Skip to content

Fix auth VNC rendering with cloned Chrome profiles#2

Open
federicodeponte wants to merge 3 commits into
mainfrom
openbrowser-auth-fix
Open

Fix auth VNC rendering with cloned Chrome profiles#2
federicodeponte wants to merge 3 commits into
mainfrom
openbrowser-auth-fix

Conversation

@federicodeponte

Copy link
Copy Markdown
Member

Summary

  • Launch generic and identity auth VNC sessions from per-request cloned Chrome profiles instead of attaching to or opening locked live profiles.
  • Verify Chrome CDP and a visible X window before exposing VNC; persist start_error so the portal shows launch failures.
  • Clean cloned profiles on stop/expiry and keep the existing same-lease path unchanged.

Verification

  • python3 -m compileall -q ax_browser_broker && python3 -m pytest -q -> 209 passed.
  • Isolated generic auth VNC screenshot: /root/.fleet-logs/auth-vnc-generic-example-hRynPErc.png, rendered Example Domain, non-black mean 52110.5.
  • Isolated identity auth VNC screenshot: /root/.fleet-logs/auth-vnc-example-Pb5RDQvG.png, rendered Example Domain, non-black mean 49072.8.
  • Isolated logged identity screenshot: /root/.fleet-logs/auth-vnc-linkedin-logged-9ja6zMad.png, rendered LinkedIn feed, title Feed | LinkedIn, no sign-in text.
  • No production broker restart performed. Smoke sessions used isolated roots under /tmp/ax-auth-vnc-smoke-* and non-production VNC/websocket ports.

Safe Reload Plan

  1. Check active sessions: /root/ax-browser-broker/bin/ax-browser-audit --json and curl -s http://127.0.0.1:8767/status.
  2. Wait for active human auth/VNC sessions to finish, or coordinate a drain window with Federico.
  3. Pull this branch on AX41 and run python3 -m compileall -q ax_browser_broker && python3 -m pytest -q.
  4. Reload with a fast API restart only after approval: systemctl restart ax-browser-broker.service. This leaves browser pool Chrome processes intact; no pool supervisor restart.
  5. Post-reload smoke: create one auth VNC to https://example.com, capture DISPLAY=:<display> import -window root /root/.fleet-logs/auth-vnc-postreload.png, confirm non-black and title Example Domain.

WorkerOS and others added 3 commits July 2, 2026 20:24
The auth portal (/auth/<token>) only supplied the VNC password to noVNC when
trusted_client was true, so the owner opening the portal from an untrusted
device (their phone) got a blank viewer. The portal token is itself the secret,
so always auto-supply the password.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…ock; fail loud if chrome window doesn't open

Auth VNC sessions launched chrome on the shared identity profile which is
SingletonLock'd by a live pool chrome, so the new chrome exited immediately and
the display stayed black. Clone the profile (login state preserved) to a
per-session temp dir, and raise if no visible window appears.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants