CAPTCHA breaks login workflow

Open cookiengineer opened this issue 3 years ago • 29 comments

When using hydroxide auth <username>, it will lead to a captcha being displayed on the website; which seems to break the login/auth mechanism:

2022/11/04 08:45:47 request failed: POST https://mail.proton.me/api/auth: [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
2022/11/04 08:45:47 [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse

Are there any ways to maybe login via Browser and export/reuse the cookies or similar?

cookiengineer avatar Nov 04 '22 07:11 cookiengineer

I'm able to reproduce this behavior regardless of if I'm using Tor, a normal proxy, or a VPN. Would being able to use cookies from a browser be related to #218?

hiddeninthesand avatar Nov 05 '22 17:11 hiddeninthesand

Yes, indeed a cookie jar implementation would help to allow users to temporarily bypass the login procedure within their web browser, and to export the cookie jar file (netscape format?) then.

I've made a Browser Extension that exports the cookie jar, for tools like yt-dlp and other scrapers: https://github.com/cookiengineer/me-want-cookies

cookiengineer avatar Nov 06 '22 20:11 cookiengineer

How does hydroxide currently store cookies? Maybe there's a more manual method to bypass it for the time being?

hiddeninthesand avatar Nov 07 '22 09:11 hiddeninthesand

It does not preserve cookies across requests, and #218 is about fixing that.

emersion avatar Nov 07 '22 10:11 emersion

Is there anything I can do about this? Or can I just never connect a new device? Does that mean if the config for my current devices is lost, I won't be able to log them back in again either?

julianfairfax avatar Nov 25 '22 09:11 julianfairfax

> Does that mean if the config for my current devices is lost, I won't be able to log them back in again either?

Yeah, it probably does. I tried to use hydroxide for the first time, and I can't use it because of this problem.

0x1eef avatar Dec 02 '22 22:12 0x1eef

For anyone else who runs into this, the change in https://github.com/emersion/hydroxide/pull/225 fixed the issue for me.

0x1eef avatar Dec 03 '22 00:12 0x1eef

> For anyone else who runs into this, the change in #225 fixed the issue for me.

Tried the master branch of this repo and the change in #225, neither helped. Unfortunately I don't know Go so I can't help on this one, but I hope someone can fix this soon.

osfanbuff63 avatar Dec 05 '22 19:12 osfanbuff63

I went down this rabbit hole, and if you are really stuck, the official proton-bridge might help. It can be built without the GUI (make build-nogui), but requires at least "pass" to be installed and doesn't build out-of-the-box on *BSD.

I created a FreeBSD port for hydroxide. That's what I am using at the moment: https://github.com/0x1eef/ports/tree/main/freebsd/mail/hydroxide. It pulls in the patch from #225 during build time. I'm not sure why it works for some, and not others. I also don't know Go to help further than that.

0x1eef avatar Dec 05 '22 20:12 0x1eef

The most proper fix would be for hydroxide to seamlessly launch the CAPTCHA puzzle instead of crapping out. From there, everything else is just hacks & workarounds (all of which are less convenient than if hydroxide were to render the puzzle on demand).

That said, I’ve heard rumors that the CAPTCHA is never sent to onion users. If you’re using a Tor exit node to reach the clearnet API, it’s a recipe for CAPTCHA hell. Theoretically, you can reach the onion API by following the steps in bug #239. (Of course the caveat at the moment is that the auth command fails in that scenario).

bruceleerabbit avatar Dec 23 '22 21:12 bruceleerabbit

@0x1eef but how did you launch the official proton-bridge after building?

[user@nuc proton-bridge]$ make build-nogui
#successfully install process
[user@nuc proton-bridge]$ ls
bridge     Changelog.md  CONTRIBUTING.md   dist  extern  go.sum    LICENSE   pkg            README.md      tests    utils
BUILDS.md  cmd           COPYING_NOTES.md  doc   go.mod  internal  Makefile  proton-bridge  release-notes  TODO.md
[user@nuc proton-bridge]$ ./proton-bridge
FATA[Dec 24 10:44:21.808] No executable in launcher directory           error="no executable found" exe_to_launch=bridge-gui launcher_path=/home/user/proton-bridge/proton-bridge launcher_version=3.0.6+git

Staubgeborener avatar Dec 24 '22 09:12 Staubgeborener

@Staubgeborener

Try ./proton-bridge --cli.

I wasn't able to build proton-bridge on (Free|Open)BSD. It is not platform neutral. It expects to be built on either Windows, Linux, or OS X.

0x1eef avatar Dec 24 '22 12:12 0x1eef

I get this from proton-bridge:

Server error: paid subscription plan is required

So no, proton-bridge is not an alternative to hydroxide.

eternal-sorrow avatar Jan 23 '23 22:01 eternal-sorrow

As far as I know a paid subscription is required regardless of whether or not hydroxide is being used.

0x1eef avatar Jan 24 '23 08:01 0x1eef

Hydroxide does not require paid subscription.

eternal-sorrow avatar Jan 24 '23 08:01 eternal-sorrow

That's good, and surprising. I wouldn't have thought Proton would let you generate a bridge password without a paid subscription.

0x1eef avatar Jan 24 '23 08:01 0x1eef

When will this issue be fixed? I really want to get ProtonMail working with Thunderbird.

fromtheeast710 avatar Jan 28 '23 13:01 fromtheeast710

When someone figures out a proper solution.

emersion avatar Jan 28 '23 13:01 emersion

Recently it stopped giving me this message and started working again.

eternal-sorrow avatar Feb 13 '23 07:02 eternal-sorrow

Sadly I still need a captcha

Staubgeborener avatar Feb 13 '23 10:02 Staubgeborener

Try to enable 2FA on your account.

0-x-2-2 avatar May 11 '23 00:05 0-x-2-2

> Try to enable 2FA on your account.

I enabled 2FA, still

[user@host hydroxide]$ ./hydroxide auth [email protected]
Password:
2023/05/11 19:20:13 request failed: POST https://mail.proton.me/api/auth: [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
2023/05/11 19:20:13 [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse

Edit: So this is the final answer for this problem. Adding req.Header.Set("x-pm-appversion", "Other") to protonmail.go (line 123) together with 2FA is fixing this issue.

Staubgeborener avatar May 11 '23 17:05 Staubgeborener

> > Try to enable 2FA on your account.
>
> I enabled 2FA, still
>
> [user@host hydroxide]$ ./hydroxide auth [email protected]
> Password:
> 2023/05/11 19:20:13 request failed: POST https://mail.proton.me/api/auth: [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
> 2023/05/11 19:20:13 [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
>
> Edit: So this is the final answer for this problem. Adding req.Header.Set("x-pm-appversion", "Other") to protonmail.go (line 123) together with 2FA is fixing this issue.

I just tried that combination and it did not skip the Captcha challenge for me.

cwegener avatar Jul 25 '23 05:07 cwegener

> > > Try to enable 2FA on your account.
> >
> > I enabled 2FA, still
> >
> > [user@host hydroxide]$ ./hydroxide auth [email protected]
> > Password:
> > 2023/05/11 19:20:13 request failed: POST https://mail.proton.me/api/auth: [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
> > 2023/05/11 19:20:13 [9001] For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse
> >
> > Edit: So this is the final answer for this problem. Adding req.Header.Set("x-pm-appversion", "Other") to protonmail.go (line 123) together with 2FA is fixing this issue.
>
> I just tried that combination and it did not skip the Captcha challenge for me.

The response to the /api/auth POST is the following message:

{
    "Code": 9001,
    "Details": {
        "Description": "",
        "Direct": 1,
        "HumanVerificationMethods": [
            "captcha"
        ],
        "HumanVerificationToken": "FXO12rGNIDTlbXH2l6l7YYnw",
        "Title": "Human Verification"
    },
    "Error": "For security reasons, please complete CAPTCHA. If you can't pass it, please try updating your app or contact us here: https://proton.me/support/abuse"
}

The response also includes a session cookie.

cwegener avatar Jul 25 '23 05:07 cwegener
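
An added example, not hydroxide's code and not from any commenter: one way a client could recognise the 9001 response posted above and return it as a typed error, so the caller can tell the user to complete verification instead of failing on log text. The type and function names are hypothetical, the field names are the ones in the posted response, and treating the verification token as something to keep out of logs is an assumption.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)
// Error code taken from the log lines quoted in this thread.
const codeHumanVerification = 9001

// apiError mirrors only fields visible in the response posted above.
type apiError struct {
	Code    int
	Error   string
	Details struct {
		HumanVerificationMethods []string
		HumanVerificationToken   string
	}
}

// HumanVerificationError is a hypothetical typed error, not hydroxide's own.
type HumanVerificationError struct {
	Methods []string
	Token   string // kept for the caller, never printed (assumed sensitive)
}
func (e *HumanVerificationError) Error() string {
	return fmt.Sprintf("[%d] human verification required, methods=%v", codeHumanVerification, e.Methods)
}

// classifyAuthError turns a raw /api/auth error body into a typed error.
func classifyAuthError(body []byte) error {
	var ae apiError
	if err := json.Unmarshal(body, &ae); err != nil {
		return fmt.Errorf("malformed API error body: %w", err)
	}
	if ae.Code != codeHumanVerification {
		return fmt.Errorf("[%d] %s", ae.Code, ae.Error)
	}
	return &HumanVerificationError{ae.Details.HumanVerificationMethods, ae.Details.HumanVerificationToken}
}

func main() {
	// Constructed sample body; the token value is a placeholder.
	body := []byte(`{"Code":9001,"Details":{"HumanVerificationMethods":["captcha"],"HumanVerificationToken":"PLACEHOLDER"},"Error":"complete CAPTCHA"}`)
	var hv *HumanVerificationError
	if err := classifyAuthError(body); errors.As(err, &hv) {
		fmt.Println(err, "- complete it in the official web client, then retry")
	}
}
```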

I am also still having problems with solving the CAPTCHA. Are there any new workarounds? I tried the extra code added to protonmail.go, with no luck, and tried to authenticate with the session ID as mentioned, but it didn't work. If anyone got around it, I kindly ask for help. Thanks.

KricejJanezMartin avatar Aug 17 '23 10:08 KricejJanezMartin

I've had this captcha solver on the side for a while now. If anybody wants to implement this into hydroxide, you're free to do so. Sorry if some imports are missing but the most important parts are there. 100% solve rate so far.

gravilk avatar Nov 05 '23 00:11 gravilk

If we have to solve the CAPTCHA somehow, could we have an interactive way to (temporarily?) pass the authentication? Prompting an image URL and letting the user type the answer is good enough for me, assuming the CAPTCHA only occurs sometimes during logging in, which is interactive anyway. But currently it just fails and gives up with an escape hatch.

oxalica avatar Jan 12 '24 14:01 oxalica

I have a workaround for the CAPTCHA. Maybe someone would feel like giving it a try. https://github.com/emersion/hydroxide/issues/268#issuecomment-1985061273

The workaround I used was to log in to my ProtonMail account from the official domain and complete the displayed CAPTCHA; then I was able to log in with hydroxide again.

altbert avatar Aug 02 '24 15:08 altbert