Skip to content

fix(auth): use curl_cffi (Chrome TLS impersonation) for Auth0 login#1

Merged
cdamken merged 1 commit into
mainfrom
fix/auth0-curl-cffi-tls
Jun 17, 2026
Merged

fix(auth): use curl_cffi (Chrome TLS impersonation) for Auth0 login#1
cdamken merged 1 commit into
mainfrom
fix/auth0-curl-cffi-tls

Conversation

@cdamken

@cdamken cdamken commented Jun 17, 2026

Copy link
Copy Markdown
Owner

Problem

Server-side programmatic login broke: fetch_wrapper exits 12 AUTH_FAILED
instantly (never reaching 2FA), reporting "Auth0 rejected the email/password"
— but the password is valid.

Root cause (verified live): Scalable's Auth0 fronts the login with Friendly
Captcha bot detection that keys on the TLS/JA3 fingerprint
. Plain requests
gets fingerprinted → Auth0 injects a captcha field the headless client can't
solve → re-serves /u/loginauth.py misreads that as InvalidCredentials.
A real browser (and curl_cffi) is not challenged — proven from the same
server IP, so it's the fingerprint, not the IP/headers/credentials.

Fix

  • _build_session()curl_cffi.requests.Session(impersonate="chrome"),
    which replays Chrome's TLS fingerprint in pure Python (no browser).
    Falls back to plain requests if curl_cffi is missing.
  • login_flow() normalizes the cookie jar via new _to_requests_jar()
    (curl_cffi's jar isn't a RequestsCookieJar; save_jar_to_file iterates
    expecting http.cookiejar.Cookie objects).
  • add curl_cffi>=0.7 dependency; bump 0.0.20.0.3.

Verification

End-to-end on the server: fresh login → push 2FA approved → cookies persisted
→ data fetched, exit 0.

🤖 Generated with Claude Code

Scalable's Auth0 fronts the login with Friendly Captcha bot detection that
triggers on the TLS/JA3 fingerprint of plain `requests` — it injects a
`captcha` field the headless client can't solve, re-renders the login form,
and the old heuristic misread that as InvalidCredentials (exit 12). A real
browser is never challenged; neither is curl_cffi, which replays Chrome's
exact TLS fingerprint from pure Python — no browser, no Chromium.

- _build_session() returns curl_cffi Session(impersonate="chrome"), with a
  plain-requests fallback when curl_cffi is unavailable.
- login_flow() normalizes the cookie jar via new _to_requests_jar()
  (curl_cffi's jar isn't a RequestsCookieJar; save_jar_to_file iterates
  expecting http.cookiejar.Cookie objects).
- add curl_cffi>=0.7 dependency; bump 0.0.2 -> 0.0.3.

Verified end-to-end on the server: fresh login -> push 2FA -> cookies
persisted -> data fetched, exit 0.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@cdamken cdamken merged commit 726f8cd into main Jun 17, 2026
1 check passed
@cdamken cdamken deleted the fix/auth0-curl-cffi-tls branch June 17, 2026 18:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant