fix(auth): stop importing yandex.com cookies as "x.com" — the real 403 cause

User reported auto-import reading 40 cookies including yandexuid, ymex,
yp, yuidss, __gads, __gpi, Hm_lvt_*, _pk_id, _pk_ref, POSMEDIAID,
__cf_bm, cf_clearance, FCCDCF, FCNEC — almost none of which belong to
X/Twitter. They were getting stuffed into the `Cookie:` header of every
UserByRestId request and X's gateway was (correctly) 403'ing the
jumbled request.

Root cause: `kooky.DomainHasSuffix("x.com")` does a literal string
suffix match against `cookie.Domain`. `yandex.com` ends in the three
characters "x.com", so does `unix.com`, `pix.com`, `nhx.com`, etc. The
filter was matching every tracker / ad / analytics cookie from every
site whose domain happens to end in those letters. That's how all the
garbage got imported.

XActions works because users paste cookies from DevTools →
Application → Cookies → https://x.com, which the browser has already
scoped to the x.com registrable domain. No browser-side bug, just a
manual filter. x-cli was trying to be clever with auto-read and hit
the substring-matching footgun.

Fix in internal/browsercookies:

  isDomainMatch(want, cookieDomain) — proper registrable-domain check.

    isDomainMatch("x.com", "x.com")        → true
    isDomainMatch("x.com", ".x.com")       → true
    isDomainMatch("x.com", "api.x.com")    → true
    isDomainMatch("x.com", ".help.x.com")  → true

    isDomainMatch("x.com", "yandex.com")   → false  ← the bug fix
    isDomainMatch("x.com", "unix.com")     → false
    isDomainMatch("x.com", "pix.com")      → false

  Both Load and List now drop kooky.DomainHasSuffix and apply this
  check in their own traversal loop.

  TestIsDomainMatch pins the rule with 16 cases covering exact match,
  subdomain match, leading-dot match, case insensitivity, and the
  critical yandex.com / unix.com / pix.com negative cases that caused
  the original bug.

Bonus cleanup in api/client.go (the header minimization from the prior
commit stays in place): x-cli now sends the XActions-minimal header
profile (bearer + UA + accept + content-type + x-twitter-* + cookie
+ csrf) and NOT the browser-fingerprint set (no sec-ch-ua, no
sec-fetch-*, no Origin, no Referer). XActions and twikit both work
with this minimal profile against today's x.com; adding browser-
fingerprint headers without matching TLS fingerprint only made x.com
fingerprint us as "lying about being a browser" and 403 harder.

api/client_test.go — TestApplyHeadersUnauthenticated updated to assert
that the browser-fingerprint headers are NOT sent (the correct
behaviour).

Expected result after this: `x auth import` reads ~8-12 real x.com
cookies (auth_token, ct0, twid, kdt, att, lang, _twitter_sess,
personalization_id, etc.), the verify call lands with a proper
cookie set, UserByRestId returns 200, and the user sees their handle.

No TLS impersonation needed.

Author: lroolle

api/client.go

@@ -204,30 +204,31 @@ func (c *Client) request(ctx context.Context, method, rawURL string, body io.Rea
 	return nil, lastErr
 }
 
+// applyHeaders builds the request header set that X's GraphQL/REST
+// gateways accept.
+//
+// We deliberately mirror XActions' "tool/SDK" header profile, NOT a
+// modern browser's profile. Real browsers send sec-ch-ua, sec-fetch-*,
+// Origin, Referer, and X validates those against TLS fingerprint and
+// HTTP/2 frame ordering. With Go's stdlib net/http we cannot match
+// Chrome's TLS or H2 layer, so declaring browser-like headers makes
+// X catch the lie and 403 the request. The bare bearer+cookies+csrf
+// path that XActions and twikit use treats us as a tool, accepts the
+// non-browser TLS fingerprint, and works.
+//
+// If a future commit wires utls + bogdanfinn/tls-client to fully
+// impersonate Chrome, we can switch to the browser header profile
+// then. Until then: keep this minimal.
 func (c *Client) applyHeaders(req *http.Request, opts requestOpts) {
 	bearer := c.endpoints.Bearer
 	req.Header.Set("Authorization", "Bearer "+bearer)
 	req.Header.Set("User-Agent", c.userAgent)
 	req.Header.Set("Accept", "*/*")
 	req.Header.Set("Accept-Language", "en-US,en;q=0.9")
+	req.Header.Set("Content-Type", "application/json")
 	req.Header.Set("x-twitter-active-user", "yes")
 	req.Header.Set("x-twitter-client-language", "en")
 
-	// Origin + Referer are required for X's same-origin CSRF check.
-	// Without them the gateway treats the call as cross-site and 403s
-	// authenticated reads. Real browsers add these automatically; Go's
-	// net/http does not, so we set them ourselves.
-	req.Header.Set("Origin", "https://x.com")
-	req.Header.Set("Referer", "https://x.com/")
-
-	// Client-hint headers matched to the UA. Pinned, not rotated per-request.
-	req.Header.Set("sec-ch-ua", `"Not_A Brand";v="8", "Chromium";v="120", "Google Chrome";v="120"`)
-	req.Header.Set("sec-ch-ua-mobile", "?0")
-	req.Header.Set("sec-ch-ua-platform", `"macOS"`)
-	req.Header.Set("sec-fetch-dest", "empty")
-	req.Header.Set("sec-fetch-mode", "cors")
-	req.Header.Set("sec-fetch-site", "same-origin")
-
 	if opts.authenticated {
 		c.sessionMu.RLock()
 		cookies := c.session.Cookies
@@ -241,10 +242,6 @@ func (c *Client) applyHeaders(req *http.Request, opts requestOpts) {
 		c.sessionMu.RUnlock()
 	}
 
-	if req.Body != nil && req.Header.Get("Content-Type") == "" {
-		req.Header.Set("Content-Type", "application/json")
-	}
-
 	for k, v := range opts.extraHeaders {
 		req.Header.Set(k, v)
 	}

api/client_test.go

@@ -55,11 +55,18 @@ func TestApplyHeadersUnauthenticated(t *testing.T) {
 	if got := captured.Get("User-Agent"); !strings.Contains(got, "Chrome") {
 		t.Errorf("User-Agent = %q", got)
 	}
-	if got := captured.Get("sec-ch-ua"); got == "" {
-		t.Errorf("missing sec-ch-ua client hint")
+	if got := captured.Get("Content-Type"); got != "application/json" {
+		t.Errorf("Content-Type = %q (XActions sends application/json on every request)", got)
 	}
-	if got := captured.Get("sec-fetch-dest"); got != "empty" {
-		t.Errorf("sec-fetch-dest = %q", got)
+	if got := captured.Get("x-twitter-active-user"); got != "yes" {
+		t.Errorf("x-twitter-active-user = %q", got)
+	}
+	// We DELIBERATELY do NOT send browser-fingerprint headers — see the
+	// rationale comment on applyHeaders.
+	for _, name := range []string{"sec-ch-ua", "sec-fetch-dest", "sec-fetch-mode", "sec-fetch-site", "Origin", "Referer"} {
+		if got := captured.Get(name); got != "" {
+			t.Errorf("%s should not be sent (browser-fingerprint header), got %q", name, got)
+		}
 	}
 	if got := captured.Get("x-csrf-token"); got != "" {
 		t.Errorf("unauthenticated request should not carry x-csrf-token, got %q", got)

internal/browsercookies/browsercookies.go

@@ -96,10 +96,23 @@ func Load(ctx context.Context, browser, profile, domain string) (*Result, error)
 	var order []storeKey
 	stores := map[storeKey]*bucket{}
 
-	for c, err := range kooky.TraverseCookies(ctx, kooky.Valid, kooky.DomainHasSuffix(domain)) {
+	// NB: kooky.DomainHasSuffix does a literal string suffix match
+	// against the cookie's Domain attribute. That's dangerously loose —
+	// "yandex.com" literally ends in the string "x.com", so passing
+	// DomainHasSuffix("x.com") to kooky pulls in every cookie from
+	// yandex.com, unix.com, pix.com, nhx.com, and anything else that
+	// happens to end in those three characters.
+	//
+	// We use kooky.Valid (drop expired cookies) and do the registrable-
+	// domain check ourselves in isDomainMatch. No more yandex cookies
+	// leaking into the x.com request.
+	for c, err := range kooky.TraverseCookies(ctx, kooky.Valid) {
 		if err != nil || c == nil || c.Browser == nil {
 			continue
 		}
+		if !isDomainMatch(domain, c.Cookie.Domain) {
+			continue
+		}
 		actualBrowser := c.Browser.Browser()
 		actualProfile := c.Browser.Profile()
 		actualPath := c.Browser.FilePath()
@@ -162,6 +175,10 @@ func Load(ctx context.Context, browser, profile, domain string) (*Result, error)
 // List enumerates every cookie store that has at least one cookie for
 // the given domain. Used by `x auth browsers` to show the user which
 // (browser, profile) pairs are available before they pin one.
+//
+// Uses the same strict isDomainMatch check as Load so yandex.com,
+// unix.com, pix.com, etc. don't show up as false-positive "x.com
+// sessions".
 func List(ctx context.Context, domain string) ([]Match, error) {
 	if domain == "" {
 		return nil, errors.New("browsercookies: domain required")
@@ -171,10 +188,13 @@ func List(ctx context.Context, domain string) ([]Match, error) {
 	}
 	seen := map[key]int{}
 	var order []key
-	for c, err := range kooky.TraverseCookies(ctx, kooky.Valid, kooky.DomainHasSuffix(domain)) {
+	for c, err := range kooky.TraverseCookies(ctx, kooky.Valid) {
 		if err != nil || c == nil || c.Browser == nil {
 			continue
 		}
+		if !isDomainMatch(domain, c.Cookie.Domain) {
+			continue
+		}
 		k := key{
 			browser: c.Browser.Browser(),
 			profile: c.Browser.Profile(),
@@ -197,6 +217,34 @@ func List(ctx context.Context, domain string) ([]Match, error) {
 	return out, nil
 }
 
+// isDomainMatch returns true when `cookieDomain` belongs to `want` as a
+// registrable-domain match. Crucially, it is NOT a string suffix match:
+//
+//	isDomainMatch("x.com", "x.com")          → true
+//	isDomainMatch("x.com", ".x.com")         → true
+//	isDomainMatch("x.com", "api.x.com")      → true
+//	isDomainMatch("x.com", ".help.x.com")    → true
+//
+//	isDomainMatch("x.com", "yandex.com")     → false  ← the bug fix
+//	isDomainMatch("x.com", ".yandex.com")    → false
+//	isDomainMatch("x.com", "unix.com")       → false
+//	isDomainMatch("x.com", "pix.com")        → false
+//
+// Without this check, kooky.DomainHasSuffix("x.com") matches every
+// cookie whose domain literally ends in the three characters "x.com"
+// (yande-x.com, uni-x.com, pi-x.com, ADGRX.com, etc.), which is every
+// tracker / ad network / third-party site the user has ever visited.
+// Those get stuffed into the Cookie: header for the real x.com request
+// and X's gateway 403s the resulting jumble.
+func isDomainMatch(want, cookieDomain string) bool {
+	if cookieDomain == "" || want == "" {
+		return false
+	}
+	d := strings.ToLower(strings.TrimPrefix(cookieDomain, "."))
+	w := strings.ToLower(want)
+	return d == w || strings.HasSuffix(d, "."+w)
+}
+
 // profileMatches returns true when `want` (the user-supplied --profile
 // substring) matches either the human profile name from kooky (e.g.
 // "Tammie", "Default", "Work") OR a path component of the cookie file

internal/browsercookies/browsercookies_test.go

@@ -84,6 +84,44 @@ func TestListEmptyDomain(t *testing.T) {
 	}
 }
 
+func TestIsDomainMatch(t *testing.T) {
+	cases := []struct {
+		want, cookie string
+		expect       bool
+	}{
+		// Exact and leading-dot match
+		{"x.com", "x.com", true},
+		{"x.com", ".x.com", true},
+		// Subdomains
+		{"x.com", "api.x.com", true},
+		{"x.com", ".api.x.com", true},
+		{"x.com", "help.x.com", true},
+		// Case insensitivity
+		{"x.com", "X.COM", true},
+		{"x.com", ".X.COM", true},
+		// The bug: yandex.com ends in the literal string "x.com" but is
+		// NOT a subdomain of x.com. MUST NOT match.
+		{"x.com", "yandex.com", false},
+		{"x.com", ".yandex.com", false},
+		{"x.com", "unix.com", false},
+		{"x.com", "pix.com", false},
+		{"x.com", "foo.unix.com", false},
+		// Totally unrelated
+		{"x.com", "twitter.com", false},
+		{"x.com", "google.com", false},
+		// Empty inputs
+		{"x.com", "", false},
+		{"", "x.com", false},
+		{"", "", false},
+	}
+	for _, tc := range cases {
+		if got := isDomainMatch(tc.want, tc.cookie); got != tc.expect {
+			t.Errorf("isDomainMatch(%q, %q) = %v, want %v",
+				tc.want, tc.cookie, got, tc.expect)
+		}
+	}
+}
+
 func TestProfileMatches(t *testing.T) {
 	cases := []struct {
 		want   string