Open Rishikant181 opened 1 month ago
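Here is a temporary workaround:

1. Open your browser and go to twitter/X.
2. Open browser developer tools.
3. Navigate to Applications->Cookies (for Chrome) or Storage->Cookies (for Firefox).
4. Copy the values of the 4 fields: `auth_token`, `ct0`, `kdt`, `twid`. Store them temporarily somewhere.
5. Open NodeJS in a terminal and execute the command: `btoa("auth_token=<auth_token_value>;ct0=<ct0_value>;kdt=<kdt_value>;twid=<twid_value>")`
6. The output string is your API_KEY.
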
You only need to do this once to get the API_KEY. The API_KEY should be valid for a year, so no need to do this repeatedly.
Note: If you don't want to remain logged into the browser, just follow this process in incognito/private mode of your browser and after generating the API_KEY, just exit incognito/private mode. That way, you won't stay logged in to the browser and at the same time, the API_KEY will remain valid.
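The workaround above makes the API_KEY a reversible base64 encoding of the four session cookies, so anyone holding it holds the logged-in session. The following is an added example, not code from the thread or from the rettiwt project: it builds a key the same way, decodes one to check that all four fields are present, and produces a log-safe form. All function and constant names and the sample values are hypothetical and constructed.

```javascript
// Added example: every name below is hypothetical and not part of rettiwt.
const REQUIRED_COOKIES = ['auth_token', 'ct0', 'kdt', 'twid'];

// Constructed sample values, not real cookies.
const SAMPLE_COOKIES = {
  auth_token: 'aaaa1111',
  ct0: 'bbbb2222',
  kdt: 'cccc3333',
  twid: 'u%3D1234567890',
};

// Encode the four cookie values like the btoa(...) step in the workaround.
// Buffer's base64 output matches btoa for ASCII cookie values.
function buildApiKey(cookies) {
  const missing = REQUIRED_COOKIES.filter((name) => !cookies[name]);
  if (missing.length > 0) {
    throw new Error(`missing cookie value(s): ${missing.join(', ')}`);
  }
  const joined = REQUIRED_COOKIES.map((name) => `${name}=${cookies[name]}`).join(';');
  return Buffer.from(joined, 'utf8').toString('base64');
}

// Decode an API_KEY back into its cookies and report which required fields are absent.
function parseApiKey(apiKey) {
  const decoded = Buffer.from(apiKey, 'base64').toString('utf8');
  const cookies = {};
  for (const pair of decoded.split(';')) {
    const idx = pair.indexOf('=');
    if (idx <= 0) continue; // skip empty or malformed segments
    cookies[pair.slice(0, idx).trim()] = pair.slice(idx + 1);
  }
  const missing = REQUIRED_COOKIES.filter((name) => !cookies[name]);
  return { cookies, missing, valid: missing.length === 0 };
}

// Log-safe form: cookie names are kept, values are replaced by their length.
function redactApiKey(apiKey) {
  const { cookies } = parseApiKey(apiKey);
  return Object.keys(cookies)
    .map((name) => `${name}=<${cookies[name].length} chars>`)
    .join(';');
}
```

Because decoding needs no secret, store the key the way you would store the cookies themselves and log only the redacted form.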
So I managed to somewhat reproduce the issue. What I did was try repeated logins, as well as create an account locally and then log in to that account using a proxy, which triggered the following response from Twitter while logging in:
We blocked an attempt to access your account because we weren't sure it was really you.
This happens when we notice unusual login activity, like an attempt to log in too many times, or from a different location or device.
You'll need to wait before trying to log in again. Some blocks are removed automatically.
Get help with login issues.
So, from preliminary examination, it seems that login fails in the following cases:
As it turns out, I am at my wits' end. Your input is highly appreciated in fixing this issue.
As a side note, the 'ideal' usage is:
I followed your instructions to get the api key, but I still get this error when sending the request to get the list of followers of a user:
Error fetching user details: DataValidationError { name: 'VALIDATION_ERROR', message: 'One or more validation error(s) occured, check details field.', details: [ ValidationErrorDetails { field: 'id', constraints: [Array] } ] }
@gabrielepinto The problem is that you are supplying `user.followers` a `username` where it expects a numeric `id` of the user. The `id` is obtained using the `user.details` method, which takes the `username` as input. You can see the same by inspecting the `constraints` field of the line, as follows:
Any further discussions regarding your issue will take place in a separate issue thread. This thread is reserved for issues while logging in using the `rettiwt auth login` method.
Here is a temporary workaround:
1. Open your browser and go to twitter/X.
2. Open browser developer tools.
3. Navigate to Applications->Cookies (for Chrome) or Storage->Cookies (for Firefox).
4. Copy the values of the 4 fields: `auth_token`, `ct0`, `kdt`, `twid`. Store them temporarily somewhere.
5. Open NodeJS in a terminal and execute the command: `btoa("auth_token=<auth_token_value>;ct0=<ct0_value>;kdt=<kdt_value>;twid=<twid_value>")`
6. The output string is your API_KEY.

You only need to do this once to get the API_KEY. The API_KEY should be valid for a year, so no need to do this repeatedly.
Bro, I did this and it works if the account is still active in the browser; if I log out in my browser, it is not working anymore.
@Elyoussf You can use incognito/private mode to do the same thing, and after generating API_KEY, just exit incognito/private mode. That way, you will not remain logged in to the browser, at the same time, the API_KEY will remain valid since you never "logged out".
Login via CLI does not seem to work, only returns empty JSON
{}
Usage like rettiwt auth login test@test.com test test
(tried both with and without " around the string values and of course used real values)
@improwise Twitter/X's suspicious login measures might have been triggered. This usually happens when you try to log in from a seemingly different location by using methods such as VPN, proxy, cloud services, etc. To confirm, can you check the associated email to see if you have received an email from Twitter/X related to a suspicious login or any login code?
Thanks for responding and for providing this repo.
It worked fine to log in in browser(s) even though I was eventually locked out after trying the rettiwt auth login too many times, so it seems it was communicating as it should with something at the other end. Is the command supposed to be with " for the values or not?
I noticed that when I tried without ", it complained about the last characters in my password (which is quite complex), could there be an issue with password length or some special characters? When using the command with the "", it got no error, just the empty response.
BTW, noticed that in the readme there was both "rettiwt auth login" and "rettiwt-auth login" with a dash, not sure if that is a typo.
@improwise

> Is the command supposed to be with " for the values or not?

Yes, to avoid the following problem:

> it complained about the last characters in my password

Since some characters might convey special meaning to the shell when not enclosed inside quotes.

> BTW, noticed that in the readme there was both "rettiwt auth login" and "rettiwt-auth login" with a dash, not sure if that is a typo.

It's a typo, will fix it tomorrow.

As for the issue, the CLI login works best when you use it from a local machine. In my case, I usually use Twitter/X from my PC and when I use the CLI to log in from the same PC, I never faced an issue, except of course when I tried logging in repeatedly 3 times or more in a row (for testing purposes), in which case it triggers the suspicious activity measures. After some time, trying again from the CLI works.
Does the browser workaround work for you?
@improwise Another thing I noticed is that, if you log in to Twitter/X from the browser using your email first, followed by the password, the CLI command that usually works is:
rettiwt auth login "<email>" "<username>" "<password>"
If, however, you use your username to login from the browser, the CLI command that usually works is:
rettiwt auth login "<username>" "<email>" "<password>"
In short, email and username can be interchanged, depending on which one you use to login to Twitter/X from the browser.
Hi,
So, I debugged the traffic to the Twitter API https://api.twitter.com/1.1/onboarding/task.json and it is basically telling me that the call is suspicious and has been blocked. They are still returning status 200, so that is why it does not get picked up by the error handling.
In detail, it seems like the request with
"subtask_id": "LoginEnterUserIdentifierSSO"
is getting a response with
"subtask_id": "DenyLoginSubtask"
Not sure if it matters but I see that the user agent is
User-Agent: axios/1.6.3
Maybe that gives it away?
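The failure mode described in the comment above, a denial delivered with HTTP 200, can be surfaced by checking the returned subtask id instead of relying on the status code. This is an added example, not rettiwt's own code: the response shape (a `subtasks` array whose entries carry `subtask_id`), the function and class names, and the sample bodies are assumptions constructed for illustration.

```javascript
// Added example: names and response shape are assumptions, not rettiwt's API.
const DENY_SUBTASK = 'DenyLoginSubtask'; // value quoted in the comment above

class LoginDeniedError extends Error {
  constructor(subtaskId, httpStatus) {
    super(`login flow denied by server (${subtaskId}, HTTP ${httpStatus})`);
    this.name = 'LoginDeniedError';
    this.subtaskId = subtaskId;
    this.httpStatus = httpStatus;
  }
}

// Constructed sample bodies; 'NextSubtaskPlaceholder' is a placeholder id.
const SAMPLE_ACCEPTED = { subtasks: [{ subtask_id: 'NextSubtaskPlaceholder' }] };
const SAMPLE_DENIED = { subtasks: [{ subtask_id: 'DenyLoginSubtask' }] };

// Collect the subtask ids from a parsed response body, tolerating missing fields.
function subtaskIds(body) {
  const subtasks = body && Array.isArray(body.subtasks) ? body.subtasks : [];
  return subtasks
    .map((s) => (s ? s.subtask_id : undefined))
    .filter((id) => typeof id === 'string');
}

// Validate one step of the login flow. A 2xx status is not enough:
// the body is inspected so that a denial is raised as an error.
function checkFlowStep(httpStatus, body) {
  if (httpStatus < 200 || httpStatus >= 300) {
    throw new Error(`unexpected HTTP status ${httpStatus}`);
  }
  const ids = subtaskIds(body);
  if (ids.includes(DENY_SUBTASK)) {
    throw new LoginDeniedError(DENY_SUBTASK, httpStatus);
  }
  return ids; // ids of the subtasks the server expects next
}
```

With a check like this, the CLI would report the denial explicitly instead of printing `{}`.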
@improwise Are you using a VPN, Proxy or a Cloud Deployment?
@Rishikant181 VPN, but that works when logging into X with a browser running on the same computer.
@improwise VPN might be the issue. Try logging in without VPN.
@Rishikant181 I just tried the "cookie hack" to get an API key and that seemed to work and also running authenticated calls using it.
@improwise The "cookie hack" always works. Authentication using CLI has been wonky since it tries so hard to mimic the login process. I have an alternate method in mind, which might become the primary method if it seems viable.
@Rishikant181 Again, thanks for all the hard work you have put in and are putting into this.
You can now use your browser (Chromium-based browser only) to generate the API_KEY using this extension, which can help getting the API_KEY, and it always works:
`Get Key`. The API_KEY will be generated.
`Copy key` or manually copy the generated API_KEY, and store it somewhere secure for later use.
Note: The API_KEY will be valid as long as you do not log out from the browser. If you want the API_KEY to be valid for a year, just use incognito mode to repeat the above steps and remember to not log out, but just exit incognito mode. That way, your browser session will be closed and you will not stay logged in (since it was incognito mode), while the API_KEY will be still valid (since you never really "logged out").
As for Firefox users, the extension will soon be ported.
Browser-based authentication method has been finalized. Please refer to the README for the how-to.
P.S: Both Chrome and Firefox, as well as their derivatives, are supported.
Hi, I'm having an issue with the package. I would appreciate it if someone could help. Receiving "{}" response when trying to generate cookies for authorization (apikey) using CLI. Also I got this error when using it as a package for my project: "Failed to authenticate using the given account Credentials".
I'm not using VPN, it's my personal local account and I have no issues with login in the browser.
@Rishikant181
Is it possible for you to use the browser extensions as an alternative login method?
Unfortunately, it's not a solution for me since I need too many accounts.
@bircher044 This usually happens when Twitter/X notices the unusual login activity to the account, and most of the time, it's a hit and miss. Can you confirm if you are receiving any form of email from Twitter/X regarding login to the given account(s)?
@Rishikant181 I'm only receiving "We noticed a login to your account" when I log in from the browser. Nothing related to a confirmation code or anything like that.
When I'm trying to auth using the package, I'm getting a problem on the 5th subtask ELoginSubtasks.ACCOUNT_DUPLICATION_CHECK. All subtasks before have status: 'success',.
I also tried to log in via browser and track my network. So I see only the first 4 subtasks. At the same time, when I remove that 5th task from your package, I managed to receive these cookies but they are weird (without authToken).
Response
AuthCredential {
authToken: 'AAAAAAAAAAAAAAAAAAAAANRILgAAAAAAnNwIzUejRCOuH5E6I8xnZz4pu************************************CpTnA',
guestToken: '18346**********33871854',
cookies: 'guest_id_marketing=v1%3A***********961362; Max-Age=63072000; Expires=Sun, 13 Sep 2026 15:12:20 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None;guest_id_ads=v1%3A1726***********1362; Max-Age=63072000; Expires=Sun, 13 Sep 2026 15:12:20 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None;personalization_id="v1_/UUDPvvnXi+1dZxA++bZIQ=="; Max-Age=63072000; Expires=Sun, 13 Sep 2026 15:12:20 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None;guest_id=v1%3A1726**********8961362; Max-Age=63072000; Expires=Sun, 13 Sep 2026 15:12:20 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None;att=1-3ou0ET***************************kaQVH65wv; Max-Age=86400; Expires=Sat, 14 Sep 2024 15:12:20 GMT; Path=/; Domain=.twitter.com; Secure; HTTPOnly; SameSite=None'
}
I replaced some info with "*" just in case.
@bircher044 Thanks for the specific internal error info. As I've not been able to reproduce the issue, this provided some insight as to what to look out for. I'll be trying to debug this specific test.
Sorry for the issue. As it stands, trying to reproduce and fix it is all I can do, with no known workarounds (except the browser method).
Thanks for the feedback.
@bircher044 On a side note, do you have any proxies that you can test the login with?
@Rishikant181 thank you for supporting this package for such a long term.
I tried to use a proxy yesterday, both using your package and globally in my IDE. Had the same "{}" problem. I didn't check subtasks but anyway I think the problem was the same.
All issues related to logging in will be discussed here.