From 708a45ba16ad55de7ec89d600536f17d4af6eb9a Mon Sep 17 00:00:00 2001 From: Xu Liang Date: Sat, 9 May 2026 17:46:37 +0800 Subject: [PATCH] fix(desktop): skip obfuscation for electron main to preserve page.evaluate Playwright serializes page.evaluate callbacks via Function.prototype.toString and runs them in the target page context. Obfuscating the main bundle injected string-array helper references that the browser page could not resolve, surfacing as `ReferenceError: wO is not defined` for bilibili and dongchedi publishes. Mirrors the existing Vite `minify: false` guard for main/preload. Co-Authored-By: Claude Opus 4.7 (1M context) --- apps/desktop-client/scripts/obfuscate.cjs | 12 ++++++------ findings.md | 6 ++++++ progress.md | 12 ++++++++++++ 3 files changed, 24 insertions(+), 6 deletions(-) diff --git a/apps/desktop-client/scripts/obfuscate.cjs b/apps/desktop-client/scripts/obfuscate.cjs index a948aea..7e37460 100644 --- a/apps/desktop-client/scripts/obfuscate.cjs +++ b/apps/desktop-client/scripts/obfuscate.cjs @@ -42,12 +42,12 @@ const baseOptions = { } const targets = [ - { - label: 'main', - dir: path.join(outDir, 'main'), - match: (name) => name.endsWith('.cjs'), - options: { ...baseOptions, target: 'node' }, - }, + // Keep the Electron main process unobfuscated. It owns the Playwright + // adapters, and Playwright serializes `page.evaluate` callbacks with + // Function.prototype.toString(). Obfuscator string-array helpers live in the + // main bundle, not in the target web page, so packaged media publishers such + // as bilibili and dongchedi can fail with "ReferenceError: is not + // defined" inside the browser context. { label: 'renderer', dir: path.join(outDir, 'renderer', 'assets'), diff --git a/findings.md b/findings.md index 2d19429..e66e3ae 100644 --- a/findings.md +++ b/findings.md @@ -286,3 +286,9 @@ - Migration `20260506120000_scope_platform_accounts_to_desktop_client` replaces the active platform-account uniqueness index with `(workspace_id, client_id, platform_id, platform_uid)`. - Desktop client IDs are still stable hardware-derived UUIDs, but the seed intentionally includes tenant/workspace/user scope so two users on the same physical computer do not share one client record/token. - Device fingerprinting now prefers OS-level machine IDs and uses a filtered MAC-address fingerprint only when OS machine IDs are unavailable; raw hardware identifiers are hashed locally and are not sent to the server. + +## Desktop Publisher Playwright Packaging - 2026-05-09 +- Bilibili and dongchedi publish failures with `page.evaluate: ReferenceError: wO is not defined` are caused by the packaged `build:obf` path, not by the target sites themselves. +- The Electron main bundle owns Playwright adapters. Playwright serializes `page.evaluate` callbacks with `Function.prototype.toString()` and runs them in the target web page. When `javascript-obfuscator` rewrites main-process evaluate callbacks, string-array helper identifiers remain in the function body but are not defined in the browser page context. +- `electron.vite.config.ts` already disables Vite minification for main for the same reason; the remaining failure path was `scripts/obfuscate.cjs` obfuscating `out/main/*.cjs` after build. +- Fix: keep the main process bundle unobfuscated and only obfuscate renderer assets. `pnpm --filter @geo/desktop-client build:obf` now rebuilds main cleanly and obfuscates renderer only. diff --git a/progress.md b/progress.md index cac5838..c7181e1 100644 --- a/progress.md +++ b/progress.md @@ -812,5 +812,17 @@ - Started Phase 48/49 for the user's content-management "发文管理" request. - Confirmed desktop-client already has a publish management table with the requested columns/actions, but admin-web needs tenant HTTP APIs because Electron IPC is unavailable in the browser. + +## 2026-05-09T17:40:00+08:00 - Desktop publisher page.evaluate packaging fix + +- Investigated `page.evaluate: ReferenceError: wO is not defined` reported for desktop-client Bilibili publishing and then confirmed dongchedi has the same risk pattern. +- Root cause: packaged desktop builds run `build:obf`; `scripts/obfuscate.cjs` obfuscated `out/main/*.cjs`, and Playwright `page.evaluate` callbacks then carried obfuscator helper names into the browser page context where those helpers do not exist. +- Updated `apps/desktop-client/scripts/obfuscate.cjs` so the Electron main bundle is left unobfuscated and only renderer assets are obfuscated. This aligns the post-build obfuscation step with the existing Vite main-process `minify: false` guard. +- Verification passed: + - `pnpm --filter @geo/desktop-client typecheck` + - `pnpm --filter @geo/desktop-client build:obf` + - `pnpm --filter @geo/desktop-client exec vitest run src/main/adapters/dongchedi.test.ts` + - `pnpm --filter @geo/desktop-client exec vitest run src/main/adapters/baijiahao.test.ts` + - Searched `apps/desktop-client/out/main/bootstrap.cjs` for `wO`, `_0x...`, `stringArray`, `javascript-obfuscator`, and `['evaluate']`; no obfuscator helper traces were present after `build:obf`. - Scoped implementation to tenant publish task list/retry endpoints plus a new admin-web `/publish-management` page under 内容管理. - Noted existing dirty files in i18n/Knowledge/TemplateWizard/config/swagger/knowledge service and will avoid reverting or overwriting unrelated changes.