Nico new (forced) 2-factor login

AlexAplin / nndownload

Download and process links from Niconico (nicovideo.jp)

MIT License

213 stars 28 forks source link

Nico new (forced) 2-factor login #118

Closed fireattack closed 2 years ago

fireattack commented 2 years ago

When I tried to login today, Niconico asked me to input the verification code sent to my email (it did send), which obviously nndownload didn't handle well.

This is probably something new, as I've never seen it before.

Logging in...
Failed to login.
Traceback (most recent call last):
  File "G:\_temp\nndownload\nndownload\nndownload.py", line 1757, in main
    session = login(account_username, account_password, session_cookie)
  File "G:\_temp\nndownload\nndownload\nndownload.py", line 1647, in login
    raise AuthenticationException("Failed to login. Please verify your account email/telephone and password")
nndownload.nndownload.AuthenticationException: Failed to login. Please verify your account email/telephone and password

fireattack commented 2 years ago

The webpage looks like this:

AlexAplin commented 2 years ago

Flow:

POST to https://account.nicovideo.jp/login/redirector?show_button_twitter=1&site=niconico&show_button_facebook=1&sec=header_pc&next_url=%2F with usual cookies and form data
Follow Location and GET https://account.nicovideo.jp/mfa?continue=https://account.nicovideo.jp/login/mfa/callback?site%3Dniconico%26sec%3Dheader_pc...
POST the 2FA code to https://account.nicovideo.jp/mfa?site=niconico&continue=https%3A%2F%2Faccount.nicovideo.jp%2Flogin%2Fmfa%2Fcallback%3Fsite%3Dniconico%26sec%3Dheader_pc%26... as form data (otp, is_mfa_trusted_dace boolean to mark as trusted device)
On 302 response, follow Location and GET https://account.nicovideo.jp/login/mfa/callback?site=niconico&sec=header_pc...
- If 200 response, the code was invalid
Callback sets session cookies

Trusting the device seems to do nothing for me, I'm prompted for a code each time. Maybe related to browser privacy fingerprinting.

AlexAplin commented 2 years ago

Basic scaffolding for this is done. Further detail:

Even specifying a device name in our request, nndownload will show up as ブラウザ for the device name in the Nico account panel login history
This is considered distinct from the normal 2FA process. I have 2段階認証の設定 disabled in my account but I'm getting prompted for this each login. Definitely seems like a check against suspicious requests, compromised accounts, etc.
Session cookies (--session-cookie) should work as they always have, nothing has changed in how the session actually works
OTP fails after 10 incorrect codes and requires restarting the auth flow

AlexAplin commented 2 years ago

@fireattack Can you try with the branch and tell me how it works for you?

fireattack commented 2 years ago

Looks good to me!

Given the circumstance, should we start considering saving session or session cookie (even by default, but at least having option) so we can re-use it without re-entering the code every time?

AlexAplin commented 2 years ago

Great! That also seems like a good idea -- probably a dedicated file similar to how we do --netrc but likely user-specified. I'll consider how to approach that.