From fed86c9e858f55809550ce6c3e421e4c0f4bf5fc Mon Sep 17 00:00:00 2001
From: Connor Johnstone <connor.johnstone@arcfield.com>
Date: Fri, 20 Mar 2026 13:38:49 -0400
Subject: [PATCH] Updated the ytmusic cookies situation

---
 frontend/src/api.rs            |  22 +++
 frontend/src/pages/settings.rs | 218 +++++++++++++++++++--
 frontend/src/types.rs          |  31 +++
 frontend/style.css             |   1 +
 src/cookie_refresh.rs          | 107 +++++++++++
 src/lib.rs                     |   1 +
 src/main.rs                    |   4 +
 src/routes/mod.rs              |   4 +-
 src/routes/ytauth.rs           | 341 +++++++++++++++++++++++++++++++++
 src/state.rs                   |   8 +-
 10 files changed, 722 insertions(+), 15 deletions(-)
 create mode 100644 src/cookie_refresh.rs
 create mode 100644 src/routes/ytauth.rs

diff --git a/frontend/src/api.rs b/frontend/src/api.rs
index fcc92e0..7f49d76 100644
--- a/frontend/src/api.rs
+++ b/frontend/src/api.rs
@@ -242,3 +242,25 @@ pub async fn save_config(config: &AppConfig) -> Result<AppConfig, ApiError> {
     }
     resp.json().await.map_err(|e| ApiError(e.to_string()))
 }
+
+// --- YouTube Auth ---
+
+pub async fn get_ytauth_status() -> Result<YtAuthStatus, ApiError> {
+    get_json(&format!("{BASE}/ytauth/status")).await
+}
+
+pub async fn ytauth_login_start() -> Result<serde_json::Value, ApiError> {
+    post_empty(&format!("{BASE}/ytauth/login-start")).await
+}
+
+pub async fn ytauth_login_stop() -> Result<serde_json::Value, ApiError> {
+    post_empty(&format!("{BASE}/ytauth/login-stop")).await
+}
+
+pub async fn ytauth_refresh() -> Result<serde_json::Value, ApiError> {
+    post_empty(&format!("{BASE}/ytauth/refresh")).await
+}
+
+pub async fn ytauth_clear_cookies() -> Result<(), ApiError> {
+    delete(&format!("{BASE}/ytauth/cookies")).await
+}
diff --git a/frontend/src/pages/settings.rs b/frontend/src/pages/settings.rs
index 57834d9..2fd4714 100644
--- a/frontend/src/pages/settings.rs
+++ b/frontend/src/pages/settings.rs
@@ -3,17 +3,20 @@ use web_sys::HtmlSelectElement;
 use yew::prelude::*;
 
 use crate::api;
-use crate::types::AppConfig;
+use crate::types::{AppConfig, YtAuthStatus};
 
 #[function_component(SettingsPage)]
 pub fn settings_page() -> Html {
     let config = use_state(|| None::<AppConfig>);
     let error = use_state(|| None::<String>);
     let message = use_state(|| None::<String>);
+    let ytauth = use_state(|| None::<YtAuthStatus>);
+    let ytauth_loading = use_state(|| false);
 
     {
         let config = config.clone();
         let error = error.clone();
+        let ytauth = ytauth.clone();
         use_effect_with((), move |_| {
             wasm_bindgen_futures::spawn_local(async move {
                 match api::get_config().await {
@@ -21,6 +24,11 @@ pub fn settings_page() -> Html {
                     Err(e) => error.set(Some(e.0)),
                 }
             });
+            wasm_bindgen_futures::spawn_local(async move {
+                if let Ok(status) = api::get_ytauth_status().await {
+                    ytauth.set(Some(status));
+                }
+            });
         });
     }
 
@@ -68,6 +76,195 @@ pub fn settings_page() -> Html {
         return html! { <p class="loading">{ "Loading configuration..." }</p> };
     };
 
+    // Build YouTube auth card HTML outside the main html! macro
+    let ytauth_html = {
+        let ytauth = ytauth.clone();
+        let ytauth_loading = ytauth_loading.clone();
+        let message = message.clone();
+        let error = error.clone();
+        if let Some(ref status) = *ytauth {
+            if status.login_session_active {
+                let vnc_url = status.vnc_url.clone().unwrap_or_default();
+                let on_done = {
+                    let ytauth = ytauth.clone();
+                    let ytauth_loading = ytauth_loading.clone();
+                    let message = message.clone();
+                    let error = error.clone();
+                    Callback::from(move |_: MouseEvent| {
+                        let ytauth = ytauth.clone();
+                        let ytauth_loading = ytauth_loading.clone();
+                        let message = message.clone();
+                        let error = error.clone();
+                        ytauth_loading.set(true);
+                        wasm_bindgen_futures::spawn_local(async move {
+                            match api::ytauth_login_stop().await {
+                                Ok(_) => {
+                                    message.set(Some("YouTube login complete! Cookies exported.".into()));
+                                    if let Ok(s) = api::get_ytauth_status().await {
+                                        ytauth.set(Some(s));
+                                    }
+                                }
+                                Err(e) => error.set(Some(e.0)),
+                            }
+                            ytauth_loading.set(false);
+                        });
+                    })
+                };
+                html! {
+                    <>
+                        <p class="text-sm">{ "Log into YouTube in the browser below, then click Done." }</p>
+                        if !vnc_url.is_empty() {
+                            <p class="text-sm"><a href={vnc_url.clone()} target="_blank">{ "Open login window" }</a></p>
+                            <iframe src={vnc_url} style="width:100%;height:500px;border:1px solid var(--border);border-radius:var(--radius);margin:0.5rem 0;" />
+                        }
+                        <button class="btn btn-primary" onclick={on_done} disabled={*ytauth_loading}>
+                            { if *ytauth_loading { "Finishing..." } else { "Done \u{2014} I've logged in" } }
+                        </button>
+                    </>
+                }
+            } else if status.authenticated {
+                let age_text = status.cookie_age_hours
+                    .map(|h| format!("cookies {h:.0}h old"))
+                    .unwrap_or_else(|| "authenticated".into());
+                let on_refresh = {
+                    let ytauth = ytauth.clone();
+                    let ytauth_loading = ytauth_loading.clone();
+                    let message = message.clone();
+                    let error = error.clone();
+                    Callback::from(move |_: MouseEvent| {
+                        let ytauth = ytauth.clone();
+                        let ytauth_loading = ytauth_loading.clone();
+                        let message = message.clone();
+                        let error = error.clone();
+                        ytauth_loading.set(true);
+                        wasm_bindgen_futures::spawn_local(async move {
+                            match api::ytauth_refresh().await {
+                                Ok(_) => {
+                                    message.set(Some("Cookies refreshed".into()));
+                                    if let Ok(s) = api::get_ytauth_status().await {
+                                        ytauth.set(Some(s));
+                                    }
+                                }
+                                Err(e) => error.set(Some(e.0)),
+                            }
+                            ytauth_loading.set(false);
+                        });
+                    })
+                };
+                let on_clear = {
+                    let ytauth = ytauth.clone();
+                    let message = message.clone();
+                    let error = error.clone();
+                    Callback::from(move |_: MouseEvent| {
+                        let ytauth = ytauth.clone();
+                        let message = message.clone();
+                        let error = error.clone();
+                        wasm_bindgen_futures::spawn_local(async move {
+                            match api::ytauth_clear_cookies().await {
+                                Ok(_) => {
+                                    message.set(Some("YouTube auth cleared".into()));
+                                    if let Ok(s) = api::get_ytauth_status().await {
+                                        ytauth.set(Some(s));
+                                    }
+                                }
+                                Err(e) => error.set(Some(e.0)),
+                            }
+                        });
+                    })
+                };
+                html! {
+                    <>
+                        <p>
+                            <span class="badge badge-success">{ "Authenticated" }</span>
+                            <span class="text-muted text-sm" style="margin-left: 0.5rem;">{ age_text }</span>
+                        </p>
+                        if status.refresh_enabled {
+                            <p class="text-sm text-muted">{ "Auto-refresh is enabled" }</p>
+                        }
+                        <div style="display:flex;gap:0.5rem;margin-top:0.5rem;">
+                            <button class="btn btn-sm btn-secondary" onclick={on_refresh} disabled={*ytauth_loading}>
+                                { if *ytauth_loading { "Refreshing..." } else { "Refresh Now" } }
+                            </button>
+                            <button class="btn btn-sm btn-danger" onclick={on_clear}>
+                                { "Clear Authentication" }
+                            </button>
+                        </div>
+                    </>
+                }
+            } else {
+                let on_start = {
+                    let ytauth = ytauth.clone();
+                    let ytauth_loading = ytauth_loading.clone();
+                    let error = error.clone();
+                    Callback::from(move |_: MouseEvent| {
+                        let ytauth = ytauth.clone();
+                        let ytauth_loading = ytauth_loading.clone();
+                        let error = error.clone();
+                        ytauth_loading.set(true);
+                        wasm_bindgen_futures::spawn_local(async move {
+                            match api::ytauth_login_start().await {
+                                Ok(_) => {
+                                    if let Ok(s) = api::get_ytauth_status().await {
+                                        ytauth.set(Some(s));
+                                    }
+                                }
+                                Err(e) => error.set(Some(e.0)),
+                            }
+                            ytauth_loading.set(false);
+                        });
+                    })
+                };
+                html! {
+                    <>
+                        <p class="text-muted text-sm">
+                            { "Authenticate with YouTube for higher download rate limits (~2000/hr vs ~300/hr) and access to age-restricted content. " }
+                            { "This launches a browser where you log into your Google account." }
+                        </p>
+                        <div class="card" style="border-color: var(--warning); background: rgba(234, 179, 8, 0.08); margin: 0.75rem 0;">
+                            <p class="text-sm" style="margin:0;">
+                                <strong style="color: var(--warning);">{ "Warning: " }</strong>
+                                { "YouTube may permanently suspend accounts that are used with third-party download tools. " }
+                                <strong>{ "Use a throwaway Google account" }</strong>
+                                { " \u{2014} do not log in with your primary account." }
+                            </p>
+                        </div>
+                        <button class="btn btn-primary" onclick={on_start} disabled={*ytauth_loading}>
+                            { if *ytauth_loading { "Starting..." } else { "Authenticate YouTube" } }
+                        </button>
+                    </>
+                }
+            }
+        } else {
+            html! { <p class="text-muted text-sm">{ "Loading..." }</p> }
+        }
+    };
+
+    let ytdlp_version_html = if let Some(ref status) = *ytauth {
+        let version = status.ytdlp_version.clone().unwrap_or_else(|| "not found".into());
+        if status.ytdlp_update_available {
+            let latest = status.ytdlp_latest.clone().unwrap_or_default();
+            html! {
+                <div class="card" style="border-color: var(--warning); background: rgba(234, 179, 8, 0.08); margin: 0 0 0.75rem 0; padding: 0.5rem 0.75rem;">
+                    <p class="text-sm" style="margin:0;">
+                        <strong style="color: var(--warning);">{ "yt-dlp update available: " }</strong>
+                        { format!("{version} \u{2192} {latest}") }
+                        <span class="text-muted">{ " \u{2014} run " }</span>
+                        <code>{ "pip install -U yt-dlp" }</code>
+                    </p>
+                </div>
+            }
+        } else {
+            html! {
+                <p class="text-muted text-sm" style="margin: 0 0 0.75rem 0;">
+                    { format!("yt-dlp {version}") }
+                    <span style="color: var(--success); margin-left: 0.3rem;">{ "\u{2713} up to date" }</span>
+                </p>
+            }
+        }
+    } else {
+        html! {}
+    };
+
     html! {
         <div>
             <div class="page-header">
@@ -211,18 +408,6 @@ pub fn settings_page() -> Html {
                             })}
                         </select>
                     </div>
-                    <div class="form-group">
-                        <label>{ "Cookies Path (optional)" }</label>
-                        <input type="text" value={c.download.cookies_path.clone().unwrap_or_default()}
-                            placeholder="~/.config/shanty/cookies.txt"
-                            oninput={let config = config.clone(); Callback::from(move |e: InputEvent| {
-                                let input: HtmlInputElement = e.target_unchecked_into();
-                                let mut cfg = (*config).clone().unwrap();
-                                let v = input.value();
-                                cfg.download.cookies_path = if v.is_empty() { None } else { Some(v) };
-                                config.set(Some(cfg));
-                            })} />
-                    </div>
                     <div class="form-group">
                         <label>{ "Rate Limit (requests/hour, guest)" }</label>
                         <input type="number" value={c.download.rate_limit.to_string()}
@@ -249,6 +434,13 @@ pub fn settings_page() -> Html {
                     </div>
                 </div>
 
+                // YouTube Authentication
+                <div class="card">
+                    <h3>{ "YouTube Authentication" }</h3>
+                    { ytdlp_version_html }
+                    { ytauth_html }
+                </div>
+
                 // Indexing
                 <div class="card">
                     <h3>{ "Indexing" }</h3>
diff --git a/frontend/src/types.rs b/frontend/src/types.rs
index 581cd69..fa9866e 100644
--- a/frontend/src/types.rs
+++ b/frontend/src/types.rs
@@ -160,6 +160,24 @@ pub struct TrackResult {
     pub score: u8,
 }
 
+// --- YouTube Auth ---
+
+#[derive(Debug, Clone, PartialEq, Deserialize)]
+pub struct YtAuthStatus {
+    pub authenticated: bool,
+    pub cookie_age_hours: Option<f64>,
+    pub cookie_count: Option<i64>,
+    pub refresh_enabled: bool,
+    pub login_session_active: bool,
+    pub vnc_url: Option<String>,
+    #[serde(default)]
+    pub ytdlp_version: Option<String>,
+    #[serde(default)]
+    pub ytdlp_latest: Option<String>,
+    #[serde(default)]
+    pub ytdlp_update_available: bool,
+}
+
 // --- Downloads ---
 
 #[derive(Debug, Clone, PartialEq, Deserialize)]
@@ -303,6 +321,19 @@ pub struct DownloadConfigFe {
     pub rate_limit: u32,
     #[serde(default)]
     pub rate_limit_auth: u32,
+    #[serde(default)]
+    pub cookie_refresh_enabled: bool,
+    #[serde(default = "default_cookie_refresh_hours")]
+    pub cookie_refresh_hours: u32,
+    #[serde(default = "default_vnc_port")]
+    pub vnc_port: u16,
+}
+
+fn default_cookie_refresh_hours() -> u32 {
+    6
+}
+fn default_vnc_port() -> u16 {
+    6080
 }
 
 #[derive(Debug, Clone, PartialEq, Serialize, Deserialize, Default)]
diff --git a/frontend/style.css b/frontend/style.css
index dca5c18..5d42b8e 100644
--- a/frontend/style.css
+++ b/frontend/style.css
@@ -237,6 +237,7 @@ input:focus, select:focus { outline: none; border-color: var(--accent); }
 .badge-pending { background: var(--text-muted); color: white; }
 .badge-failed { background: var(--danger); color: white; }
 .badge-completed { background: var(--success); color: white; }
+.badge-success { background: var(--success); color: white; }
 
 /* Task table fixed column widths */
 table.tasks-table { table-layout: fixed; }
diff --git a/src/cookie_refresh.rs b/src/cookie_refresh.rs
new file mode 100644
index 0000000..9e33987
--- /dev/null
+++ b/src/cookie_refresh.rs
@@ -0,0 +1,107 @@
+//! Background task that periodically refreshes YouTube cookies via headless Firefox.
+
+use std::path::{Path, PathBuf};
+use std::process::Stdio;
+use std::sync::Arc;
+use std::time::Duration;
+
+use tokio::process::Command;
+use tokio::sync::RwLock;
+
+use crate::config::AppConfig;
+
+/// Spawn the cookie refresh background loop.
+///
+/// This task runs forever, sleeping for `cookie_refresh_hours` between refreshes.
+/// It reads the current config on each iteration so changes take effect without restart.
+pub fn spawn(config: Arc<RwLock<AppConfig>>) {
+    tokio::spawn(async move {
+        loop {
+            let (enabled, hours) = {
+                let cfg = config.read().await;
+                (
+                    cfg.download.cookie_refresh_enabled,
+                    cfg.download.cookie_refresh_hours.max(1),
+                )
+            };
+
+            // Sleep for the configured interval
+            tokio::time::sleep(Duration::from_secs(u64::from(hours) * 3600)).await;
+
+            if !enabled {
+                continue;
+            }
+
+            let profile_dir = shanty_config::data_dir().join("firefox-profile");
+            let cookies_path = shanty_config::data_dir().join("cookies.txt");
+
+            if !profile_dir.exists() {
+                tracing::warn!(
+                    "cookie refresh skipped: no Firefox profile at {}",
+                    profile_dir.display()
+                );
+                continue;
+            }
+
+            tracing::info!("starting cookie refresh");
+
+            match run_refresh(&profile_dir, &cookies_path).await {
+                Ok(msg) => tracing::info!("cookie refresh complete: {msg}"),
+                Err(e) => tracing::error!("cookie refresh failed: {e}"),
+            }
+        }
+    });
+}
+
+async fn run_refresh(profile_dir: &Path, cookies_path: &Path) -> Result<String, String> {
+    let script = find_script()?;
+
+    let output = Command::new("python3")
+        .arg(&script)
+        .args([
+            "refresh",
+            &profile_dir.to_string_lossy(),
+            &cookies_path.to_string_lossy(),
+        ])
+        .stdout(Stdio::piped())
+        .stderr(Stdio::piped())
+        .output()
+        .await
+        .map_err(|e| format!("failed to run cookie_manager.py: {e}"))?;
+
+    if !output.status.success() {
+        let stderr = String::from_utf8_lossy(&output.stderr);
+        return Err(format!("cookie_manager.py failed: {stderr}"));
+    }
+
+    let stdout = String::from_utf8_lossy(&output.stdout).to_string();
+
+    // Check for error in JSON response
+    if let Ok(v) = serde_json::from_str::<serde_json::Value>(&stdout)
+        && v.get("status").and_then(|s| s.as_str()) == Some("error")
+    {
+        let err = v.get("error").and_then(|e| e.as_str()).unwrap_or("unknown");
+        return Err(err.to_string());
+    }
+
+    Ok(stdout)
+}
+
+fn find_script() -> Result<PathBuf, String> {
+    let candidates = [
+        std::env::current_exe()
+            .ok()
+            .and_then(|p| p.parent().map(|d| d.join("cookie_manager.py"))),
+        Some(PathBuf::from("/usr/share/shanty/cookie_manager.py")),
+        Some(PathBuf::from("/usr/local/share/shanty/cookie_manager.py")),
+        Some(PathBuf::from("shanty-dl/scripts/cookie_manager.py")),
+    ];
+
+    for candidate in candidates.into_iter().flatten() {
+        if candidate.exists() {
+            return Ok(candidate);
+        }
+    }
+
+    Err("cookie_manager.py not found".into())
+}
diff --git a/src/lib.rs b/src/lib.rs
index bc7037c..58f9295 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,6 +6,7 @@
 
 pub mod auth;
 pub mod config;
+pub mod cookie_refresh;
 pub mod error;
 pub mod routes;
 pub mod state;
diff --git a/src/main.rs b/src/main.rs
index 5866a8e..561a140 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -67,8 +67,12 @@ async fn main() -> anyhow::Result<()> {
         config: std::sync::Arc::new(tokio::sync::RwLock::new(config)),
         config_path,
         tasks: TaskManager::new(),
+        firefox_login: tokio::sync::Mutex::new(None),
     });
 
+    // Start background cookie refresh task
+    shanty_web::cookie_refresh::spawn(state.config.clone());
+
     // Resolve static files directory relative to the binary location
     let static_dir = std::env::current_exe()
         .ok()
diff --git a/src/routes/mod.rs b/src/routes/mod.rs
index 79600cf..f8f473c 100644
--- a/src/routes/mod.rs
+++ b/src/routes/mod.rs
@@ -6,6 +6,7 @@ pub mod lyrics;
 pub mod search;
 pub mod system;
 pub mod tracks;
+pub mod ytauth;
 
 use actix_web::web;
 
@@ -19,6 +20,7 @@ pub fn configure(cfg: &mut web::ServiceConfig) {
             .configure(search::configure)
             .configure(downloads::configure)
             .configure(lyrics::configure)
-            .configure(system::configure),
+            .configure(system::configure)
+            .configure(ytauth::configure),
     );
 }
diff --git a/src/routes/ytauth.rs b/src/routes/ytauth.rs
new file mode 100644
index 0000000..c776adf
--- /dev/null
+++ b/src/routes/ytauth.rs
@@ -0,0 +1,341 @@
+use std::path::PathBuf;
+use std::process::Stdio;
+
+use actix_session::Session;
+use actix_web::{HttpResponse, web};
+use serde::Serialize;
+use tokio::process::Command;
+
+use crate::auth;
+use crate::error::ApiError;
+use crate::state::{AppState, FirefoxLoginSession};
+
+pub fn configure(cfg: &mut web::ServiceConfig) {
+    cfg.service(
+        web::scope("/ytauth")
+            .route("/status", web::get().to(status))
+            .route("/login-start", web::post().to(login_start))
+            .route("/login-stop", web::post().to(login_stop))
+            .route("/refresh", web::post().to(refresh))
+            .route("/cookies", web::delete().to(clear_cookies)),
+    );
+}
+
+#[derive(Serialize)]
+struct AuthStatus {
+    authenticated: bool,
+    cookie_age_hours: Option<f64>,
+    cookie_count: Option<i64>,
+    refresh_enabled: bool,
+    login_session_active: bool,
+    vnc_url: Option<String>,
+    ytdlp_version: Option<String>,
+    ytdlp_latest: Option<String>,
+    ytdlp_update_available: bool,
+}
+
+/// GET /api/ytauth/status — check YouTube auth state.
+async fn status(state: web::Data<AppState>, session: Session) -> Result<HttpResponse, ApiError> {
+    auth::require_auth(&session)?;
+
+    let config = state.config.read().await;
+    let profile_dir = shanty_config::data_dir().join("firefox-profile");
+
+    // Check login session
+    let login = state.firefox_login.lock().await;
+    let login_active = login.is_some();
+    let vnc_url = login.as_ref().map(|s| s.vnc_url.clone());
+    drop(login);
+
+    // Run status check via Python script
+    let (authenticated, cookie_age, cookie_count) =
+        if let Ok(result) = run_cookie_manager(&["status", &profile_dir.to_string_lossy()]).await {
+            if let Ok(v) = serde_json::from_str::<serde_json::Value>(&result) {
+                (
+                    v.get("authenticated")
+                        .and_then(|v| v.as_bool())
+                        .unwrap_or(false),
+                    v.get("cookie_age_hours").and_then(|v| v.as_f64()),
+                    v.get("cookie_count").and_then(|v| v.as_i64()),
+                )
+            } else {
+                (false, None, None)
+            }
+        } else {
+            (false, None, None)
+        };
+
+    // Check yt-dlp version (local + latest from PyPI)
+    let (ytdlp_version, ytdlp_latest, ytdlp_update_available) = check_ytdlp_version().await;
+
+    Ok(HttpResponse::Ok().json(AuthStatus {
+        authenticated,
+        cookie_age_hours: cookie_age,
+        cookie_count,
+        refresh_enabled: config.download.cookie_refresh_enabled,
+        login_session_active: login_active,
+        vnc_url,
+        ytdlp_version,
+        ytdlp_latest,
+        ytdlp_update_available,
+    }))
+}
+
+/// POST /api/ytauth/login-start — launch Firefox + noVNC for interactive login.
+async fn login_start(
+    state: web::Data<AppState>,
+    session: Session,
+) -> Result<HttpResponse, ApiError> {
+    auth::require_admin(&session)?;
+
+    let mut login = state.firefox_login.lock().await;
+    if login.is_some() {
+        return Err(ApiError::BadRequest("login session already active".into()));
+    }
+
+    let config = state.config.read().await;
+    let profile_dir = shanty_config::data_dir().join("firefox-profile");
+    let vnc_port = config.download.vnc_port;
+    drop(config);
+
+    let result = run_cookie_manager(&[
+        "login-start",
+        &profile_dir.to_string_lossy(),
+        &vnc_port.to_string(),
+    ])
+    .await
+    .map_err(|e| ApiError::Internal(format!("failed to start login: {e}")))?;
+
+    let v: serde_json::Value = serde_json::from_str(&result)
+        .map_err(|e| ApiError::Internal(format!("bad response from cookie_manager: {e}")))?;
+
+    if v.get("status").and_then(|s| s.as_str()) == Some("error") {
+        let err = v
+            .get("error")
+            .and_then(|e| e.as_str())
+            .unwrap_or("unknown error");
+        return Err(ApiError::Internal(format!("login start failed: {err}")));
+    }
+
+    let vnc_url = v
+        .get("vnc_url")
+        .and_then(|u| u.as_str())
+        .unwrap_or("")
+        .to_string();
+
+    *login = Some(FirefoxLoginSession {
+        vnc_url: vnc_url.clone(),
+    });
+
+    Ok(HttpResponse::Ok().json(serde_json::json!({
+        "status": "running",
+        "vnc_url": vnc_url,
+    })))
+}
+
+/// POST /api/ytauth/login-stop — stop Firefox, export cookies, enable refresh.
+async fn login_stop(
+    state: web::Data<AppState>,
+    session: Session,
+) -> Result<HttpResponse, ApiError> {
+    auth::require_admin(&session)?;
+
+    let mut login = state.firefox_login.lock().await;
+    if login.is_none() {
+        return Err(ApiError::BadRequest("no active login session".into()));
+    }
+
+    let profile_dir = shanty_config::data_dir().join("firefox-profile");
+    let cookies_path = shanty_config::data_dir().join("cookies.txt");
+
+    let result = run_cookie_manager(&[
+        "login-stop",
+        "--profile-dir",
+        &profile_dir.to_string_lossy(),
+        "--cookies-output",
+        &cookies_path.to_string_lossy(),
+    ])
+    .await
+    .map_err(|e| ApiError::Internal(format!("failed to stop login: {e}")))?;
+
+    *login = None;
+
+    let v: serde_json::Value = serde_json::from_str(&result).unwrap_or_default();
+
+    // Update config to use the cookies and enable refresh
+    let mut config = state.config.write().await;
+    config.download.cookies_path = Some(cookies_path.clone());
+    config.download.cookie_refresh_enabled = true;
+    config
+        .save(state.config_path.as_deref())
+        .map_err(ApiError::Internal)?;
+
+    Ok(HttpResponse::Ok().json(serde_json::json!({
+        "status": "stopped",
+        "cookies_exported": v.get("cookies_count").is_some(),
+        "cookies_path": cookies_path.to_string_lossy(),
+    })))
+}
+
+/// POST /api/ytauth/refresh — trigger immediate headless cookie refresh.
+async fn refresh(state: web::Data<AppState>, session: Session) -> Result<HttpResponse, ApiError> {
+    auth::require_admin(&session)?;
+
+    let profile_dir = shanty_config::data_dir().join("firefox-profile");
+    let cookies_path = shanty_config::data_dir().join("cookies.txt");
+
+    if !profile_dir.exists() {
+        return Err(ApiError::BadRequest(
+            "no Firefox profile found — log in first".into(),
+        ));
+    }
+
+    let result = run_cookie_manager(&[
+        "refresh",
+        &profile_dir.to_string_lossy(),
+        &cookies_path.to_string_lossy(),
+    ])
+    .await
+    .map_err(|e| ApiError::Internal(format!("refresh failed: {e}")))?;
+
+    let v: serde_json::Value = serde_json::from_str(&result).unwrap_or_default();
+
+    if v.get("status").and_then(|s| s.as_str()) == Some("error") {
+        let err = v.get("error").and_then(|e| e.as_str()).unwrap_or("unknown");
+        return Err(ApiError::Internal(format!("refresh failed: {err}")));
+    }
+
+    // Ensure config points to cookies
+    let mut config = state.config.write().await;
+    if config.download.cookies_path.is_none() {
+        config.download.cookies_path = Some(cookies_path);
+        config
+            .save(state.config_path.as_deref())
+            .map_err(ApiError::Internal)?;
+    }
+
+    Ok(HttpResponse::Ok().json(v))
+}
+
+/// DELETE /api/ytauth/cookies — clear cookies and Firefox profile.
+async fn clear_cookies(
+    state: web::Data<AppState>,
+    session: Session,
+) -> Result<HttpResponse, ApiError> {
+    auth::require_admin(&session)?;
+
+    let profile_dir = shanty_config::data_dir().join("firefox-profile");
+    let cookies_path = shanty_config::data_dir().join("cookies.txt");
+
+    // Remove cookies file
+    if cookies_path.exists() {
+        std::fs::remove_file(&cookies_path).ok();
+    }
+
+    // Remove Firefox profile
+    if profile_dir.exists() {
+        std::fs::remove_dir_all(&profile_dir).ok();
+    }
+
+    // Update config
+    let mut config = state.config.write().await;
+    config.download.cookies_path = None;
+    config.download.cookie_refresh_enabled = false;
+    config
+        .save(state.config_path.as_deref())
+        .map_err(ApiError::Internal)?;
+
+    Ok(HttpResponse::Ok().json(serde_json::json!({"status": "cleared"})))
+}
+
+// --- Helper ---
+
+/// Find the cookie_manager.py script (same search logic as ytmusic_search.py).
+fn find_cookie_manager_script() -> Result<PathBuf, ApiError> {
+    let candidates = [
+        // Next to the binary
+        std::env::current_exe()
+            .ok()
+            .and_then(|p| p.parent().map(|d| d.join("cookie_manager.py"))),
+        // Standard install locations
+        Some(PathBuf::from("/usr/share/shanty/cookie_manager.py")),
+        Some(PathBuf::from("/usr/local/share/shanty/cookie_manager.py")),
+        // Development: crate root
+        Some(PathBuf::from("shanty-dl/scripts/cookie_manager.py")),
+    ];
+
+    for candidate in candidates.into_iter().flatten() {
+        if candidate.exists() {
+            return Ok(candidate);
+        }
+    }
+
+    Err(ApiError::Internal("cookie_manager.py not found".into()))
+}
+
+/// Run cookie_manager.py with the given arguments and return stdout.
+async fn run_cookie_manager(args: &[&str]) -> Result<String, String> {
+    let script = find_cookie_manager_script().map_err(|e| e.to_string())?;
+
+    let output = Command::new("python3")
+        .arg(&script)
+        .args(args)
+        .stdout(Stdio::piped())
+        .stderr(Stdio::piped())
+        .output()
+        .await
+        .map_err(|e| format!("failed to run cookie_manager.py: {e}"))?;
+
+    if !output.status.success() {
+        let stderr = String::from_utf8_lossy(&output.stderr);
+        return Err(format!("cookie_manager.py failed: {stderr}"));
+    }
+
+    Ok(String::from_utf8_lossy(&output.stdout).to_string())
+}
+
+/// Check installed yt-dlp version and compare to latest on PyPI.
+async fn check_ytdlp_version() -> (Option<String>, Option<String>, bool) {
+    // Get installed version
+    let installed = Command::new("yt-dlp")
+        .arg("--version")
+        .stdout(Stdio::piped())
+        .stderr(Stdio::null())
+        .output()
+        .await
+        .ok()
+        .map(|o| String::from_utf8_lossy(&o.stdout).trim().to_string());
+
+    // Get latest version from PyPI
+    let latest = async {
+        let client = reqwest::Client::builder()
+            .timeout(std::time::Duration::from_secs(5))
+            .build()
+            .ok()?;
+        let resp: serde_json::Value = client
+            .get("https://pypi.org/pypi/yt-dlp/json")
+            .send()
+            .await
+            .ok()?
+            .json()
+            .await
+            .ok()?;
+        resp.get("info")?.get("version")?.as_str().map(String::from)
+    }
+    .await;
+
+    // Normalize version strings for comparison: "2026.03.17" and "2026.3.17" should match.
+    let normalize = |v: &str| -> String {
+        v.split('.')
+            .map(|part| part.trim_start_matches('0'))
+            .map(|p| if p.is_empty() { "0" } else { p })
+            .collect::<Vec<_>>()
+            .join(".")
+    };
+    let update_available = match (&installed, &latest) {
+        (Some(i), Some(l)) => normalize(i) != normalize(l),
+        _ => false,
+    };
+
+    (installed, latest, update_available)
+}
diff --git a/src/state.rs b/src/state.rs
index 8c47cd6..600eb08 100644
--- a/src/state.rs
+++ b/src/state.rs
@@ -1,5 +1,5 @@
 use std::sync::Arc;
-use tokio::sync::RwLock;
+use tokio::sync::{Mutex, RwLock};
 
 use shanty_db::Database;
 use shanty_search::MusicBrainzSearch;
@@ -8,6 +8,11 @@ use shanty_tag::MusicBrainzClient;
 use crate::config::AppConfig;
 use crate::tasks::TaskManager;
 
+/// Tracks an active Firefox login session for YouTube auth.
+pub struct FirefoxLoginSession {
+    pub vnc_url: String,
+}
+
 pub struct AppState {
     pub db: Database,
     pub mb_client: MusicBrainzClient,
@@ -15,4 +20,5 @@ pub struct AppState {
     pub config: Arc<RwLock<AppConfig>>,
     pub config_path: Option<String>,
     pub tasks: TaskManager,
+    pub firefox_login: Mutex<Option<FirefoxLoginSession>>,
 }