Skip to content

Add environment-variable cookie auth (no browser profile access)#17

Open
chongheado wants to merge 1 commit into
public-clis:mainfrom
chongheado:feat/env-var-cookie-auth
Open

Add environment-variable cookie auth (no browser profile access)#17
chongheado wants to merge 1 commit into
public-clis:mainfrom
chongheado:feat/env-var-cookie-auth

Conversation

@chongheado

Copy link
Copy Markdown

What

Adds an environment-variable credential source so rdt-cli can authenticate without reading the local browser's cookie database.

Credential priority is now env β†’ saved file β†’ browser (browser extraction is kept, but demoted to a last resort):

  • RDT_COOKIE β€” full raw Cookie header (most robust; carries the whole session set)
  • RDT_SESSION (+ optional RDT_MODHASH) β€” convenience for just the session cookie / write capability

Env credentials are read fresh each run and are never written to disk. Public/read-only commands also no longer silently trigger browser cookie extraction, so setting RDT_COOKIE (or nothing at all) never touches the browser.

Why

Reddit now blocks anonymous .json access, so a browser-established session cookie is required. Some users and environments (CI, servers, privacy-conscious setups) don't want the tool reading their local browser profile files. Supplying the cookie via an env var solves this without changing the tool's architecture.

Testing

  • python -m pytest -q β†’ 146 passed, 66 deselected (adds tests/test_env_credential.py β€” 16 tests; tests/conftest.py isolates RDT_* from the test runner's env)
  • ruff check . β†’ clean
  • Manual end-to-end against live Reddit via RDT_COOKIE (no browser launched, no profile files read):
    • rdt status --json β†’ "authenticated": true, "source": "env"
    • rdt whoami β†’ resolves the account
    • rdt popular -n 5 β†’ returns real posts

Docs

README gains an environment-variable auth section and a step-by-step "get your cookie" guide.

Reddit (2026) now blocks anonymous .json access behind a browser JS
anti-bot challenge, and self-service OAuth app registration is closed, so
a browser-established cookie is required. This lets users supply that
cookie themselves β€” WITHOUT the tool reading their browser profile
files β€” via environment variables, and demotes browser extraction to a
last resort.

Credential chain is now: env β†’ saved file β†’ browser (browser kept, last).

Environment variables (read fresh each run, never persisted to disk):
- RDT_COOKIE  : full raw Cookie header (most robust; whole session set)
- RDT_SESSION : reddit_session value (convenience)
- RDT_MODHASH : optional modhash (enables write actions)

Public/read-only commands also no longer silently extract browser cookies
(optional_auth passes allow_browser=False; anonymous runs don't
browser-refresh on session expiry), so setting RDT_COOKIE β€” or nothing β€”
never touches the browser for public browsing.

- auth.py: parse_cookie_header(), extract_env_credential(),
  get_credential(allow_browser=...) chain (env-first, browser-last)
- session.py: anonymous token_v2 cookie counts as read-capable
- commands: optional_auth() never extracts browser; status/login/
  require_auth messages point users to RDT_COOKIE
- README: env-var auth section + step-by-step "get your cookie" guide
- tests: test_env_credential.py, test_public_no_browser.py, conftest env isolation
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant