fix: stop replaying poisoned Cloudflare __cf_bm cookie #583
Merged
Cookie jar was auto-capturing CF's Bot Management session cookie from warmup responses, then replaying it on /codex/responses where CF returns an empty-body 404 once the bound (IP+UA+TLS+timing) drifts. This produced the diagnostic contradiction of "quota fine, path 404". Restrict auto-capture to a whitelist (cf_clearance only); manual admin set() is unaffected. Add empty-body 404 detection that clears the account's cookies and retries on a different account, auto-disabling the account after 3 consecutive blocks within a 1h sliding window.
Summary
Fixes the "quota not limited, yet unusable" hang state in which individual accounts, hit back by Cloudflare Bot Management's __cf_bm cookie, got a 404 on every /codex/responses call while /codex/usage still worked. Root cause: during the warmup GET /codex/usage the proxy's captureCookies stored the __cf_bm that CF occasionally issues into the jar, but __cf_bm is bound to a 30-minute session fingerprint (IP + UA + TLS fingerprint + timing); as soon as that fingerprint drifts, CF stealth-denies with an empty-body 404 on the more heavily protected paths.

Changes
Two-layer fix:
- src/proxy/cookie-jar.ts: add CAPTURABLE_COOKIE_NAMES = {cf_clearance}; captureRaw now actively discards __cf_bm and any other cookie not on the whitelist. Manual set() via the admin API is not restricted.
- src/proxy/error-classification.ts: add isCfPathBlockError (404 + empty body); src/auth/cf-path-block-tracker.ts: 1h sliding-window counter; src/routes/shared/proxy-error-handler.ts: on a hit, clear the account's cookies and fail over to another account; ≥3 hits on the same account within 1h auto-disables it and records it in the Errors tab; src/services/account-mutation.ts: reset the counter on re-enable.

Test coverage:
- tests/unit/auth/cf-path-block-tracker.test.ts (4 cases: counting / window expiry / reset / peek)
- tests/unit/proxy/error-classification.test.ts: new isCfPathBlockError section (4 branches)
- tests/unit/routes/shared/proxy-error-handler.test.ts: CF block retry/disable paths (2 cases)
- tests/unit/proxy/cookie-jar.test.ts rewritten for whitelist semantics

Test Plan
/health returns 200

Notes
Cherry-picked from fix/mac-x64-smoke-timeout (commit dd5fc96) onto a fresh branch off origin/dev. The original branch also carried a duplicate mac x64 smoke fix (already squashed into dev via #560) and a local fingerprint bump; neither was brought over.
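To make the three mechanisms concrete, here is an added stand-alone example (written for this note, not the repository's own code) of a whitelist-only cookie capture, the empty-body 404 classifier, and a 1h sliding-window block counter; the function and class names are assumptions and timestamps are injected so behaviour is deterministic.

```typescript
// Only cookies on this whitelist are auto-captured from responses; the Bot
// Management session cookie __cf_bm is deliberately absent so it is never replayed.
const CAPTURABLE_COOKIE_NAMES: ReadonlySet<string> = new Set(["cf_clearance"]);

// Parse Set-Cookie headers and keep only whitelisted name=value pairs (assumed name).
function captureRaw(setCookieHeaders: string[]): Map<string, string> {
  const jar = new Map<string, string>();
  for (const header of setCookieHeaders) {
    const [pair] = header.split(";");           // drop Path=, HttpOnly, etc.
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    const name = pair.slice(0, eq).trim();
    if (!CAPTURABLE_COOKIE_NAMES.has(name)) continue; // __cf_bm and friends dropped here
    jar.set(name, pair.slice(eq + 1).trim());
  }
  return jar;
}

// Cloudflare's stealth deny on a protected path: HTTP 404 with an empty body.
// A genuine "route not found" from the upstream carries a body, so both
// conditions are required to avoid misclassifying ordinary 404s.
function isCfPathBlockError(status: number, body: string): boolean {
  return status === 404 && body.length === 0;
}

// Sliding-window counter: per account, keep block timestamps inside the window
// and signal "disable" once `threshold` blocks fall within `windowMs`.
class CfPathBlockTracker {
  private hits = new Map<string, number[]>();
  constructor(private windowMs = 60 * 60 * 1000, private threshold = 3) {}

  private recent(accountId: string, now: number): number[] {
    return (this.hits.get(accountId) ?? []).filter((t) => now - t < this.windowMs);
  }

  // Record a block at time `now`; returns true when the account should be disabled.
  record(accountId: string, now: number): boolean {
    const recent = this.recent(accountId, now);
    recent.push(now);
    this.hits.set(accountId, recent);
    return recent.length >= this.threshold;
  }

  // Number of blocks still inside the window, without recording a new one.
  peek(accountId: string, now: number): number {
    return this.recent(accountId, now).length;
  }

  // Called when an admin re-enables the account so stale blocks do not count again.
  reset(accountId: string): void {
    this.hits.delete(accountId);
  }
}
```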