
reCAPTCHA causing null input error

Open Kyrielight opened this issue 6 years ago • 60 comments

I kept getting the null error when attempting to log into Discord, and a quick debug output shows that login is failing because the reCAPTCHA code section is blank and required (thus returning a 400).

Not exactly sure how this could be bypassed given Discord doesn't like botting into user accounts; I suppose theoretically one could MAC spoof to authenticate beforehand?

Kyrielight avatar Dec 06 '17 11:12 Kyrielight

aw snap, they've added captcha now? do you have debug output for this? (remember to remove any passwords/tokens before posting it) I am not getting these atm, but I guess that's because I connect from an IP that is already known

sm00th avatar Dec 06 '17 11:12 sm00th

Yep! Here's some output:

```
HTTP response headers:
HTTP/1.1 400 BAD REQUEST
Date: Wed, 06 Dec 2017 12:14:20 GMT
Content-Type: application/json
Content-Length: 37
Connection: keep-alive
Set-Cookie: __cfduid=(not sure if this is important so I removed it); expires=Thu, 06-Dec-18 12:14:20 GMT; path=/; domain=.discordapp.com; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
Via: 1.1 google
Alt-Svc: clear
Server: cloudflare-nginx
CF-RAY: 3c8f2a128e8e6c3a-SJC

Finishing HTTP request with status: 400 BAD REQUEST
[04:14:20] <<< ((null)) discord_http_login_cb [400] 37
{"captcha_key": ["captcha-required"]}
```

I also tried logging out of Discord and logging back in on several of my devices; they all required me to do captcha sign-in. I also tried to use my server as a SOCKS5 proxy + Firefox and logged in successfully, but still received the captcha error, so I'm guessing I would have to spoof to appear to be the application itself.

Kyrielight avatar Dec 06 '17 12:12 Kyrielight

So it doesn't work even after a successful login from a browser? I wonder why. I thought mine worked because I already had an auth token, but after resetting it bitlbee-discord managed to get a new one without an issue.

sm00th avatar Dec 06 '17 12:12 sm00th

I'm not quite following you, forgive me; how are you using an auth-token to sign into your account? (I'm just using my email/password since I thought auths are only for bots)

Kyrielight avatar Dec 06 '17 14:12 Kyrielight

Discord requires an auth token for every request bitlbee-discord does, so it actually caches the auth token and uses that till it gets invalidated and only after that it sends the credentials to get a new one. My idea was that discord applies captcha to login page only.

sm00th avatar Dec 06 '17 14:12 sm00th

It could be set on a per-account basis, maybe too many incorrect logins?

Or worse, it could be the testing phase of a wider rollout.

rodneyrod avatar Dec 06 '17 22:12 rodneyrod

Probably should add support for logging in with a token now, it's not hard to get

penny64 avatar Dec 06 '17 23:12 penny64

> Probably should add support for logging in with a token now, it's not hard to get

The option is there, it is just hidden

```
acc off discord
acc discord set token_cache xxxxxxxx
```

sm00th avatar Dec 07 '17 07:12 sm00th

Can confirm directly setting the token allows me to log in from any previously unauthorized device. Thanks a bunch guys!

Kyrielight avatar Dec 07 '17 13:12 Kyrielight

Let's leave it open since we still have to deal with the captcha somehow. Also people would be able to find the workaround here until the issue is really solved.

sm00th avatar Dec 07 '17 13:12 sm00th

How do I get a token?

mjj29 avatar Dec 13 '17 11:12 mjj29

> How do I get a token?

You can log in with your browser with "Web Developer" (in Firefox) / "Developer Tools" (in Chrome) in "network" mode. You should see a POST request to "login" with a response like `{"token": "xxxxxxx"}`

sm00th avatar Dec 13 '17 12:12 sm00th

Chrome's token can also be accessed under Developer Tools --> Application, where under the local storage dropdown, select https://discordapp.com and one of the Key/Value pairs is token/(your token).

Kyrielight avatar Dec 13 '17 12:12 Kyrielight

Neat, apparently FF has something similar: Web Developer -> Storage Inspector -> Local Storage -> http://discordapp.com -> token

This is way easier than monitoring "network", thanks.

sm00th avatar Dec 13 '17 12:12 sm00th

Thanks for the hint - setting token cache works for me too now :)

stevesbrain avatar Jan 09 '18 10:01 stevesbrain

Thanks for keeping this open. Would've never figured out what to do without this issue.

blindndangerous avatar May 03 '18 17:05 blindndangerous

Agree. Super thankful!

PineapplePet avatar May 07 '18 10:05 PineapplePet

there is no token Key in my storage

BlazerHeat avatar Aug 01 '18 08:08 BlazerHeat

you need to login for it to be stored there

sm00th avatar Aug 01 '18 10:08 sm00th

At least on firefox, the token only appears for a few moments until discord loads completely. So I had to ctrl+f5 and copy it really quickly before it disappears.

zertap avatar Aug 15 '18 11:08 zertap

Looks like discord changed this behavior and it would probably be easier to use the method from my earlier comment https://github.com/sm00th/bitlbee-discord/issues/118#issuecomment-351379422

sm00th avatar Aug 15 '18 13:08 sm00th

For other folks looking, if you've got MFA on, it's on the response to the POST to https://discordapp.com/api/v6/auth/mfa/totp (rather than to login) :)

stevesbrain avatar Sep 19 '18 00:09 stevesbrain

What is "MFA on"?

I see in that link a method not allowed error. Not sure what/how to affect that in bitlbee.

I've looked at my qutebrowser (chromium based) local storage with sqlite3 and it shows token as X'......' I wasn't sure whether to include the X'' in the token setting, but neither seems to work anyway.

I'm logged in right now in my browser (after having to do a shedload of captchas, and responding to emails), but bitlbee is failing to login. If it matters, I need to use a proxy to connect out and I've set it in the /etc/bitlbee/ conf file. I don't have any other accounts in bitlbee so I can't tell if it's a proxy issue or not.

How can I debug the connection attempts? All I'm seeing is login error. Failed to get info about self.

slackhead avatar Feb 26 '19 16:02 slackhead

MFA/2FA is multi- or two-step factor authentication; it means each client has to be authorized by other means (usually a one-time password generated by some other device). It's on your account settings page.

I'm not a developer, but if you have to deal with captchas, bitlbee might not be able to make it past them.

Chemrat avatar Feb 26 '19 16:02 Chemrat

Ah right. I didn't set up two-factor because I assumed it might involve giving them my mobile number, and nobody gets that apart from some important sites like my bank.

slackhead avatar Feb 26 '19 17:02 slackhead

Hi @slackhead, please see the "Debugging" section at the bottom of README. This will help you get exact requests and responses bitlbee and discord are exchanging.

sm00th avatar Feb 26 '19 17:02 sm00th

Thanks.

OK. I can see a lot of 400 bad requests. There are no messages about captchas in there at all.

```
About to send HTTP request:
GET /api/gateway HTTP/1.1
Host: https://discordapp.com
User-Agent: Bitlbee-Discord
Content-Type: application/json
authorization: (my token)
```

This is followed by:

```
HTTP/1.1 400 Bad Request
Server: cloudflare
Date: Tue, 26 Feb 2019 17:35:41 GMT
Content-Type: text/html
Content-Length: 171
Connection: close
CF-RAY: -

Finishing HTTP request with status: 400 Bad Request
 <<< ((null)) discord_http_gateway_cb [400] 171
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>cloudflare</center>
</body>
</html>
```

By the way, neither my password nor login name/email are mentioned in the debug output.

slackhead avatar Feb 26 '19 17:02 slackhead

The password/login won't be used when you have the token set. Are you sure you are using the right token? I think all of the chromium-based browsers should have 'developer tools' and should be able to use the method from comment#18

sm00th avatar Feb 26 '19 18:02 sm00th

I didn't open the dev tools yet. I just looked in ~/.local/share/qutebrowser/webengine/Local\ Storage for a discordapp.com file.

I didn't want to get logged out and then spend another 10 minutes clicking fire hydrants and clicking email links :)

I'll have a look now.

slackhead avatar Feb 26 '19 18:02 slackhead

Well, I found that the token was correct, although it shows something completely different in the inspector.

Anyway I changed the host from https://discordapp.com to just discordapp.com and got a little further.

Now I'm getting 200s back, but in weechat it says 'failed to switch to websocket mode'.

slackhead avatar Feb 26 '19 19:02 slackhead
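
Added example, not part of the original thread and not bitlbee-discord code: a small Python helper that masks credentials in a debug log before it is pasted into a public issue, and flags the two 400 causes seen above (a `captcha-required` body, and a `Host` header that carries a full URL instead of `host[:port]`). The sample log, the token and the cookie value are constructed, and the function names are hypothetical.

```python
import json
import re

# Constructed sample modelled on the debug output quoted in this thread;
# the token and cookie values are made up.
SAMPLE = """\
About to send HTTP request:
GET /api/gateway HTTP/1.1
Host: https://discordapp.com
authorization: FAKE.TOKEN.value123

HTTP/1.1 400 BAD REQUEST
Set-Cookie: __cfduid=deadbeef0123; path=/; HttpOnly

{"captcha_key": ["captcha-required"]}
{"token": "FAKE.TOKEN.value123"}
"""

SECRET_HEADER = re.compile(r"^(authorization|cookie):.*$", re.I | re.M)
SET_COOKIE = re.compile(r"^(set-cookie:\s*[^=\s]+=)[^;\r\n]*", re.I | re.M)
JSON_SECRET = re.compile(r'("(?:token|password)"\s*:\s*")[^"]*(")')

def redact(log):
    """Mask credentials so the log can be pasted into a public issue."""
    log = SECRET_HEADER.sub(lambda m: m.group(1) + ": [REDACTED]", log)
    log = SET_COOKIE.sub(r"\1[REDACTED]", log)
    return JSON_SECRET.sub(r"\1[REDACTED]\2", log)

def diagnose(log):
    """Name the cause of each 400 pattern seen in this thread."""
    findings = []
    for host in re.findall(r"^Host:\s*(\S+)", log, re.I | re.M):
        if "://" in host or "/" in host:
            findings.append("Host header is a URL (%s), expected host[:port]" % host)
    for line in log.splitlines():
        if not line.startswith("{"):
            continue
        try:
            body = json.loads(line)
        except ValueError:
            continue
        if isinstance(body, dict) and "captcha-required" in body.get("captcha_key", []):
            findings.append("login rejected with captcha-required")
    return findings

if __name__ == "__main__":
    clean = redact(SAMPLE)
    print(clean)
    print(diagnose(clean))
```

Redaction leaves the `Host` line and the error body intact, so the diagnosis gives the same result on the masked log as on the raw one.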