
Registration fails with: [403] AuthorizationFailedException

Open exquo opened this issue 6 months ago • 3 comments

Trying to register any number:

❯ signal-cli -a +12345678901 register --captcha 'signalcaptcha://signal-hcaptcha.5fad97ac-7d06-4e44-b18a-b950b20148ff.registration.P1_…'

Failed to register: [403] Authorization failed! (AuthorizationFailedException)

The long URL signalcaptcha://… is from https://signalcaptchas.org/registration/generate.html. (Trying a captcha from https://signalcaptchas.org/challenge/generate.html, get Invalid captcha given).

Registering on Android the same number from the same IP succeeds - the verification code gets sent.

Output of the above command in verbose mode (signal-cli -v …):
2025-06-08T10:34:26.117Z [main] DEBUG org.asamk.signal.App - Starting signal-cli 0.13.16
2025-06-08T10:34:27.573Z [main] DEBUG org.asamk.signal.util.IOUtils - XDG_DATA_HOME not set, falling back to home dir
2025-06-08T10:34:28.126Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Starting...
2025-06-08T10:34:28.301Z [main] INFO  com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Added connection org.sqlite.jdbc4.JDBC4Connection@1f2f9244
2025-06-08T10:34:28.303Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Start completed.
2025-06-08T10:34:31.765Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Shutdown initiated...
2025-06-08T10:34:31.770Z [main] INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Shutdown completed.
Failed to register: [403] Authorization failed! (AuthorizationFailedException)
org.whispersystems.signalservice.api.push.exceptions.AuthorizationFailedException: [403] Authorization failed!
    at org.whispersystems.signalservice.api.NetworkResultUtil.toBasicLegacy(NetworkResultUtil.kt:73)
    at org.asamk.signal.manager.util.Utils.handleResponseException(Utils.java:158)
    at org.asamk.signal.manager.util.NumberVerificationUtils.submitCaptcha(NumberVerificationUtils.java:180)
    at org.asamk.signal.manager.util.NumberVerificationUtils.handleVerificationSession(NumberVerificationUtils.java:79)
    at org.asamk.signal.manager.internal.RegistrationManagerImpl.register(RegistrationManagerImpl.java:133)
    at org.asamk.signal.commands.RegisterCommand.register(RegisterCommand.java:80)
    at org.asamk.signal.commands.RegisterCommand.handleCommand(RegisterCommand.java:51)
    at org.asamk.signal.commands.CommandHandler.handleRegistrationCommand(CommandHandler.java:33)
    at org.asamk.signal.App.handleRegistrationCommand(App.java:268)
    at org.asamk.signal.App.handleCommand(App.java:177)
    at org.asamk.signal.App.init(App.java:147)
    at org.asamk.signal.Main.main(Main.java:56)

This is with the latest version of signal-cli (0.13.16), but the results are the same with the previous version.

Is there a way to troubleshoot this further?

exquo avatar Jun 08 '25 12:06 exquo

The same error has been reported here: https://github.com/AsamK/signal-cli/issues/1491#issuecomment-2826211554

Signal-Android by default doesn't use the captcha, but some different google play services based approach. I can only reproduce the 403 error, when using the same captcha code twice. The first time registration works, the second time I get the 403 error. So not sure what's going wrong here. You could try it from another IP address, with another phone number or have a look at the Signal-Server source code to see what could trigger a 403 response. 😅

AsamK avatar Jun 08 '25 14:06 AsamK

Looking at the Signal-Server source, the relevant code appears to be in VerificationController.java, particularly the /session/{sessionId} API endpoint, which has among its responses:

@ApiResponse(responseCode = "403", description = "The information provided was not accepted (e.g push challenge or captcha verification failed)")

It also invokes checkVerificationAttempt() from spam/RegistrationFraudChecker.java, which can throw a ForbiddenException (that I believe results in the same 403 response code). This makes it uncertain whether AuthorizationFailed happens due to an incorrect submitted captcha code, or to a suspected spam / abuse blocking. I think the abuse blocking mechanism of signal-server is not open-sourced, so we don't know for sure which factors influence it.

Other Signal-Server files that might be relevant here: controllers/RegistrationController.java; auth/PhoneVerificationTokenManager.java.

I have experimented with registering various phone numbers from different IPs, but so far have not discerned a clear pattern. The same number can give AuthFailed, succeed an hour later, and then give AuthFailed an hour later again (holding constant everything else, like the IP address). Numbers that one would expect to be "effectively the same", like +xxxxxxxxx01, +xxxxxxxxx02, …, succeed for some of them and fail for others (again, with other "parameters" held constant).

Some other factors that don't appear to make a difference:

  • Landline vs mobile numbers (for countries that have this distinction)
  • Whether a phone number matches the country of the IP address
  • Using a different browser to solve the captcha (on an off-chance its user-agent gets embedded in the captcha code)

Some numbers (or even the whole country codes) do appear likelier to succeed than others, though.

> I can only reproduce the 403 error, when using the same captcha code twice. The first time registration works, the second time I get the 403 error.

Maybe by the second attempt the original registration session had been closed (expired, or registered successfully)? By then the captcha would expire also, and would be rejected with 403 as any other "wrong" captcha. In my experiments, if the verification code gets sent successfully, then running register shortly after on the same number works with any* captcha, or even with no captcha at all. *As long as the captcha string still conforms to the pattern signalcaptcha://signal-hcaptcha.5fad97ac-7d06-4e44-b18a-b950b20148ff.registration.WHATEVER_HERE; and the second attempt is made after some time (~15 seconds ?), to avoid being rate-limited.

> Signal-Android by default doesn't use the captcha, but some different google play services based approach.

There is a "push challenge" in VerificationController referenced above; looks like it can be used instead of, or together with a captcha. FWIW I've used an Android phone with no Google services installed, so the captcha must have been the only verification method available.

To sum up: so far, it's not yet clear under what circumstances register returns Authorization Failed, and how to resolve it.

exquo avatar Jun 11 '25 12:06 exquo
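
As an added example (not part of the thread and not signal-cli code): a small parser for the `signal-cli -v` output quoted in the first post. It pulls out the HTTP status and the first signal-cli frame that is not response-handling plumbing, that is, the registration step that received the 403. The `PLUMBING` set and the hint text are assumptions drawn from the stack trace and from the reading of Signal-Server given in the comment above.

```python
import re

# Excerpt of the verbose output quoted in the issue, trimmed to the lines the parser needs.
SAMPLE = """\
2025-06-08T10:34:26.117Z [main] DEBUG org.asamk.signal.App - Starting signal-cli 0.13.16
Failed to register: [403] Authorization failed! (AuthorizationFailedException)
org.whispersystems.signalservice.api.push.exceptions.AuthorizationFailedException: [403] Authorization failed!
    at org.whispersystems.signalservice.api.NetworkResultUtil.toBasicLegacy(NetworkResultUtil.kt:73)
    at org.asamk.signal.manager.util.Utils.handleResponseException(Utils.java:158)
    at org.asamk.signal.manager.util.NumberVerificationUtils.submitCaptcha(NumberVerificationUtils.java:180)
    at org.asamk.signal.manager.util.NumberVerificationUtils.handleVerificationSession(NumberVerificationUtils.java:79)
"""

VERSION_RE = re.compile(r"Starting signal-cli (\S+)")
FAIL_RE = re.compile(r"^Failed to register: \[(\d{3})\] .*\((\w+)\)[ \t]*$", re.M)
FRAME_RE = re.compile(r"^[ \t]+at ([\w.$]+)\.(\w+)\(([\w.]+):(\d+)\)[ \t]*$", re.M)

# Assumption: these frames only turn an HTTP response into an exception,
# so they say nothing about which registration step failed.
PLUMBING = {"toBasicLegacy", "handleResponseException"}

# Assumption: hint wording follows the thread's reading of VerificationController.
HINTS = {
    ("submitCaptcha", 403): "captcha rejected or fraud check refused; "
                            "both map to 403, so the client cannot tell which",
}

def triage(log):
    """Return status, exception, signal-cli version and failing step, or None."""
    fail = FAIL_RE.search(log)
    if fail is None:
        return None
    status, exception = int(fail.group(1)), fail.group(2)
    version = VERSION_RE.search(log)
    stage = None
    for cls, method, _source, line in FRAME_RE.findall(log):
        # First frame inside signal-cli itself that is not exception plumbing.
        if cls.startswith("org.asamk.") and method not in PLUMBING:
            stage = (method, int(line))
            break
    return {
        "version": version.group(1) if version else None,
        "status": status,
        "exception": exception,
        "stage": stage,
        "hint": HINTS.get((stage[0], status)) if stage else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```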

> Some other factors that don't appear to make a difference:
>
>   • Using a different browser to solve the captcha (on an off-chance its user-agent gets embedded in the captcha code)

Responding to say that this is not correct: I managed to solve my problem by using an antidetect browser (in my case GoLogin) in order to solve the captcha. I had constant fails with different phone numbers, but then switched to GoLogin, and did the flow in the following way:

  1. Clear cookies on the captcha page (if any)
  2. Solve captcha
  3. Use the register command on a phone number for the first time with captcha already supplied
  4. If it returns "Invalid captcha", refresh and try again until it works

I was able to register 4 different accounts in a row, all on the same (VPN) IP address. Previously I was using Ungoogled Chromium, which I encountered issues with, and constantly do :P

rococofinish121-ops avatar Oct 07 '25 17:10 rococofinish121-ops