Merge pull request #62 from stablyai/fix/eslint-warnings

nwparker · web-flow · commit 8a3245ea2266 · 2026-03-09T23:48:23.000-07:00
Fix eslint warnings: max-params, unused imports, max-lines
diff --git a/src/auth/brave.ts b/src/auth/brave.ts
@@ -148,7 +148,7 @@ async function extractCookieDFromBrave(): Promise<string> {
 
   for (const password of passwords) {
     try {
-      const decrypted = decryptChromiumCookieValue(data, password, 1003);
+      const decrypted = decryptChromiumCookieValue(data, { password, iterations: 1003 });
       const match = decrypted.match(/xoxd-[A-Za-z0-9%/+_=.-]+/);
       if (match) {
         return match[0]!;
diff --git a/src/auth/chromium-cookie.ts b/src/auth/chromium-cookie.ts
@@ -2,13 +2,14 @@ import { pbkdf2Sync, createDecipheriv } from "node:crypto";
 
 export function decryptChromiumCookieValue(
   data: Buffer,
-  password: string,
-  iterations: number,
+  options: { password: string; iterations: number },
 ): string {
   if (!data || data.length === 0) {
     return "";
   }
 
+  const { password, iterations } = options;
+
   if (iterations < 1) {
     throw new RangeError(`iterations must be >= 1, got ${iterations}`);
   }
diff --git a/src/auth/desktop-crypto.ts b/src/auth/desktop-crypto.ts
@@ -0,0 +1,157 @@
+import { existsSync, readFileSync, writeFileSync, unlinkSync } from "node:fs";
+import { execFileSync } from "node:child_process";
+import { createDecipheriv, randomUUID } from "node:crypto";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { isRecord } from "../lib/object-type-guards.ts";
+
+const IS_MACOS = process.platform === "darwin";
+const IS_LINUX = process.platform === "linux";
+
+export function getSafeStoragePasswords(prefix: string): string[] {
+  if (IS_MACOS) {
+    // Electron ("Slack Key") and Mac App Store ("Slack App Store Key") builds
+    // store separate Safe Storage passwords under the same service name.
+    // Query each known account explicitly, then fall back to service-only
+    // lookups to catch unknown account names.
+    const keychainQueries: { service: string; account?: string }[] = [
+      { service: "Slack Safe Storage", account: "Slack Key" },
+      { service: "Slack Safe Storage", account: "Slack App Store Key" },
+      { service: "Slack Safe Storage" },
+      { service: "Chrome Safe Storage" },
+      { service: "Chromium Safe Storage" },
+    ];
+    const passwords: string[] = [];
+    for (const q of keychainQueries) {
+      try {
+        const args = ["-w", "-s", q.service];
+        if (q.account) {
+          args.push("-a", q.account);
+        }
+        const out = execFileSync("security", ["find-generic-password", ...args], {
+          encoding: "utf8",
+          stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        if (out) {
+          passwords.push(out);
+        }
+      } catch {
+        // continue
+      }
+    }
+    if (passwords.length > 0) {
+      return [...new Set(passwords)];
+    }
+  }
+
+  if (IS_LINUX) {
+    const attributes: string[][] = [
+      ["application", "com.slack.Slack"],
+      ["application", "Slack"],
+      ["application", "slack"],
+      ["service", "Slack Safe Storage"],
+    ];
+    const passwords: string[] = [];
+    for (const pair of attributes) {
+      try {
+        const out = execFileSync("secret-tool", ["lookup", ...pair], {
+          encoding: "utf8",
+          stdio: ["ignore", "pipe", "ignore"],
+        }).trim();
+        if (out) {
+          passwords.push(out);
+        }
+      } catch {
+        // continue
+      }
+    }
+
+    // Chromium Linux OSCrypt v10 fallback password (see os_crypt_linux.cc).
+    if (prefix === "v11") {
+      passwords.push("");
+    }
+    passwords.push("peanuts");
+
+    return [...new Set(passwords)];
+  }
+
+  throw new Error("Could not read Safe Storage password from desktop keychain.");
+}
+
+/**
+ * Decrypt a Chromium cookie on Windows using DPAPI + AES-256-GCM.
+ *
+ * On Windows (Chromium v80+), cookies are encrypted as:
+ *   v10/v11 + 12-byte nonce + AES-256-GCM ciphertext + 16-byte auth tag
+ *
+ * The AES key is stored DPAPI-encrypted in the "Local State" file under
+ * os_crypt.encrypted_key (base64, prefixed with "DPAPI").
+ */
+export function decryptCookieWindows(encrypted: Buffer, slackDataDir: string): string {
+  // Read the DPAPI-protected AES key from Local State
+  const localStatePath = join(slackDataDir, "Local State");
+  if (!existsSync(localStatePath)) {
+    throw new Error(`Local State file not found: ${localStatePath}`);
+  }
+  let localState: unknown;
+  try {
+    localState = JSON.parse(readFileSync(localStatePath, "utf8"));
+  } catch (error) {
+    throw new Error(`Failed to parse Local State file: ${localStatePath}`, { cause: error });
+  }
+  const osCrypt = isRecord(localState) ? localState.os_crypt : undefined;
+  if (!isRecord(osCrypt) || typeof osCrypt.encrypted_key !== "string") {
+    throw new Error("No os_crypt.encrypted_key in Local State");
+  }
+  const encKeyFull = Buffer.from(osCrypt.encrypted_key as string, "base64");
+  // Skip "DPAPI" prefix (5 bytes)
+  const encKeyBlob = encKeyFull.subarray(5);
+
+  // Decrypt AES key via Windows DPAPI using PowerShell
+  const id = randomUUID();
+  const encKeyFile = join(tmpdir(), `as-key-enc-${id}.bin`);
+  const decKeyFile = join(tmpdir(), `as-key-dec-${id}.bin`);
+  writeFileSync(encKeyFile, encKeyBlob, { mode: 0o600 });
+  try {
+    // Escape single quotes for PowerShell single-quoted strings (' → '')
+    const psEncKeyFile = encKeyFile.replaceAll("'", "''");
+    const psDecKeyFile = decKeyFile.replaceAll("'", "''");
+    const psCmd = [
+      "Add-Type -AssemblyName System.Security",
+      `$e=[System.IO.File]::ReadAllBytes('${psEncKeyFile}')`,
+      "$d=[System.Security.Cryptography.ProtectedData]::Unprotect($e,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)",
+      `[System.IO.File]::WriteAllBytes('${psDecKeyFile}',$d)`,
+    ].join("; ");
+    execFileSync("powershell", ["-ExecutionPolicy", "Bypass", "-Command", psCmd], {
+      stdio: "pipe",
+    });
+    if (!existsSync(decKeyFile)) {
+      throw new Error("DPAPI decryption failed: PowerShell did not produce the decrypted key file");
+    }
+    const aesKey = readFileSync(decKeyFile);
+
+    // AES-256-GCM: v10(3) + nonce(12) + ciphertext(N-16) + tag(16)
+    const nonce = encrypted.subarray(3, 15);
+    const ciphertextWithTag = encrypted.subarray(15);
+    const tag = ciphertextWithTag.subarray(-16);
+    const ciphertext = ciphertextWithTag.subarray(0, -16);
+
+    const decipher = createDecipheriv("aes-256-gcm", aesKey, nonce);
+    decipher.setAuthTag(tag);
+    let decrypted = decipher.update(ciphertext, undefined, "utf8");
+    decrypted += decipher.final("utf8");
+
+    return decrypted;
+  } finally {
+    try {
+      unlinkSync(encKeyFile);
+    } catch {
+      /* ignore */
+    }
+    try {
+      unlinkSync(decKeyFile);
+    } catch {
+      /* ignore */
+    }
+  }
+}
diff --git a/src/auth/desktop.ts b/src/auth/desktop.ts
@@ -1,22 +1,15 @@
 // Desktop auth extraction approach inspired by:
 // - slacktokens: https://github.com/hraftery/slacktokens
 import { cp, mkdir, rm, unlink } from "node:fs/promises";
-import {
-  existsSync,
-  readFileSync,
-  readdirSync,
-  copyFileSync,
-  writeFileSync,
-  unlinkSync,
-} from "node:fs";
+import { existsSync, readdirSync, copyFileSync, unlinkSync } from "node:fs";
 import { execFileSync } from "node:child_process";
-import { createDecipheriv, randomUUID } from "node:crypto";
 import { homedir, platform, tmpdir } from "node:os";
 import { join } from "node:path";
 import { findKeysContaining } from "../lib/leveldb-reader.js";
 import { isRecord } from "../lib/object-type-guards.ts";
 import { queryReadonlySqlite } from "./firefox-profile.ts";
 import { decryptChromiumCookieValue } from "./chromium-cookie.ts";
+import { getSafeStoragePasswords, decryptCookieWindows } from "./desktop-crypto.ts";
 
 type DesktopTeam = { url: string; name?: string; token: string };
 
@@ -261,154 +254,6 @@ async function extractTeamsFromSlackLevelDb(leveldbDir: string): Promise<Desktop
   }
 }
 
-function getSafeStoragePasswords(prefix: string): string[] {
-  if (IS_MACOS) {
-    // Electron ("Slack Key") and Mac App Store ("Slack App Store Key") builds
-    // store separate Safe Storage passwords under the same service name.
-    // Query each known account explicitly, then fall back to service-only
-    // lookups to catch unknown account names.
-    const keychainQueries: { service: string; account?: string }[] = [
-      { service: "Slack Safe Storage", account: "Slack Key" },
-      { service: "Slack Safe Storage", account: "Slack App Store Key" },
-      { service: "Slack Safe Storage" },
-      { service: "Chrome Safe Storage" },
-      { service: "Chromium Safe Storage" },
-    ];
-    const passwords: string[] = [];
-    for (const q of keychainQueries) {
-      try {
-        const args = ["-w", "-s", q.service];
-        if (q.account) {
-          args.push("-a", q.account);
-        }
-        const out = execFileSync("security", ["find-generic-password", ...args], {
-          encoding: "utf8",
-          stdio: ["ignore", "pipe", "ignore"],
-        }).trim();
-        if (out) {
-          passwords.push(out);
-        }
-      } catch {
-        // continue
-      }
-    }
-    if (passwords.length > 0) {
-      return [...new Set(passwords)];
-    }
-  }
-
-  if (IS_LINUX) {
-    const attributes: string[][] = [
-      ["application", "com.slack.Slack"],
-      ["application", "Slack"],
-      ["application", "slack"],
-      ["service", "Slack Safe Storage"],
-    ];
-    const passwords: string[] = [];
-    for (const pair of attributes) {
-      try {
-        const out = execFileSync("secret-tool", ["lookup", ...pair], {
-          encoding: "utf8",
-          stdio: ["ignore", "pipe", "ignore"],
-        }).trim();
-        if (out) {
-          passwords.push(out);
-        }
-      } catch {
-        // continue
-      }
-    }
-
-    // Chromium Linux OSCrypt v10 fallback password (see os_crypt_linux.cc).
-    if (prefix === "v11") {
-      passwords.push("");
-    }
-    passwords.push("peanuts");
-
-    return [...new Set(passwords)];
-  }
-
-  throw new Error("Could not read Safe Storage password from desktop keychain.");
-}
-
-/**
- * Decrypt a Chromium cookie on Windows using DPAPI + AES-256-GCM.
- *
- * On Windows (Chromium v80+), cookies are encrypted as:
- *   v10/v11 + 12-byte nonce + AES-256-GCM ciphertext + 16-byte auth tag
- *
- * The AES key is stored DPAPI-encrypted in the "Local State" file under
- * os_crypt.encrypted_key (base64, prefixed with "DPAPI").
- */
-function decryptCookieWindows(encrypted: Buffer, slackDataDir: string): string {
-  // Read the DPAPI-protected AES key from Local State
-  const localStatePath = join(slackDataDir, "Local State");
-  if (!existsSync(localStatePath)) {
-    throw new Error(`Local State file not found: ${localStatePath}`);
-  }
-  let localState: unknown;
-  try {
-    localState = JSON.parse(readFileSync(localStatePath, "utf8"));
-  } catch (error) {
-    throw new Error(`Failed to parse Local State file: ${localStatePath}`, { cause: error });
-  }
-  const osCrypt = isRecord(localState) ? localState.os_crypt : undefined;
-  if (!isRecord(osCrypt) || typeof osCrypt.encrypted_key !== "string") {
-    throw new Error("No os_crypt.encrypted_key in Local State");
-  }
-  const encKeyFull = Buffer.from(osCrypt.encrypted_key as string, "base64");
-  // Skip "DPAPI" prefix (5 bytes)
-  const encKeyBlob = encKeyFull.subarray(5);
-
-  // Decrypt AES key via Windows DPAPI using PowerShell
-  const id = randomUUID();
-  const encKeyFile = join(tmpdir(), `as-key-enc-${id}.bin`);
-  const decKeyFile = join(tmpdir(), `as-key-dec-${id}.bin`);
-  writeFileSync(encKeyFile, encKeyBlob, { mode: 0o600 });
-  try {
-    // Escape single quotes for PowerShell single-quoted strings (' → '')
-    const psEncKeyFile = encKeyFile.replaceAll("'", "''");
-    const psDecKeyFile = decKeyFile.replaceAll("'", "''");
-    const psCmd = [
-      "Add-Type -AssemblyName System.Security",
-      `$e=[System.IO.File]::ReadAllBytes('${psEncKeyFile}')`,
-      "$d=[System.Security.Cryptography.ProtectedData]::Unprotect($e,$null,[System.Security.Cryptography.DataProtectionScope]::CurrentUser)",
-      `[System.IO.File]::WriteAllBytes('${psDecKeyFile}',$d)`,
-    ].join("; ");
-    execFileSync("powershell", ["-ExecutionPolicy", "Bypass", "-Command", psCmd], {
-      stdio: "pipe",
-    });
-    if (!existsSync(decKeyFile)) {
-      throw new Error("DPAPI decryption failed: PowerShell did not produce the decrypted key file");
-    }
-    const aesKey = readFileSync(decKeyFile);
-
-    // AES-256-GCM: v10(3) + nonce(12) + ciphertext(N-16) + tag(16)
-    const nonce = encrypted.subarray(3, 15);
-    const ciphertextWithTag = encrypted.subarray(15);
-    const tag = ciphertextWithTag.subarray(-16);
-    const ciphertext = ciphertextWithTag.subarray(0, -16);
-
-    const decipher = createDecipheriv("aes-256-gcm", aesKey, nonce);
-    decipher.setAuthTag(tag);
-    let decrypted = decipher.update(ciphertext, undefined, "utf8");
-    decrypted += decipher.final("utf8");
-
-    return decrypted;
-  } finally {
-    try {
-      unlinkSync(encKeyFile);
-    } catch {
-      /* ignore */
-    }
-    try {
-      unlinkSync(decKeyFile);
-    } catch {
-      /* ignore */
-    }
-  }
-}
-
 async function extractCookieDFromSlackCookiesDb(
   cookiesPath: string,
   slackDataDir: string,
@@ -482,7 +327,10 @@ async function extractCookieDFromSlackCookiesDb(
 
   for (const password of passwords) {
     try {
-      const decrypted = decryptChromiumCookieValue(data, password, IS_LINUX ? 1 : 1003);
+      const decrypted = decryptChromiumCookieValue(data, {
+        password,
+        iterations: IS_LINUX ? 1 : 1003,
+      });
       const match = decrypted.match(/xoxd-[A-Za-z0-9%/+_=.-]+/);
       if (match) {
         return match[0]!;
diff --git a/src/cli/context.ts b/src/cli/context.ts
@@ -3,14 +3,7 @@ import { extractFromChrome } from "../auth/chrome.ts";
 import { parseSlackCurlCommand } from "../auth/curl.ts";
 import { extractFromSlackDesktop } from "../auth/desktop.ts";
 import { extractFromFirefox } from "../auth/firefox.ts";
-import {
-  loadCredentials,
-  resolveDefaultWorkspace,
-  resolveWorkspaceForUrl,
-  upsertWorkspace,
-  upsertWorkspaces,
-} from "../auth/store.ts";
-import { resolveWorkspaceSelector } from "./workspace-selector.ts";
+import { loadCredentials, upsertWorkspaces } from "../auth/store.ts";
 import { normalizeChannelInput } from "../slack/channels.ts";
 import type { SlackApiClient } from "../slack/client.ts";
 import { type SlackAuth } from "../slack/client.ts";
diff --git a/src/cli/message-actions.ts b/src/cli/message-actions.ts
@@ -5,7 +5,6 @@ import { resolveChannelId, openDmChannel } from "../slack/channels.ts";
 import { normalizeSlackReactionName } from "../slack/emoji.ts";
 import { warnOnTruncatedSlackUrl } from "./message-url-warning.ts";
 import { textToRichTextBlocks } from "../slack/rich-text.ts";
-import { getThreadSummary, toThreadListMessage } from "./message-thread-info.ts";
 import type { SlackApiClient } from "../slack/client.ts";
 import { uploadLocalFileToSlack } from "../slack/upload.ts";
 
