Conversation
|
I tried this and it worked. Many great thanks for that! |
|
I tried it and it worked once. But after that it doesn't any more. Trying to figure out what happens... |
|
Should be cookies in Probably, worth cleaning them on 403? |
|
Hm, ok, interesting. But shouldn't the cookies be updated, at least the aws-waf-token which is the one that counts. I'll try/check that. Update: Cleaning the cookies helped. |
|
I manually deleted the Probably, we need to filter it when reading from the cookie file |
|
Generally, the change looks very good. Thanks for the contribution. I'll try to review it more thoroughly later today. |
|
Thanks! I added a fix. We clearly don't need to save the WAF cookie. And if there's one in the file, we need to overwrite it with the fresh one. |
Maybe the WAF token could be stored, though and used. And only if we get a 403 in authentication we update/regenerate it. I guess that would at least improve performance. I don't know whether there's (another) way to check whether the waf token is still valid? |
|
They changed the login yet again it seems, I am getting 405 response code when I try to login via API. |
I saw it failing again and needed to remove the cookies once more, did you try that? I also didn't add the latest commit yet to my build that filters/updates the WAF cookie. |
Didn't affect me with the latest code, works after 2h of the last launch
It's a subsecond. I think automatically obtained token is a safe side: |
Yes, I had the error again, then updated to the latest version and it got resolved.
Probably yes, if we don't have a client-side mechanism to check validity of the token. |
|
@Felixoid Great work on this PR — tested it and the WAF token generation works perfectly. One issue I ran into: the WAF token is fetched using Replacing This might explain why some people in #319 report 405 errors even after applying this fix — it depends on whether TR's ALB enforces TLS fingerprinting for their specific requests/region. Also minor: the WAF host extraction via |
Currently, it's an optional dependency. I can think of conditional import in this place, so if a user has curl_cffi installed, it will be used. Although, for a manual set token it's a slippery slope, since an original browser can be anything. I don't think an issue is a session. Most probably it's an outdated cookie from the file with previous broken code |
After |
There was a state, when It was fixed in c81d47f, please test it |
|
@Felixoid You were right — the 405 I was seeing was caused by stale WAF cookies, not TLS fingerprinting. After updating to your latest commits (cookie cleanup fix), I removed my Tested the full flow end-to-end: WAF token → login → 2FA → websocket data sync. All good on latest Thanks for the quick iteration on the cookie handling! |
|
A formal remark: Could you put the MIT license first in the vendored files and the comment from where it was vendored etc. afterwards? Also, I suggest to remove the additional LICENSE file in the aswwaf subdirectory as it is the same license (MIT) as for the other files and additionally, it is included as file header. |
|
Let me rebase the staff a little bit, so it will be cleaner git log. The work looks finished. |
Parse challenge.js on the fly to extract parameters
We'll squash anyway 😄 |
RealCLanger
left a comment
RealCLanger
left a comment
There was a problem hiding this comment.
OK, this looks close to merging now. Two small remarks in the code.
|
Thanks @Felixoid for this great piece of work. |
|
Hi. I can confirm, that it now works for non programmers as me. Thanks a lot for this. But if I do got the newest version, and it worked. Again. Thanks a lot, this is for others, that might not find the "trick" on their own. Juergen |
Version 0.4.7 with the fix is now officially released and available via standard |
7 participants
The work is done on top of @Rick7221's commit from #319 (comment)
mp_verify, AKA network bandwidth challengefixes #319