From bb6c80aa8118a2aea1057b9e41bad26e62e4f577 Mon Sep 17 00:00:00 2001
From: zxcv1234 <12967848+dzsxf5312@user.noreply.gitee.com>
Date: Sun, 12 Apr 2026 11:37:02 +0800
Subject: [PATCH] fix(oauth): require step9 submit for local cpa and stop step8
 debugger cleanly

---
 README.md                    |  1 +
 background.js                | 15 ++++++++++++++-
 tests/step9-cpa-mode.test.js |  2 +-
 3 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index b3c01da9..42f3e259 100644
--- a/README.md
+++ b/README.md
@@ -304,6 +304,7 @@ Step 3 使用的注册邮箱。
 
 - 自动填写 localhost 回调地址
 - 自动点击“提交回调 URL”
+- 即使 CPA 面板本身部署在 `localhost` / `127.0.0.1`，也不会跳过这一步
 - 必须等到 CPA 面板出现精确的 `认证成功！` 状态徽标后，才判定成功
 - 成功后会自动关闭匹配 `http://localhost:1455/auth` 这一类前缀的 localhost 残留页面
 
diff --git a/background.js b/background.js
index 012d897e..7c9426b2 100644
--- a/background.js
+++ b/background.js
@@ -249,7 +249,10 @@ function isLocalCpaUrl(rawUrl) {
 }
 
 function shouldBypassStep9ForLocalCpa(state) {
-  return Boolean(state?.localhostUrl) && isLocalCpaUrl(state?.vpsUrl);
+  // 即使 CPA 面板本身部署在 localhost，也必须显式执行步骤 9：
+  // 回填 callback URL、点击提交，并等待面板出现“认证成功！”。
+  // 否则会出现步骤 8 捕获到 localhost 后流程直接结束的问题。
+  return false;
 }
 
 function matchesSourceUrlFamily(source, candidateUrl, referenceUrl) {
@@ -1179,6 +1182,8 @@ async function humanStepDelay(min = HUMAN_STEP_DELAY_MIN, max = HUMAN_STEP_DELAY
 }
 
 async function clickWithDebugger(tabId, rect) {
+  throwIfStopped();
+
   if (!tabId) {
     throw new Error('未找到用于调试点击的认证页面标签页。');
   }
@@ -1197,10 +1202,14 @@ async function clickWithDebugger(tabId, rect) {
   }
 
   try {
+    throwIfStopped();
+
     const x = Math.round(rect.centerX);
     const y = Math.round(rect.centerY);
 
     await chrome.debugger.sendCommand(target, 'Page.bringToFront');
+    throwIfStopped();
+
     await chrome.debugger.sendCommand(target, 'Input.dispatchMouseEvent', {
       type: 'mouseMoved',
       x,
@@ -1209,6 +1218,8 @@ async function clickWithDebugger(tabId, rect) {
       buttons: 0,
       clickCount: 0,
     });
+    throwIfStopped();
+
     await chrome.debugger.sendCommand(target, 'Input.dispatchMouseEvent', {
       type: 'mousePressed',
       x,
@@ -1217,6 +1228,8 @@ async function clickWithDebugger(tabId, rect) {
       buttons: 1,
       clickCount: 1,
     });
+    throwIfStopped();
+
     await chrome.debugger.sendCommand(target, 'Input.dispatchMouseEvent', {
       type: 'mouseReleased',
       x,
diff --git a/tests/step9-cpa-mode.test.js b/tests/step9-cpa-mode.test.js
index 0c2d8e73..e9bc7a58 100644
--- a/tests/step9-cpa-mode.test.js
+++ b/tests/step9-cpa-mode.test.js
@@ -43,7 +43,7 @@ assert.strictEqual(api.isLocalCpaUrl('notaurl'), false, '非法 URL 不应视为
 assert.strictEqual(api.shouldBypassStep9ForLocalCpa({
   vpsUrl: 'http://127.0.0.1:8317/management.html#/oauth',
   localhostUrl: 'http://127.0.0.1:8317/codex/callback?code=abc&state=xyz',
-}), true, '本地 CPA 且已有 callback 时应跳过远程提交流程');
+}), false, '即使 CPA 在本地，也不应跳过步骤 9 的回填提交流程');
 
 assert.strictEqual(api.shouldBypassStep9ForLocalCpa({
   vpsUrl: 'https://example.com/management.html#/oauth',