access files on the file system that it needs. This would make it so any compromised network service can't access other files in the user's profile directory. Because of how ACLs work on Windows, to accomplish this the files needed by network services have moved from the user's profile directory to a Network subdirectory.

so there should be a cookie db detect or let user provide the path?

for now , we could pass '{the profile name}/Network' as profile parameter to bypass this issue

Support for custom configs and allowing Chromium/Blink browsers

This tool is extremely useful but my ideal use case would let me import cookies from Brave. Naturally, the sprawl of Chromium-based browsers is pretty wide so an ideal path for this might just be reorganizing the api to allow for custom paths like:

const chromeish = require('chrome-cookies-secure');

const options = {
  format: 'curl',
  profile: 'Default',
  path: '/Library/Application Support/BraveSoftware/Brave-Browser',
  // Or override home path with fullPath
}
chromeish.getCookies('https://foo.com/', options, console.log);

An API structure like this would be ideal and it should be easy to maintain backwards compatibility. I may fork this project in a few weeks for my use case. Thanks!

Crashing on require

Just installed this and added to the top of my file

const chrome = require('chrome-cookies-secure')

and I'm getting the following error

Cannot install keytar module and weird error

It's failing in Ubuntu 12.04 with the following error:

> [email protected] install /home/demian/www/projects/iatsqueue/node_modules/chrome-cookies-secure/node_modules/keytar
> node-gyp rebuild

Package gnome-keyring-1 was not found in the pkg-config search path.
Perhaps you should add the directory containing `gnome-keyring-1.pc'
to the PKG_CONFIG_PATH environment variable
No package 'gnome-keyring-1' found
gyp: Call to 'pkg-config --libs-only-l gnome-keyring-1' returned exit status 1. while trying to load binding.gyp
gyp ERR! configure error 
gyp ERR! stack Error: `gyp` failed with exit code: 1
gyp ERR! stack     at ChildProcess.onCpExit (/usr/lib/node_modules/npm/node_modules/node-gyp/lib/configure.js:343:16)
gyp ERR! stack     at ChildProcess.emit (events.js:98:17)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (child_process.js:810:12)
gyp ERR! System Linux 3.13.0-43-generic
gyp ERR! command "node" "/usr/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /home/demian/www/projects/iatsqueue/node_modules/chrome-cookies-secure/node_modules/keytar
gyp ERR! node -v v0.10.33
gyp ERR! node-gyp -v v1.0.1
gyp ERR! not ok 
npm WARN optional dep failed, continuing [email protected]

What can I do?

Also I'm getting this error:

crypto.js:323
  var ret = this._binding.final();
                          ^
TypeError: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length
    at Decipheriv.Cipher.final (crypto.js:323:27)
    at decrypt (/home/demian/www/projects/iatsqueue/node_modules/chrome-cookies-secure/index.js:45:22)
    at Statement.db.each.host (/home/demian/www/projects/iatsqueue/node_modules/chrome-cookies-secure/index.js:242:21)

fail: unable to open database file

Hi everyone. The profile for test has been checked by manually opening chrome, but the code provided by readme.md keeps issuing the error 'unable to open database file'.
I am on windows 10 x64, chrome 80.0.3987.149 (Official Build) (64-bit) (cohort: 80_149_Win), Node v12.16.1, and npm 6.13.4.
Here is the code for test:

const chrome = require('chrome-cookies-secure');
const puppeteer = require('puppeteer-core');

const url = 'https://www.hostloc.com/forum.php';

const getCookies = (callback) => {
    chrome.getCookies(url, 'puppeteer', function(err, cookies) {
        if (err) {
            console.log(err, 'error');
            return
        }
        console.log(cookies, 'cookies');
        callback(cookies);
    }, 
    './UserData2')  // Absolute path has been also tested.
}

getCookies(async (cookies) => {
    const browser = await puppeteer.launch({ 
        headless: false
    });
    const page = await browser.newPage();

    await page.setCookie(...cookies);
    await page.goto(url);
    await page.waitFor(1000);
    browser.close();
});

The errors issued:

events.js:288
      throw er; // Unhandled 'error' event
      ^
[Error: SQLITE_CANTOPEN: unable to open database file
Emitted 'error' event on Database instance at:
] {
  errno: 14,
  code: 'SQLITE_CANTOPEN'
}

Unable to build on Linux with Webpack

Attempting to webpack a project that uses this package. I get the win-dpapi error, and a lot of other confusing errors. When I attempt to just install win-dpapi, it tells me it can't because I'm on Linux.

ERROR in ./node_modules/chrome-cookies-secure/index.js 72:10-30
Module not found: Error: Can't resolve 'win-dpapi' in 'REDACTED/node_modules/chrome-cookies-secure'
resolve 'win-dpapi' in 'REDACTED/node_modules/chrome-cookies-secure'
  Parsed request is a module
  using description file: REDACTED/node_modules/chrome-cookies-secure/package.json (relative path: .)
    Field 'browser' doesn't contain a valid alias configuration
    resolve as module
      REDACTED/node_modules/chrome-cookies-secure/node_modules doesn't exist or is not a directory
      REDACTED/node_modules/node_modules doesn't exist or is not a directory
      looking for modules in REDACTED/node_modules
        single file module
          using description file: REDACTED/package.json (relative path: ./node_modules/win-dpapi)
            no extension
              Field 'browser' doesn't contain a valid alias configuration
              REDACTED/node_modules/win-dpapi doesn't exist
            .ts
              Field 'browser' doesn't contain a valid alias configuration
              REDACTED/node_modules/win-dpapi.ts doesn't exist
            .js
              Field 'browser' doesn't contain a valid alias configuration
              REDACTED/node_modules/win-dpapi.js doesn't exist
        REDACTED/node_modules/win-dpapi doesn't exist
      /home/mpanik/localhost/node_modules doesn't exist or is not a directory
      /home/mpanik/node_modules doesn't exist or is not a directory
      /home/node_modules doesn't exist or is not a directory
      /node_modules doesn't exist or is not a directory
 @ ./src/popup.js 3:22-54

Decryption failed. TODO: Error code

if i run:

chrome.getCookies('https://www.google.com.hk', function(err, cookies) {
  console.log(cookies)
})

i get

\node_modules\chrome-cookies-secure\index.js:314
cookie.value = dpapi.unprotectData(encryptedValue, null, 'CurrentUser').toString('utf-8');
^
Error: Decryption failed. TODO: Error code
at Statement. (d:\myCode\baiduAnswerPuppeteer\node_modules\chrome-cookies-secure\index.js:314:28)

browser: chrome 80.0.3987.87
How to solve this problem？？

Error on Crypto in Node >= 6

Hi, I'm getting this error in Node v8.1.4:

crypto.js:635
    throw new TypeError(
    ^

TypeError: The "digest" argument is required and must not be undefined
    at pbkdf2 (crypto.js:635:11)
    at Object.exports.pbkdf2 (crypto.js:623:10)
    at getDerivedKey (/.../node_modules/chrome-cookies-secure/index.js:88:9)
    at getCookies (/.../node_modules/chrome-cookies-secure/index.js:240:2)
    at Object.<anonymous> (/.../index.js:72:1)
    at Module._compile (module.js:569:30)
    at Object.Module._extensions..js (module.js:580:10)
    at Module.load (module.js:503:32)
    at tryModuleLoad (module.js:466:12)
    at Function.Module._load (module.js:458:3)

Seems like in Node v5 the digest param was optional, defaulting to sha1, and now is mandatory.

Upgrade sqlite3 version

The current version doesn't work with Node.js 10, when trying to install it you'll see—

node-pre-gyp ERR! not ok 
[...]
In file included from ../node_modules/nan/nan.h:192:
../node_modules/nan/nan_maybe_43_inl.h:112:15: error: no member named 'ForceSet' in 'v8::Object'
  return obj->ForceSet(isolate->GetCurrentContext(), key, value, attribs);
[...]
8 warnings and 1 error generated.

nan is a dependency of sqlite3

fails on google

If I run this:

chrome.getCookies('http://google.com', function(err, cookies) {
console.log(cookies);
});

I get only SID and NID and not HSID and SSID (which are there)

any clues?

Doesn't work for Apple M1 (or M2) based machines

Linux support?

Can you make it work on Linux please? Is it just the file path or any other twisted logic is needed?
Thanks.

Need help understanding how to decrypt for Chromium

I looked through the Chromium source code and I think this is the relevant section:
https://github.com/chromium/chromium/blob/dc778ef2640dfd02ee7a896b92cd72e8f6d5cdf1/components/os_crypt/os_crypt_mac.mm#L35

// Salt for Symmetric key derivation.
constexpr char kSalt[] = "saltysalt";

// Key size required for 128 bit AES.
constexpr size_t kDerivedKeySizeInBits = 128;

// Constant for Symmetic key derivation.
constexpr size_t kEncryptionIterations = 1003;

I tried updating your module to use 1003 iterations when loading the Chromium sqlite db but it doesn't appear to be decrypting correctly.
Searching the chromium source for DeriveKeyFromPasswordUsingPbkdf2 seems to hint a little bit of how it works.

Possibly related source code is persistent cookie store code here or in here.

Besides changing setting the path to support Chromium and trying different iteration values, I also made this change:

		keytar.getPassword('Chromium Safe Storage', 'Chromium').then(function(chromePassword) {
			crypto.pbkdf2(chromePassword, SALT, 1003, KEYLENGTH, 'sha1', callback);
		});

It returns the values but they're all garbled since they weren't decrypted correctly.

What else might I be missing?

OSX: Error: The user name or passphrase you entered is not correct.

When I start my node app, it immediately crashes with this error on OSX Monterey 12.5

node:internal/process/promises:279
            triggerUncaughtException(err, true /* fromPromise */);
            ^

[Error: The user name or passphrase you entered is not correct.]
error Command failed with exit code 1.

select all cookies?

Would like to have an option to get all the cookies out of the db. The strict domain validation you are using makes this impossible though so you cannot do something like 'http://_/test. Would be nice if it was more flexible.

No longer works on Linux with recent keyring changes

The password is no longer hardcoded on Linux when a keyring is available. This Python package has a bit more detail:

https://github.com/n8henrie/pycookiecheat#installation-notes-regarding-alternative-keyrings-on-linux

I figure you probably won't have time to fix it, but wanted to leave a note here in case others run into the issue. Needless to say, it will result in garbage cookie values.

sqlite3 forces native compilation in electron

https://stackoverflow.com/questions/32504307/how-to-use-sqlite3-module-with-electron

Decrypting some cookies results in RangeError

On decrypting cookies set by one particular site (Goodreads.com), I got the following error:

RangeError: out of range index
at RangeError (native)
at decrypt (node_modules/chrome-cookies-secure/index.js:59:8)
at Statement.db.each.host (node_modules/chrome-cookies-secure/index.js:268:21)

The offending line 59 is final.copy(decoded, decoded.length - 1);. Changing it to final.copy(decoded, decoded.length ? decoded.length - 1 : 0); (no longer assuming that the target buffer contains data) fixed the issue for me, though I don't know if that's the best solution.

Brave permissions

When I am using Chrome on MacOS, everything is good, the system asks me to grant permissions and I can see cookies properly.

However when I pass something like this
'/Users/' + process.env.USER + '/Library/Application Support/BraveSoftware/Brave-Browser/Default')

It still works, but I am not asked for permissions and the data returned looks unreadable, I guess it needs to be decrypted correctly.

Any solution?

No types file for chrome-cookies-secure

chrome-cookies-secure doesn't have a types file on @types/node

https://www.npmjs.com/package/@types/node

Can't fetch cookies on windows

It was working fine a couple days ago, but I tried again recently and it's returning no cookies for any domain on Windows. I tried the google example as well after updating the profile.

Some version info:
Google Chrome | 96.0.4664.93 (Official Build) (64-bit) (cohort: Stable)
Revision | 17531e0a70b4f8108f2418e8b5117f465077710b-refs/branch-heads/4664@{#1229}
OS | Windows 10 Version 21H1 (Build 19043.1348)

And I did notice the Cookies file is empty in the profile I'm checking, in another profile it doesn't exist at all.(I'm assuming it got created when I ran the example)