Using JavaScript to create NFAuthentication.key

[ccoenen]

(originally written in #1674 (comment) )

I've read through the NFauth python script, and if I read it correctly, the only thing you need are the cookies from a logged in session, right? If that's the case, maybe a bookmarklet would be a way for a somewhat larger audience?

The information you can extract is not exactly the same. The question is: does that matter?

The python method gets you these keys: name, value, domain, path, expires, size, httpOnly, secure, session, priority, sameParty, sourceScheme, sourcePort. Most of these keys don't really matter, because your browser does not send anything but name and value. All the other keys don't go over the network but determine where the cookies may be sent.

This JavaScript gets you only name and value because that's all the document.cookies gives you back. Do you think this could still work?

(function () {
  const output = {app_name: "NFAuthenticationKey", data: {cookies: {}}};
  document.cookie.split(/;\s*/).forEach(c => {
    const [name, value] = c.split("=")
    output.data.cookies[name] = value;
  });
  console.log(output);
}());

This can be run from your browser's console and should output a json file structurally identical to what's currently created. (I left out a few fields that are easily added later)

If you think this is worthwhile pursueing, I can look into the web crypto api, which can do AES-CBC and base64 is of course not a problem. My screenshot above is from Firefox, but this would probably work across browsers and would not require users to install python and dependencies.

What I would need to understand is, where the cookies will be used later. That way I could try to estimate if the information provided by document.cookies is sufficient.