🐛 BUG: `wrangler login` behind a VPN
Which Cloudflare product(s) does this pertain to?
Wrangler core
What version(s) of the tool(s) are you using?
3.3.0 [wrangler]
What version of Node are you using?
20.4.0
What operating system are you using?
Mac
Describe the Bug
$ wrangler login
⛅️ wrangler 3.3.0
------------------
Attempting to login via OAuth...
Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth.....
-> Browser opens, I press Allow
-> Browser redirects to localhost:8976/... but shows "Unable to connect"
There's an exception in the terminal:
/Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:30633
throw a;
^
SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
at JSON.parse (<anonymous>)
at parseJSONFromBytes (/Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:6565:19)
at successSteps (/Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:6536:27)
at /Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:5099:83
at node:internal/process/task_queues:140:7
at AsyncResource.runInAsyncScope (node:async_hooks:206:9)
at AsyncResource.runMicrotask (node:internal/process/task_queues:137:8)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
Node.js v20.4.0
Turns out this is caused by certain network conditions such as using a VPN that seemingly triggers a bot verification, that's not accounted for in the wrangler login flow.
Inspecting the response that's being parsed shows an HTML page titled "Just a moment..." with some JavaScript presumably for verifying the user. Seems like this contains sensitive info, hence I'm not sharing it here.
Disabling the VPN fixes the issue.
Additional notes
Sounds like others have run into this issue recently based on a Discord conversation: https://discord.com/channels/595317990191398933/799437470004412476/1133135405928173638
Please provide a link to a minimal reproduction
No response
Please provide any relevant error logs
No response
For some additional context, it seems it's the POST https://dash.cloudflare.com/oauth2/token call that 403s due to BM. Disabling BM on this endpoint would probably be a good idea if it's going to be used by wrangler.
I've been experiencing this issue while using a self-hosted Outline VPN instance on DigitalOcean. Temporarily switching to an instance on Oracle Cloud allowed me to authorize Wrangler.
Hey, still no updates? The issue seems to persist.
Encountered issue with vpn wireguard on digitalocean.
same here
same issue. more context:
- vpn wireguard on hetzner
- node is running in WSL
Same issue with wireguard vpn on hetzner. Any solutions for this?
Same issue here but not using any VPN. No change in my system. It just stopped working and I get that error at the login redirection step:
/home/user/.nvm/versions/node/v20.11.1/lib/node_modules/wrangler/wrangler-dist/cli.js:29747
throw a;
^
SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
I have the same error as @sosioo. I have no VPN or any proxy in use.
Same as @sosioo. It worked fine 2 weeks ago.
Same issue here.
OS: Windows 11 23H2
wrangler: 3.61.0
node: v22.2.0
C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\[email protected]_@[email protected]\node_modules\wrangler\wrangler-dist\cli.js:29747
throw a;
^
SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
at JSON.parse (<anonymous>)
at parseJSONFromBytes (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\[email protected]_@[email protected]\node_modules\wrangler\wrangler-dist\cli.js:5287:19)
at successSteps (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\[email protected]_@[email protected]\node_modules\wrangler\wrangler-dist\cli.js:5258:27)
at fullyReadBody (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\[email protected]_@[email protected]\node_modules\wrangler\wrangler-dist\cli.js:3755:9)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async specConsumeBody (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\[email protected]_@[email protected]\node_modules\wrangler\wrangler-dist\cli.js:5267:7)
at async exchangeAuthCodeForAccessToken (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\[email protected]_@[email protected]\node_modules\wrangler\wrangler-dist\cli.js:154542:31)
at async Server.<anonymous> (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\[email protected]_@[email protected]\node_modules\wrangler\wrangler-dist\cli.js:154703:30)
Node.js v22.2.0
ELIFECYCLE Command failed with exit code 7.
Please can you all try using wrangler@beta since this contains additional logging.
We believe that the cause is a bot-challenge on one of the REST API endpoints that our login flow uses.
✘ [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response.
✘ [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done.
/foo/node_modules/wrangler/wrangler-dist/cli.js:29747
throw a;
^
Error: Invalid JSON in response: status: 403 Forbidden
at getJSONFromResponse (/foo/node_modules/wrangler/wrangler-dist/cli.js:155262:11)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async exchangeAuthCodeForAccessToken (/foo/node_modules/wrangler/wrangler-dist/cli.js:154894:31)
at async Server.<anonymous> (/foo/node_modules/wrangler/wrangler-dist/cli.js:155055:30) {
[cause]: SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
at JSON.parse (<anonymous>)
at getJSONFromResponse (/foo/node_modules/wrangler/wrangler-dist/cli.js:155249:17)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async exchangeAuthCodeForAccessToken (/foo/node_modules/wrangler/wrangler-dist/cli.js:154894:31)
at async Server.<anonymous> (/foo/node_modules/wrangler/wrangler-dist/cli.js:155055:30)
}
The result of utf8DecodeBytes(bytes) in parseJSONFromBytes when using wrangler@latest
Can confirm, hit the same error as @weizhenye
It's the same error, but I don't have a VPN.
I got the same issue multiple times a day, no VPNs, but still the same issue.
SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
at JSON.parse (<anonymous>)
at parseJSONFromBytes (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:5287:19)
at successSteps (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:5258:27)
at fullyReadBody (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:3755:9)
at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
at async specConsumeBody (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:5267:7)
at async exchangeAuthCodeForAccessToken (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:154542:31)
at async Server.<anonymous> (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:154703:30)
Node.js v20.13.1
And it's also sad to find that the wrangler login with auth token won't work anymore, each time I need to log in and do a deployment. So annoying.
We are currently working on an internal fix to resolve this. Sorry for the problems with logging in.
We've released a fix for this—please let us know if you're still running into issues!
@penalosa It's working now without any issues, many thanks! Tested it a few times on my machine.
Thank you @penalosa
Confirmed, it is now working well with 3.63.0
I am still experiencing the issue when running wrangler behind the VPN:
wrangler 3.64.0
vpn - self-hosted on Hetzner
the console log:
✘ [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response.
✘ [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done.
yo it's still broken in 3.65.1
really appreciate the effort but I still cannot use wrangler when behind a proxy
X [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response.
X [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done.
what do I do with it now?
also, why the heck is there even a captcha on that endpoint? is it one of those great engineering practices where you put it everywhere just in case that's not even reachable?
I have exactly the same issue running a vpn (wireguard) on a hetzner server. Issue is not resolved in the latest version.
If anyone is still running into this, could you try the prerelease from #6315?
npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/10046908126/npm-package-wrangler-6315 login
That should print out some more debugging information which we can use to diagnose this further.
A workaround here is using CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN, as documented here: https://developers.cloudflare.com/workers/wrangler/ci-cd/#1-authentication
Interesting how apparently it is fixed by explicitly using an API token but doesn't work with wrangler's own auth flow. Maybe the problem is not in wrangler itself but in the API endpoint? You guys have too many captchas over there, especially for endpoints that aren't even accessible for a random bot from the outside. I mean, before redirecting there a user is literally taken to a page and only after interacting with the page a token is generated. I don't know, makes no sense to me.
@maddsua - indeed you are mostly correct.
The problem you are seeing is that occasionally the API endpoint that Wrangler uses to do the OAuth flow hits our bot challenge. The normal endpoints that Wrangler uses to do its day to day work are different and very rarely (if ever) hit bot challenges.
The work we have done recently (3 weeks ago) was to give the OAuth endpoint an exception from bot-challenge so it should not be triggering.
But there may still be some cases where the request is still deemed to be a potential bot (e.g. a shared VPN IP address, for example) and that is probably what you are seeing here. If there are many bots using the VPN service you are also using then it is likely that it will trigger a bot challenge.
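The failure discussed in this thread (the OAuth token exchange receiving an HTML interstitial where JSON was expected) can be handled by classifying the response before parsing it. The following is an added example, not part of the original thread and not wrangler's own code; the function names and the sample response are hypothetical and constructed, and the JSON shapes assume a standard RFC 6749 token endpoint.

```javascript
// Added example. Function names and sample data are hypothetical and
// constructed here; this is not wrangler's implementation.

/** Classify a token-endpoint reply without handing HTML to JSON.parse. */
function classifyTokenResponse(status, contentType, bodyText) {
  const mediaType = (contentType || "").split(";")[0].trim().toLowerCase();
  const looksHtml =
    mediaType === "text/html" || /^\s*<(?:!doctype|html)\b/i.test(bodyText);
  if (looksHtml) {
    // Keep only the page title: the thread notes the body may hold sensitive data.
    const match = /<title>([^<]{0,120})<\/title>/i.exec(bodyText);
    return {
      kind: "html_instead_of_json",
      status,
      title: match ? match[1].trim() : null,
      likelyBotChallenge: status === 403, // 403 is the status reported in this thread
    };
  }
  let json;
  try {
    json = JSON.parse(bodyText);
  } catch {
    return { kind: "invalid_json", status };
  }
  // RFC 6749 shapes: {"error": ...} on failure, {"access_token": ...} on success.
  if (json && typeof json.error === "string") {
    return { kind: "oauth_error", status, error: json.error };
  }
  if (status >= 200 && status < 300 && json && typeof json.access_token === "string") {
    return { kind: "ok", status, token: json };
  }
  return { kind: "unexpected_json", status };
}

/** Read a fetch()-style response; the cf-ray header gives support an ID to look up. */
async function readTokenResponse(response) {
  const result = classifyTokenResponse(
    response.status,
    response.headers.get("content-type"),
    await response.text()
  );
  return { ...result, rayId: response.headers.get("cf-ray") || null };
}

// Constructed sample: a 403 whose body is an interstitial page, as in the report.
const SAMPLE_CHALLENGE = {
  status: 403,
  headers: new Map([["content-type", "text/html; charset=UTF-8"], ["cf-ray", "0000000000000000-XXX"]]),
  text: async () => "<!DOCTYPE html><html><head><title>Just a moment...</title></head></html>",
};
```

Only the status, page title and Ray ID leave the helper, so the interstitial body never has to be written to a log or pasted into a bug report.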
I use a private vpn on a tiny helmet vm that does not have any other functionality except serving as a vpn server for my iPhone and windows pc…
On Tue, 23 Jul 2024 at 16:45, Pete Bacon Darwin @.***> wrote:
@maddsua https://github.com/maddsua - indeed you are mostly correct.
The problem you are seeing is that occasionally the API endpoint that Wrangler uses to do the OAuth flow hits our bot challenge. The normal endpoints that Wrangler uses to do its day to day work are different and very rarely (if ever) hit bot challenges.
The work we have done recently (3 weeks ago) was to give the OAuth endpoint an exception from bot-challenge so it should not be triggering.
But there may still be some cases where the request is still deemed to be a potential bot (e.g. a shared VPN IP address, for example) and that is probably what you are seeing here. If there are many bots using the VPN service you are also using then it likely that it will trigger a bot challenge.