emersion
Authentication fails on onion API
To authenticate with the onion site, I took the most meticulous steps as follows:
- obtain user agent string by visiting https://www.whatismybrowser.com/detect/what-is-my-user-agent/ in the same GUI browser that will be used for login.
- edit
protonmail.goline 122 to reflect the user agent from the previous step. - recompile (
GO111MODULE=on go build ./cmd/hydroxide) - login to PM’s onion site¹ using the same GUI browser used in step 1.
- obtain the session cookie within the protonmail tab (f12→network→«click any object arbitrarily in the left frame»→right frame: “Cookies”→Session-Id)
Two different syntaxes were attempted.
Torsocks approach:
$ torsocks hydroxide -api-endpoint "$onion_url"/api auth "$UID" "$sessionID"
result:
«timestamp» Post "https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/api/auth/info": dial tcp 127.42.42.0:443: connect: connection refused
Proxy variable approach:
$ HTTPS_PROXY='socks5://127.0.0.1:9050' hydroxide -api-endpoint "$onion_url"/api auth "$UID" "$sessionID"
result:
«timestamp» invalid character '<' looking for beginning of value
version: latest clone as of today.
Did I overlook anything to more closely mirror a non-hydroxide session? User agent and cookie is all I know to account for.
Footnotes:
onion_url=https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion
If I simply browse to this URL in a GUI browser, I get a 404:
https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/api
So that URL is suspect. Consequently I also tried removing the trailing “/api” but that made no difference.
(edit) I am told that the standard non-forked version of hydroxide does not support a session ID argument. OTOH, it still makes no difference if the session ID is removed in the cases tested; same behavior.
You have to use https://mail.protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/api since the clearnet API URL is mail.proton.me/api.
