nomis51 closed this 4 years ago
Hey, thanks for the investigation. You raise a good point; we don't need to try to authenticate the user when we already have the POESESSID, so this sounds like a reasonable solution. Are you planning on sending a PR based on your tests?
Here are the 2 lines required to get it to work again
POEApi.Transport.HttpTransport.cs Line 26

```csharp
private const string LoginURL = @"https://www.pathofexile.com/login";
// ******* Cloudflare login workaround //
private const string AccountURL = @"https://www.pathofexile.com/my-account";
// ******* //
private const string AccountNameURL = @"https://www.pathofexile.com/character-window/get-account-name?realm={0}";
```

POEApi.Transport.HttpTransport.cs Line 110

```csharp
private void TraditionalSessionIdLogin() {
    // ******* Cloudflare login workaround //
    // using (var sessionIdLoginResponse = BuildHttpRequestAndGetResponse(HttpMethod.GET, LoginURL)) {
    using (var sessionIdLoginResponse = BuildHttpRequestAndGetResponse(HttpMethod.GET, AccountURL)) {
        // ******* //
        if (sessionIdLoginResponse.ResponseUri.ToString() == AccountURL) {
            // Login succeeded, otherwise the POESESSID is wrong
        }
        // If the response URI is the login URL, then the login action failed.
        if (sessionIdLoginResponse.ResponseUri.ToString() == LoginURL) {
            throw new LogonFailedException();
        }
    }
}
```
I submitted a pull request based on nomis51's code, which does allow me to bypass the error as well.
I can confirm that the workaround is working as expected. Pulled @Brian-K-Smith's pull request and it is now working.
Would anyone perhaps be able to provide binaries until the pull request is (hopefully) committed and released?
A binary for that pull request is available here, with the usual caveats for auto-generated binaries for pull requests (that is, only exists for six months).
Procurement 1.29.0 has been released, which includes @thailyn's fixes as per the build he provided above.
Hi,
I've cloned the repo, and I managed to get the login to work properly by avoiding the Cloudflare DDoS protection.
The fix is simple: currently Procurement is querying the /login page to validate that the POESESSID provided by the user is good and that the user can be authenticated successfully. But, in fact, you don't need to mess with the /login page at all, because the /login page is actually there to get the POESESSID, but it's already provided by the user... So there's no need to mess with the /login page and Cloudflare.
Instead you just have to query the /my-account page. There are two possible results:
And, I guess it's more legit to query a simple HTML page than to try to solve, with a program, a DDoS protection service that has been created to counter such programs :p
For future updates: even if changes are made to the website, like putting Cloudflare on the account page for example, we can still query any other page and look for the user portrait information to see if we are authenticated or not. Or even just query API routes, like the one to get the stash tabs; if it fails, that's because we're not authenticated correctly.
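The check described in this thread decides whether a POESESSID is valid from where the request for /my-account ends up. The following is an added example, not part of the original posts or of Procurement's code: it classifies that final response into three outcomes, so that anything other than the account page or the login page (an interstitial, an error, an unexpected host) is reported as indeterminate and not treated as a successful login. The names `SessionCheck`, `SessionCheckResult` and `Classify` are hypothetical, and the sample responses are constructed.

```csharp
using System;
using System.Net;

// Added example; SessionCheck, SessionCheckResult and Classify are hypothetical names.
public enum SessionCheckResult { Authenticated, Rejected, Indeterminate }

public static class SessionCheck
{
    private static readonly Uri AccountUri = new Uri("https://www.pathofexile.com/my-account");
    private static readonly Uri LoginUri = new Uri("https://www.pathofexile.com/login");

    // Compare scheme, host and path only, so a trailing slash or a query string
    // on the final URI does not defeat the comparison.
    private static bool SamePage(Uri actual, Uri expected) =>
        actual.Scheme == expected.Scheme &&
        string.Equals(actual.Host, expected.Host, StringComparison.OrdinalIgnoreCase) &&
        actual.AbsolutePath.TrimEnd('/') == expected.AbsolutePath.TrimEnd('/');

    // finalUri is where the GET of /my-account ended up after redirects
    // (HttpWebResponse.ResponseUri in the snippet posted in the thread).
    public static SessionCheckResult Classify(HttpStatusCode status, Uri finalUri)
    {
        if (SamePage(finalUri, LoginUri))
            return SessionCheckResult.Rejected;       // bounced to /login: POESESSID not accepted
        if (status == HttpStatusCode.OK && SamePage(finalUri, AccountUri))
            return SessionCheckResult.Authenticated;  // the account page itself was served
        return SessionCheckResult.Indeterminate;      // anything else: fail closed
    }

    public static void Main()
    {
        // Constructed sample responses, not captured traffic.
        var samples = new (HttpStatusCode Status, string Url)[]
        {
            (HttpStatusCode.OK, "https://www.pathofexile.com/my-account"),
            (HttpStatusCode.OK, "https://www.pathofexile.com/my-account/"),
            (HttpStatusCode.OK, "https://www.pathofexile.com/login"),
            (HttpStatusCode.ServiceUnavailable, "https://www.pathofexile.com/my-account"),
            (HttpStatusCode.OK, "https://example.invalid/my-account"),
        };
        foreach (var s in samples)
            Console.WriteLine($"{(int)s.Status} {s.Url} -> {Classify(s.Status, new Uri(s.Url))}");
    }
}
```

A caller would throw `LogonFailedException` on `Rejected` and surface `Indeterminate` as a separate error, so a blocked or failed request is not mistaken for either a good or a bad session ID.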