Fix MiMo Firefox session cookie import#1565
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ae2aec1db7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
44660db to
084a45a
Compare
|
Codex review: needs real behavior proof before merge. Reviewed July 5, 2026, 2:13 AM ET / 06:13 UTC. Summary Reproducibility: yes. at source level: current main imports MiMo Firefox cookies only through persisted SweetCookieKit rows and has no sessionstore recovery path, so session-only Firefox auth is not covered. I did not run live browser-cookie import because repository policy warns against unattended Keychain/browser-cookie probes. Review metrics: 2 noteworthy metrics.
Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Proof guidance:
Risk before merge
Maintainer options:
Next step before merge
Security Review detailsBest possible solution: Land the bounded Firefox sessionstore importer after redacted latest-head real Firefox proof shows usable MiMo session recovery, or after a maintainer explicitly accepts synthetic coverage for this auth-provider path. Do we have a high-confidence way to reproduce the issue? Yes at source level: current main imports MiMo Firefox cookies only through persisted SweetCookieKit rows and has no sessionstore recovery path, so session-only Firefox auth is not covered. I did not run live browser-cookie import because repository policy warns against unattended Keychain/browser-cookie probes. Is this the best way to solve the issue? Yes for the code direction: the bounded parser plus source-isolated replacement path is narrow, covered by focused tests, and matches the owner-stated behavior. It is not merge-ready until real latest-head auth-provider proof is provided or maintainers intentionally accept synthetic coverage. AGENTS.md: found and applied where relevant. Codex review notes: model internal, reasoning high; reviewed against f1de7006027e. Label changesLabel justifications:
Evidence reviewedWhat I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 924ccbb23d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
924ccbb to
ead2aab
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ead2aab576
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
ead2aab to
28c8728
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 28c8728bef
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
28f780a to
5239ca6
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 5239ca6b54
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| let sessionCookies = BrowserCookieClient.makeHTTPCookies(sessionRecords, origin: .domainBased) | ||
| guard MiMoCookieHeader.header(from: sessionCookies) != nil else { |
There was a problem hiding this comment.
Merge Firefox session cookies with persisted cookies
When Firefox has only one required MiMo cookie in the session restore and the other required cookie persisted in cookies.sqlite, this guard validates sessionRecords by themselves and then falls back to source alone. Since Firefox session restore only carries session cookies, a real browser request can be split across the restore file and the persisted store; in that case CodexBar drops the recovered session cookie and reports no valid MiMo login even though Firefox would send both cookies. Validate/return the merged source.records + sessionRecords set, with session records taking precedence for duplicate keys.
Useful? React with 👍 / 👎.
Summary
cookies.sqlitelacks usable auth rowsMaintainer hardening
mainand removed the stale contributor changelog edit; the maintainer changelog is added after landingSafety behavior
Proof
make check: cleanExact reviewed head:
5239ca6b54a7f128713dfe38a64a455be7f80e46Thanks @aaronflorey for the contribution.