john/claude-engineering-plugin
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
470f56fd35f809ec1847086dee2d0cdc2cde7d48
claude-engineering-plugin/plugins/compound-engineering/skills/agent-browser/references/authentication.md
Trevin Chow 24860ec3f1 feat: sync agent-browser skill with upstream vercel-labs/agent-browser 
Update SKILL.md to match the latest upstream skill from
vercel-labs/agent-browser, adding substantial new capabilities:

- Authentication (auth vault, profiles, session persistence, state files)
- Command chaining, annotated screenshots, diffing
- Security features (content boundaries, domain allowlist, action policy)
- iOS Simulator support, Lightpanda engine, downloads, clipboard
- JS eval improvements (--stdin, -b for shell safety)
- Timeout guidance, config files, session cleanup

Add 7 reference docs (commands, authentication, snapshot-refs,
session-management, video-recording, profiling, proxy-support) and
3 ready-to-use shell templates.

Kept our YAML frontmatter, setup check section, and Playwright MCP
comparison table which are unique to our plugin context.
2026-03-14 20:08:27 -07:00

8.2 KiB
Raw Blame History

Authentication Patterns

Login flows, session persistence, OAuth, 2FA, and authenticated browsing.

Related: commands.md for full command reference, SKILL.md for quick start.

Contents

Import Auth from Your Browser

The fastest way to authenticate is to reuse cookies from a Chrome session you are already logged into.

Step 1: Start Chrome with remote debugging

# macOS
"/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --remote-debugging-port=9222

# Linux
google-chrome --remote-debugging-port=9222

# Windows
"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222

Log in to your target site(s) in this Chrome window as you normally would.

Security note: --remote-debugging-port exposes full browser control on localhost. Any local process can connect and read cookies, execute JS, etc. Only use on trusted machines and close Chrome when done.

Step 2: Grab the auth state

# Auto-discover the running Chrome and save its cookies + localStorage
agent-browser --auto-connect state save ./my-auth.json

Step 3: Reuse in automation

# Load auth at launch
agent-browser --state ./my-auth.json open https://app.example.com/dashboard

# Or load into an existing session
agent-browser state load ./my-auth.json
agent-browser open https://app.example.com/dashboard

This works for any site, including those with complex OAuth flows, SSO, or 2FA -- as long as Chrome already has valid session cookies.

Security note: State files contain session tokens in plaintext. Add them to .gitignore, delete when no longer needed, and set AGENT_BROWSER_ENCRYPTION_KEY for encryption at rest. See Security Best Practices.

Tip: Combine with --session-name so the imported auth auto-persists across restarts:

agent-browser --session-name myapp state load ./my-auth.json
# From now on, state is auto-saved/restored for "myapp"

Persistent Profiles

Use --profile to point agent-browser at a Chrome user data directory. This persists everything (cookies, IndexedDB, service workers, cache) across browser restarts without explicit save/load:

# First run: login once
agent-browser --profile ~/.myapp-profile open https://app.example.com/login
# ... complete login flow ...

# All subsequent runs: already authenticated
agent-browser --profile ~/.myapp-profile open https://app.example.com/dashboard

Use different paths for different projects or test users:

agent-browser --profile ~/.profiles/admin open https://app.example.com
agent-browser --profile ~/.profiles/viewer open https://app.example.com

Or set via environment variable:

export AGENT_BROWSER_PROFILE=~/.myapp-profile
agent-browser open https://app.example.com/dashboard

Session Persistence

Use --session-name to auto-save and restore cookies + localStorage by name, without managing files:

# Auto-saves state on close, auto-restores on next launch
agent-browser --session-name twitter open https://twitter.com
# ... login flow ...
agent-browser close  # state saved to ~/.agent-browser/sessions/

# Next time: state is automatically restored
agent-browser --session-name twitter open https://twitter.com

Encrypt state at rest:

export AGENT_BROWSER_ENCRYPTION_KEY=$(openssl rand -hex 32)
agent-browser --session-name secure open https://app.example.com

Basic Login Flow

# Navigate to login page
agent-browser open https://app.example.com/login
agent-browser wait --load networkidle

# Get form elements
agent-browser snapshot -i
# Output: @e1 [input type="email"], @e2 [input type="password"], @e3 [button] "Sign In"

# Fill credentials
agent-browser fill @e1 "user@example.com"
agent-browser fill @e2 "password123"

# Submit
agent-browser click @e3
agent-browser wait --load networkidle

# Verify login succeeded
agent-browser get url  # Should be dashboard, not login

Saving Authentication State

After logging in, save state for reuse:

# Login first (see above)
agent-browser open https://app.example.com/login
agent-browser snapshot -i
agent-browser fill @e1 "user@example.com"
agent-browser fill @e2 "password123"
agent-browser click @e3
agent-browser wait --url "**/dashboard"

# Save authenticated state
agent-browser state save ./auth-state.json

Restoring Authentication

Skip login by loading saved state:

# Load saved auth state
agent-browser state load ./auth-state.json

# Navigate directly to protected page
agent-browser open https://app.example.com/dashboard

# Verify authenticated
agent-browser snapshot -i

OAuth / SSO Flows

For OAuth redirects:

# Start OAuth flow
agent-browser open https://app.example.com/auth/google

# Handle redirects automatically
agent-browser wait --url "**/accounts.google.com**"
agent-browser snapshot -i

# Fill Google credentials
agent-browser fill @e1 "user@gmail.com"
agent-browser click @e2  # Next button
agent-browser wait 2000
agent-browser snapshot -i
agent-browser fill @e3 "password"
agent-browser click @e4  # Sign in

# Wait for redirect back
agent-browser wait --url "**/app.example.com**"
agent-browser state save ./oauth-state.json

Two-Factor Authentication

Handle 2FA with manual intervention:

# Login with credentials
agent-browser open https://app.example.com/login --headed  # Show browser
agent-browser snapshot -i
agent-browser fill @e1 "user@example.com"
agent-browser fill @e2 "password123"
agent-browser click @e3

# Wait for user to complete 2FA manually
echo "Complete 2FA in the browser window..."
agent-browser wait --url "**/dashboard" --timeout 120000

# Save state after 2FA
agent-browser state save ./2fa-state.json

HTTP Basic Auth

For sites using HTTP Basic Authentication:

# Set credentials before navigation
agent-browser set credentials username password

# Navigate to protected resource
agent-browser open https://protected.example.com/api

Cookie-Based Auth

Manually set authentication cookies:

# Set auth cookie
agent-browser cookies set session_token "abc123xyz"

# Navigate to protected page
agent-browser open https://app.example.com/dashboard

Token Refresh Handling

For sessions with expiring tokens:

#!/bin/bash
# Wrapper that handles token refresh

STATE_FILE="./auth-state.json"

# Try loading existing state
if [[ -f "$STATE_FILE" ]]; then
    agent-browser state load "$STATE_FILE"
    agent-browser open https://app.example.com/dashboard

    # Check if session is still valid
    URL=$(agent-browser get url)
    if [[ "$URL" == *"/login"* ]]; then
        echo "Session expired, re-authenticating..."
        # Perform fresh login
        agent-browser snapshot -i
        agent-browser fill @e1 "$USERNAME"
        agent-browser fill @e2 "$PASSWORD"
        agent-browser click @e3
        agent-browser wait --url "**/dashboard"
        agent-browser state save "$STATE_FILE"
    fi
else
    # First-time login
    agent-browser open https://app.example.com/login
    # ... login flow ...
fi

Security Best Practices

  1. Never commit state files - They contain session tokens

    echo "*.auth-state.json" >> .gitignore

  2. Use environment variables for credentials

    agent-browser fill @e1 "$APP_USERNAME"
agent-browser fill @e2 "$APP_PASSWORD"

  3. Clean up after automation

    agent-browser cookies clear
rm -f ./auth-state.json

  4. Use short-lived sessions for CI/CD

    # Don't persist state in CI
agent-browser open https://app.example.com/login
# ... login and perform actions ...
agent-browser close  # Session ends, nothing persisted
Reference in New Issue View Git Blame Copy Permalink