PointsPath: headed Playwright login + --from-chrome import#6
Merged
Conversation
Solves the auth-rotation race that's been derailing PP work all session.
Until now the only login path was --tokens-file pointing at a manually-
captured JSON of Supabase cookies. Two new modes that share the same
underlying cookie-reassembly logic:
default (no flag) — Playwright headed Chromium. User logs in normally;
CLI captures the resulting Supabase session. This is
the recommended path: independent server-side
session, so Chrome PP can stay logged in elsewhere
and neither side races the other's refresh chain.
Optional extra: `flight-cli[browser-login]`.
--from-chrome — rookiepy reads cookies from a local Chrome profile.
Quicker (no re-login) but the CLI inherits Chrome's
refresh chain. Supabase rotates single-use, so a
refresh on one side eventually invalidates the
other. Convenience for one-shot use; the default is
the right pick for stability.
Mode shape modeled on krisp-cli (OAuth PKCE — CLI owns its token chain)
and pplx (`auth import --browser X` via rookiepy). Both established
precedents for CLI auth in the broader skill ecosystem.
Shared `tokens_from_supabase_cookies()` helper in pp/auth.py funnels
all three paths. Reassembles `sb-<ref>-auth-token.0/.1` cookies,
handles raw JSON and `base64-` prefix, ignores the `-code-verifier`
PKCE cookie, falls back to JWT `exp` claim when payload lacks
`expires_at`. Seven new unit tests pin the behavior with synthetic
cookies + a fake rookiepy.
Three modes are mutually exclusive; supplying more than one is a clean
typer.BadParameter exit. Missing playwright import → clear "install
with X" error pointing to the optional extra.
Closes work-k93b.
…g install The previous setup section pushed users toward `uv pip install -e '.[browser-login]'` — which mutates flight-cli's project venv just to add an interactive-login dep. Most users would rather inject playwright at run-time and leave the venv alone. New pattern (recommended): # One-time, global (browser cached at ~/Library/Caches/ms-playwright): uvx --from playwright playwright install chromium # Per-invocation, ephemeral: uv run --with playwright flight auth pp login The optional extra is still defined for users who DO want playwright resident, but it's no longer the primary path. Updated `--help` docstring, README, and the missing-playwright ImportError message.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the auth-rotation race that's been derailing PP work this session. Today's only login path is
--tokens-file ~/Downloads/pp_tokens.json— manually captured JSON. This PR adds two new modes that share the same underlying Supabase-cookie reassembly:--from-chromerookiepyreads cookies from a local Chrome profile--tokens-file PATHPattern is modeled on real precedents in the broader skill ecosystem:
auth import --browser XviarookiepyPP doesn't expose OAuth, so we get the same "independent token chain" property via Playwright-driven login instead.
Implementation
Shared
tokens_from_supabase_cookies()inpp/auth.pyfunnels all three modes. Reassemblessb-<ref>-auth-token.0/.1cookies, handles raw JSON andbase64-prefix, ignores the-code-verifierPKCE cookie, falls back to JWTexpclaim when payload lacksexpires_at.Three modes are mutually exclusive; multiple →
typer.BadParameter. Missing playwright import → clear install instructions pointing to thebrowser-loginoptional extra.rookiepyis a regular dep (small package, useful surface).playwrightis an optional extra (flight-cli[browser-login]) — the package itself is small, butplaywright install chromiumis ~150MB and non-PP users shouldn't pay that.Closes
work-k93b.Test plan
make check(ruff lint + format + basedpyright strict + pytest) — all greentests/pp/test_auth_login.py).0+.1cookies, raw JSON payload, single unsplit cookie, PKCE verifier ignored, no-cookies error path, JWT-expexpiry fallback, rookiepy plumbing scoped to pointspath.comflight auth pp login --helprenders all three modes cleanly