fix(auth): use curl_cffi (Chrome TLS impersonation) for Auth0 login#1
Merged
Conversation
Scalable's Auth0 fronts the login with Friendly Captcha bot detection that triggers on the TLS/JA3 fingerprint of plain `requests` — it injects a `captcha` field the headless client can't solve, re-renders the login form, and the old heuristic misread that as InvalidCredentials (exit 12). A real browser is never challenged; neither is curl_cffi, which replays Chrome's exact TLS fingerprint from pure Python — no browser, no Chromium. - _build_session() returns curl_cffi Session(impersonate="chrome"), with a plain-requests fallback when curl_cffi is unavailable. - login_flow() normalizes the cookie jar via new _to_requests_jar() (curl_cffi's jar isn't a RequestsCookieJar; save_jar_to_file iterates expecting http.cookiejar.Cookie objects). - add curl_cffi>=0.7 dependency; bump 0.0.2 -> 0.0.3. Verified end-to-end on the server: fresh login -> push 2FA -> cookies persisted -> data fetched, exit 0. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Server-side programmatic login broke:
fetch_wrapperexits12 AUTH_FAILEDinstantly (never reaching 2FA), reporting "Auth0 rejected the email/password"
— but the password is valid.
Root cause (verified live): Scalable's Auth0 fronts the login with Friendly
Captcha bot detection that keys on the TLS/JA3 fingerprint. Plain
requestsgets fingerprinted → Auth0 injects a
captchafield the headless client can'tsolve → re-serves
/u/login→auth.pymisreads that asInvalidCredentials.A real browser (and
curl_cffi) is not challenged — proven from the sameserver IP, so it's the fingerprint, not the IP/headers/credentials.
Fix
_build_session()→curl_cffi.requests.Session(impersonate="chrome"),which replays Chrome's TLS fingerprint in pure Python (no browser).
Falls back to plain
requestsifcurl_cffiis missing.login_flow()normalizes the cookie jar via new_to_requests_jar()(curl_cffi's jar isn't a
RequestsCookieJar;save_jar_to_fileiteratesexpecting
http.cookiejar.Cookieobjects).curl_cffi>=0.7dependency; bump0.0.2→0.0.3.Verification
End-to-end on the server: fresh login → push 2FA approved → cookies persisted
→ data fetched,
exit 0.🤖 Generated with Claude Code