
403 Failed to refresh auth token: new Cloudflare protections

Open shifoc opened this issue 2 years ago • 93 comments

Hello, I am now getting a 403 Forbidden error

shifoc avatar Dec 11 '22 22:12 shifoc

Me too! I just installed it and it does not work :D

DobroslavR avatar Dec 11 '22 22:12 DobroslavR

After last chatGPT infra update it happens

ovasylenko avatar Dec 11 '22 22:12 ovasylenko

Not to plug my own lib, but the fix can be seen here and ported to this lib as well:

https://github.com/abacaj/unofficial-chatgpt-api/commit/cffcd35662a680fe9d06e280e0caaadedf588170

abacaj avatar Dec 11 '22 22:12 abacaj

It's caused by the addition of cloudflare protection

flolep2607 avatar Dec 11 '22 22:12 flolep2607

Unfortunately cf_clearance, cloudflare's cookie to certify it thinks you're a human (by sometimes showing a captcha), is valid only 30min as far as I know (from the same User-Agent, and the same IP I believe).

PLhery avatar Dec 11 '22 22:12 PLhery

> Unfortunately cf_clearance, cloudflare's cookie to certify it thinks you're a human (by sometimes showing a captcha), is valid only 30min as far as I know (from the same User-Agent, and the same IP I believe).

Interesting, will let you know how long it survives for I have a service running already for 20min~

abacaj avatar Dec 11 '22 22:12 abacaj

I think chatgpt had changed its code! It was normal yesterday, but it was wrong today

onion0835 avatar Dec 11 '22 22:12 onion0835

Access to fetch at 'https://chat.openai.com/api/auth/session' from origin 'http://localhost:3000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled. Does anyone get this issue?

khoatran1602 avatar Dec 11 '22 22:12 khoatran1602

Yes, OpenAI added some additional Cloudflare protections that are preventing access token refresh.

https://user-images.githubusercontent.com/552829/206933023-9be39dae-cfd9-4fb7-aa43-472e445c4a37.mp4

NOTE: this is affecting all ChatGPT API wrappers, including the python ones. I'm actively working on a workaround, so please stay tuned. See also the conversation happening over here https://github.com/rawandahmad698/PyChatGPT/issues/71

@abacaj I don't see that as a solution because those CF tokens are too short-lived to be all that useful.

transitive-bullshit avatar Dec 11 '22 22:12 transitive-bullshit

I've added a note to the top of the readme to reflect the current status. Will be updating this thread w/ progress.

transitive-bullshit avatar Dec 11 '22 22:12 transitive-bullshit

welcome to the bleeding edge. @transitive-bullshit thanks for the update, looking into it as well - let us know if you need help testing or implementing a fix

DexterStorey avatar Dec 11 '22 22:12 DexterStorey

> Yes, OpenAI added some additional Cloudflare protections that are preventing access token refresh.
>
> NOTE: this is affecting all ChatGPT API wrappers, including the python ones. I'm actively working on a workaround, so please stay tuned. See also the conversation happening over here rawandahmad698/PyChatGPT#71
>
> @abacaj I don't see that as a solution because those CF tokens are too short-lived to be all that useful.

Not sure why that was considered spam, was pointing out the cookie was added and it can be worked around if you have the cookie / can refresh it

abacaj avatar Dec 11 '22 22:12 abacaj

@abacaj just DM'ed you on twitter; sorry about that.

transitive-bullshit avatar Dec 11 '22 22:12 transitive-bullshit

> > Unfortunately cf_clearance, cloudflare's cookie to certify it thinks you're a human (by sometimes showing a captcha), is valid only 30min as far as I know (from the same User-Agent, and the same IP I believe).
>
> Interesting, will let you know how long it survives for I have a service running already for 20min~

any update?

lethefrost avatar Dec 11 '22 23:12 lethefrost

For reference, so far the cf cookie is still valid after 1 hour

abacaj avatar Dec 11 '22 23:12 abacaj

Awesome news, so it may be the solution indeed! Keep us informed

(the default is 30min but it can be changed according to CF https://developers.cloudflare.com/fundamentals/security/challenge-passage/#:~:text=By%20default%2C%20the%20cf_clearance%20cookie,between%2015%20and%2045%20minutes )

PLhery avatar Dec 11 '22 23:12 PLhery

https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.1.0 adds support for passing the CF clearanceToken. Hat tip to @abacaj

I'm working on a more automated solution to refresh access tokens and clearance tokens. Stay tuned..

transitive-bullshit avatar Dec 11 '22 23:12 transitive-bullshit

> https://github.com/transitive-bullshit/chatgpt-api/releases/tag/v2.1.0 adds support for passing the CF clearanceToken. Hat tip to @abacaj
>
> I'm working on a more automated solution to refresh access tokens and clearance tokens. Stay tuned..

Come on. We all love you.

yizhangliu avatar Dec 11 '22 23:12 yizhangliu

I'm still getting 403 forbidden errors even with the fix. This may just be because ChatGPT is currently at capacity. If I visit https://chat.openai.com/auth/login I see this message at the top of the page:

We're experiencing exceptionally high demand. Please hang tight as we work on scaling our systems.

and the networks tab shows the session request returned error 403.

alex12058 avatar Dec 11 '22 23:12 alex12058

@alex12058 agreed; I'm seeing the same. Still debugging and not sure whether it's because OpenAI is explicitly tamping down on new sessions to try and curtail usage or whether it's a problem with bot detection.

If anyone finds out more info, feel free to post here as well.

transitive-bullshit avatar Dec 11 '22 23:12 transitive-bullshit

according to this message, there is a _cf_bm cookie that is specifically to prevent bots.

fffiloni avatar Dec 11 '22 23:12 fffiloni

> I'm still getting 403 forbidden errors even with the fix. This may just be because ChatGPT is currently at capacity. If I visit https://chat.openai.com/auth/login I see this message at the top of the page:
>
> We're experiencing exceptionally high demand. Please hang tight as we work on scaling our systems.
>
> and the networks tab shows the session request returned error 403.

I think you need to pass "clearanceToken" to ChatGPTAPI

const api = new ChatGPTAPI({
  sessionToken: "TOKEN",
  clearanceToken: "TOKEN"
})

Ademking avatar Dec 11 '22 23:12 Ademking

@Ademking Thanks. I am passing the clearanceToken to ChatGPTAPI but I am still getting 403 errors.

alex12058 avatar Dec 11 '22 23:12 alex12058

Likely the token is tied to your IP address, still digging

abacaj avatar Dec 12 '22 00:12 abacaj

Tried a workaround by using cloudscraper instead of requests - it wants me to use a captcha service since it's a hcaptcha. If someone has any captcha service account supported by cloudscraper you could try that way.

BooBooKittyFck avatar Dec 12 '22 00:12 BooBooKittyFck

If the token is tied to IP - the only way to go might be implementing browser automated login (playwright, puppeteer, etc.) with email and password in order to retrieve the session token and the cf token programmatically from the same server that makes the message requests... Looking at #83 and realizing this might be a long night 😭💪

DexterStorey avatar Dec 12 '22 00:12 DexterStorey

Obviously this would make the repo larger and slower and it looks like a lot of work has gone into removing playwright as a dependency so in general this is annoying.

@transitive-bullshit are you working on / trying to find a way to handle this new auth process with native fetch or are you thinking we will need to find a way to make something like this work: https://github.com/Mereithhh/chatgpt-token/blob/master/index.cjs

Credit -> @Mereithhh

DexterStorey avatar Dec 12 '22 00:12 DexterStorey

Chiming in. "Reverting" to playwright headless browser auth flow and extract cookies for subsequent api use is the way to go, now that the cat and mouse game has escalated

fungilation avatar Dec 12 '22 00:12 fungilation

You have to make sure you send your browser's user-agent, a different one doesn't work. This could be your issue? (Or the IP)

> @Ademking Thanks. I am passing the clearanceToken to ChatGPTAPI but I am still getting 403 errors.

PLhery avatar Dec 12 '22 00:12 PLhery

@PLhery. Yes, that is likely my issue! I will try using the same user agent to see if that works.

alex12058 avatar Dec 12 '22 00:12 alex12058