Epic Games Accessibility hCaptcha not working

[igor-semyonov]

Describe the bug

I am visually impaired and can't do visual captchas. The Epic games login requires an hcaptcha verification. Hcaptcha offers an accessibility workaround in the form of an accessibility cookie. This presumably works for a normal browser, but this does not work with the in-app browser.

The hcaptcha process:

1. Login using epic account
2. Reach hcaptcha
3. Click kibab button in bottom left and select accessibility
4. Click 'learn more about hcaptcha accessibility'
5. Enter email adderss and click submit
6. Check email
7. Click link in email
8. Click 'get cookie' in the page that opens I believe the normal hcaptcha operation is that at this point it should be bypassed. However the cookie is attached to the browser where I opened the link emailed to me.

Possible workaround that I don't know how to implement: Copy cookie from normal browser to Heroic Launcher environment.

Possible fix that might be impossible to implement: Use recaptcha instead of hcaptcha. Recaptcha has an audio captcha option which is selfcontained, instead of requiring leaving the captcha environment. I am guessing this might be impossible since the hcaptcha might be chosen by epic, not Heroic.

Add logs

not applicable

Steps to reproduce

1. Go to '...'
2. Click on '...'
3. Scroll down to '...'
4. See error

Expected behavior

Accessible sign in

Screenshots

No response

Heroic Version

Latest Stable

System Information

• OS Gentoo
• DE Plasma 5.25

Additional information

No response

[flavioislima]

Not sure we can fix that on our end but you can use the alternative epic login. So you will login on the epic games page and then you will need to copy the authorization code and paste on heroic.

[arielj]

Would it help if we add an option to set a given cookie? you would have to copy the cookie from your browser manually but I think it could work (actually I think this is what you meant as a possible workaround)

I've been playing around with the webview component and I think it can be done with some hacky code injection

[arielj]

I think I have an idea on how to solve this without hacky code, we can load a url in the webview and pass extra headers, we could have an input field in the Accessibility screen to set the Epic hCaptcha Accessibility Cookie value and, when we open the epic login page, if we have a value in that setting, we use the webview.loadUrl method that allows passing those extra headers

And then we can use the Set-Cookie header to reload the login screen.

@igor-semyonov it would be useful if you can share how one of those cookies look like, no need to share a real value but it would help me understand what is required in the Set-Cookie header, we have many options that we can pass https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

EDIT: maybe we can do it more like how epic does that, instead of using a setting in the Accessibility section, we can show a small box when we display the login page with a button Add hCaptcha Cookie that prompts the user with a text input and on submit it reloads the page with the same headers, that way it would be more on demand

[igor-semyonov]

My apologies! I did not see (haha) the alternative login method. That worked perfectly.

I think the alternative method is a good solution. I don't think there is a need to add accessibility cookie handling to the main login. Perhaps a note could be added that says something like "if you need accessibility login, use the alternative login method".

Thank you everyone!

[arielj]

The only issue with the alternative method is that the Epic store when you go to the Stores section will always be logged out (and it's really handy to get new free games for example), since you didn't log in properly with Epic inside Heroic.

I think it's still a good idea to provide a solution so it would be the same experience.

I'm happy to try to add the idea I presented before, I would need an example of the cookie but I think it's doable and not that hard to do

[AndhikaWB]

I'm also kinda annoyed that Heroic couldn't log me in when trying to claim this week's free game (because of the captcha). Is this what you need @arielj?

Cookies when successfully logged in Firefox

Heroic cookies when stuck on Epic login captcha

It think it is also possible to replace the cookies file directly from Chromium based browser. I use Firefox though and too lazy to test it. Heroic cookies should be located on ~/.config/heroic/Partitions/epicstore (if anybody want to test it).

[arielj]

I don't know how an hCaptcha accessibility cookie looks like so I don't know if that's what I need

[AndhikaWB]

Okay I experimented which value is needed by deleting the cookie record one by one. It seems that you only need EPIC_SESSION_AP to be able to log in successfully to Epic. All other cookies will be set automatically by Epic if that key/value exist.

[arielj]

Just to clarify, @AndhikaWB are you also a user with the need of the accessibility captcha? since this is about the special cookie needed for visually impaired users, not about generic login issues.

I'm asking because EPIC_SESSION_AP sounds like an epic-specific cooking and not an hCaptcha-specific cookie (but maybe it is, I just don't know)

[AndhikaWB]

Oh my bad, no I'm not. I just searched for captcha login issue and this is the first result from the repo. Sorry, should be more careful.

[arielj]

ok, on the normal captcha, I think it's a captcha issue, sometimes I pick the correct images and it tells me it's incorrect, I try like 4 or 5 times and then it works, happens to me also outside heroic

I think they are using AI generated images so they are not even sure what they are xD

[AndhikaWB]

Sometimes it didn't ask to select images or complete puzzle, it just stuck at checking browser with a loading circle (in my case).

[arielj]

@igor-semyonov another option I'm thinking is to just allow you to copy paste the link that you get in your email directly, it would involve less code, maybe that's enough

I would only need to see one of those links you get in your email to allow that domain (I don't think we want users to be able to open whatever link they want there)

[igor-semyonov]

https://accounts.hcaptcha.com/verify_email/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx where each x is in the set [0123456789abcdef], ie hex digits.

[arielj]

thanks! I'll try to implement something over the weekend

one more question, do you have to be logged in into some hcaptcha account for that link to work? ie: can you copy paste that link in an incognito browser for example and get the cookie set?

because I'm thinking that if that link requires some login, then the link may not work because the webview of Heroic wouldn't be logged in in that site