"Error occurred during login..." 401 Authorization Required

[ripple7511]

Vivint is throwing errors this afternoon, and showing the below in the console.

I'm able to successfully get a cookie (though it begins with "__CF_bm=" which I don't think it used to do?), but always get a 401 Authorization Required error.

I'm using a Homebridge-specific account on Vivint that I can successfully login using on the Vivint app itself, and MFA is disabled for the account. I've even tried to use my main Vivint account as a test, but the MFA portion fails even though the code is correct. I've verified that I'm able to successfully login to the Vivint app using the code successfully.

I've tried running the "npm run mfa" from the terminal, but am getting a "Missing script: mfa" error while doing that. "npm run" returns no scripts whatsoever. I've tried installing and re-installing different versions of the same plugin with nothing working.

I'm running Homebridge as an LXC on ProxMox for more than a year now without any issues. Anyone have ideas as to what I can try next?

---

LOG (with cookie data and any other long strings of potentially-important characters removed...)

[@balansse/homebridge-vivint] Error occurred during login, retrying in 60 seconds... StatusCodeError: 401 - "\r\n\r\n\r\n

401 Authorization Required

\r\n

---

nginx\r\n\r\n\r\n" at new StatusCodeError (/var/lib/homebridge/node_modules/@balansse/homebridge-vivint/node_modules/request-promise-core/lib/errors.js:32:15) at Request.plumbing.callback (/var/lib/homebridge/node_modules/@balansse/homebridge-vivint/node_modules/request-promise-core/lib/plumbing.js:104:33) at Request.RP$callback [as _callback] (/var/lib/homebridge/node_modules/@balansse/homebridge-vivint/node_modules/request-promise-core/lib/plumbing.js:46:31) at Request.self.callback (/var/lib/homebridge/node_modules/@balansse/homebridge-vivint/node_modules/request/request.js:185:22) at Request.emit (node:events:513:28) at Request. (/var/lib/homebridge/node_modules/@balansse/homebridge-vivint/node_modules/request/request.js:1154:10) at Request.emit (node:events:513:28) at IncomingMessage. (/var/lib/homebridge/node_modules/@balansse/homebridge-vivint/node_modules/request/request.js:1076:12) at Object.onceWrapper (node:events:627:28) at IncomingMessage.emit (node:events:525:35) { statusCode: 401, error: '\r\n' + '\r\n' + '\r\n' + '

401 Authorization Required

\r\n' + '

---

nginx\r\n' + '\r\n' + '\r\n', options: { url: 'https://www.vivintsky.com/api/authuser', headers: { Cookie: '__cf_bm=' }, resolveWithFullResponse: true, callback: [Function: RP$callback], transform: undefined, simple: true, transform2xxOnly: false }, response: <ref *1> IncomingMessage { _readableState: ReadableState { objectMode: false, highWaterMark: 16384, buffer: BufferList { head: null, tail: null, length: 0 }, length: 0, pipes: [], flowing: true, ended: true, endEmitted: true, reading: false, constructed: true, sync: true, needReadable: false, emittedReadable: false, readableListening: false, resumeScheduled: false, errorEmitted: false, emitClose: true, autoDestroy: true, destroyed: true, errored: null, closed: true, closeEmitted: true, defaultEncoding: 'utf8', awaitDrainWriters: null, multiAwaitDrain: false, readingMore: true, dataEmitted: true, decoder: null, encoding: null,

},
_events: [Object: null prototype] {
  end: [Array],
  close: [Array],
  data: [Function (anonymous)],
  error: [Function (anonymous)]
},
_eventsCount: 4,
_maxListeners: undefined,
socket: TLSSocket {
  _tlsOptions: [Object],
  _secureEstablished: true,
  _securePending: false,
  _newSessionPending: false,
  _controlReleased: true,
  secureConnecting: false,
  _SNICallback: null,
  servername: 'www.vivintsky.com',
  alpnProtocol: false,
  authorized: true,
  authorizationError: null,
  encrypted: true,
  _events: [Object: null prototype],
  _eventsCount: 10,
  connecting: false,
  _hadError: false,
  _parent: null,
  _host: 'www.vivintsky.com',
  _closeAfterHandlingError: false,
  _readableState: [ReadableState],
  _maxListeners: undefined,
  _writableState: [WritableState],
  allowHalfOpen: false,
  _sockname: null,
  _pendingData: null,
  _pendingEncoding: '',
  server: undefined,
  _server: null,
  ssl: [TLSWrap],
  _requestCert: true,
  _rejectUnauthorized: true,
  parser: null,
  _httpMessage: [ClientRequest],
  [Symbol(res)]: [TLSWrap],
  [Symbol(verified)]: true,
  [Symbol(pendingSession)]: null,
  [Symbol(async_id_symbol)]: 34,
  [Symbol(kHandle)]: [TLSWrap],
  [Symbol(lastWriteQueueSize)]: 0,
  [Symbol(timeout)]: null,
  [Symbol(kBuffer)]: null,
  [Symbol(kBufferCb)]: null,
  [Symbol(kBufferGen)]: null,
  [Symbol(kCapture)]: false,
  [Symbol(kSetNoDelay)]: false,
  [Symbol(kSetKeepAlive)]: false,
  [Symbol(kSetKeepAliveInitialDelay)]: 0,
  [Symbol(kBytesRead)]: 0,
  [Symbol(kBytesWritten)]: 0,
  [Symbol(connect-options)]: [Object]
},
httpVersionMajor: 1,
httpVersionMinor: 1,
httpVersion: '1.1',
complete: true,
rawHeaders: [
  'Date',
  'Fri, 20 Oct 2023 18:50:08 GMT',
  'Content-Type',
  'text/html',
  'Content-Length',
  '172',
  'Connection',
  'close',
  'Www-Authenticate',
  'Bearer scope="openid email",redirect_uri="https://www.vivintsky.com/api/oauth-redirect/<redacted>",realm="vivintsky",response_type="code",state="<redacted>",client_id="<redacted>"',
  'CF-Cache-Status',
  'DYNAMIC',
  'Server',
  'cloudflare',
  'CF-RAY',
  '819371db6de1c374-SEA'
],
rawTrailers: [],
joinDuplicateHeaders: undefined,
aborted: false,
upgrade: false,
url: '',
method: null,
statusCode: 401,
statusMessage: 'Unauthorized',
client: TLSSocket {
  _tlsOptions: [Object],
  _secureEstablished: true,
  _securePending: false,
  _newSessionPending: false,
  _controlReleased: true,
  secureConnecting: false,
  _SNICallback: null,
  servername: 'www.vivintsky.com',
  alpnProtocol: false,
  authorized: true,
  authorizationError: null,
  encrypted: true,
  _events: [Object: null prototype],
  _eventsCount: 10,
  connecting: false,
  _hadError: false,
  _parent: null,
  _host: 'www.vivintsky.com',
  _closeAfterHandlingError: false,
  _readableState: [ReadableState],
  _maxListeners: undefined,
  _writableState: [WritableState],
  allowHalfOpen: false,
  _sockname: null,
  _pendingData: null,
  _pendingEncoding: '',
  server: undefined,
  _server: null,
  ssl: [TLSWrap],
  _requestCert: true,
  _rejectUnauthorized: true,
  parser: null,
  _httpMessage: [ClientRequest],
  [Symbol(res)]: [TLSWrap],
  [Symbol(verified)]: true,
  [Symbol(pendingSession)]: null,
  [Symbol(async_id_symbol)]: 34,
  [Symbol(kHandle)]: [TLSWrap],
  [Symbol(lastWriteQueueSize)]: 0,
  [Symbol(timeout)]: null,
  [Symbol(kBuffer)]: null,
  [Symbol(kBufferCb)]: null,
  [Symbol(kBufferGen)]: null,
  [Symbol(kCapture)]: false,
  [Symbol(kSetNoDelay)]: false,
  [Symbol(kSetKeepAlive)]: false,
  [Symbol(kSetKeepAliveInitialDelay)]: 0,
  [Symbol(kBytesRead)]: 0,
  [Symbol(kBytesWritten)]: 0,
  [Symbol(connect-options)]: [Object]
},
_consuming: false,
_dumped: false,
req: ClientRequest {
  _events: [Object: null prototype],
  _eventsCount: 5,
  _maxListeners: undefined,
  outputData: [],
  outputSize: 0,
  writable: true,
  destroyed: false,
  _last: true,
  chunkedEncoding: false,
  shouldKeepAlive: false,
  maxRequestsOnConnectionReached: false,
  _defaultKeepAlive: true,
  useChunkedEncodingByDefault: false,
  sendDate: false,
  _removedConnection: false,
  _removedContLen: false,
  _removedTE: false,
  strictContentLength: false,
  _contentLength: 0,
  _hasBody: true,
  _trailer: '',
  finished: true,
  _headerSent: true,
  _closed: false,
  socket: [TLSSocket],
  _header: 'GET /api/authuser HTTP/1.1\r\n' +
    'Cookie: __cf_bm=<redacted>\r\n' +
    'host: www.vivintsky.com\r\n' +
    'Connection: close\r\n' +
    '\r\n',
  _keepAliveTimeout: 0,
  _onPendingData: [Function: nop],
  agent: [Agent],
  socketPath: undefined,
  method: 'GET',
  maxHeaderSize: undefined,
  insecureHTTPParser: undefined,
  joinDuplicateHeaders: undefined,
  path: '/api/authuser',
  _ended: true,
  res: [Circular *1],
  aborted: false,
  timeoutCb: null,
  upgradeOrConnect: false,
  parser: null,
  maxHeadersCount: null,
  reusedSocket: false,
  host: 'www.vivintsky.com',
  protocol: 'https:',
  [Symbol(kCapture)]: false,
  [Symbol(kBytesWritten)]: 0,
  [Symbol(kNeedDrain)]: false,
  [Symbol(corked)]: 0,
  [Symbol(kOutHeaders)]: [Object: null prototype],
  [Symbol(errored)]: null,
  [Symbol(kUniqueHeaders)]: null
},
request: Request {
  _events: [Object: null prototype],
  _eventsCount: 5,
  _maxListeners: undefined,
  headers: [Object],
  resolveWithFullResponse: true,
  readable: true,
  writable: true,
  _qs: [Querystring],
  _auth: [Auth],
  _oauth: [OAuth],
  _multipart: [Multipart],
  _redirect: [Redirect],
  _tunnel: [Tunnel],
  _rp_resolve: [Function (anonymous)],
  _rp_reject: [Function (anonymous)],
  _rp_promise: [Promise],
  _rp_callbackOrig: undefined,
  callback: [Function (anonymous)],
  _rp_options: [Object],
  setHeader: [Function (anonymous)],
  hasHeader: [Function (anonymous)],
  getHeader: [Function (anonymous)],
  removeHeader: [Function (anonymous)],
  method: 'GET',
  localAddress: undefined,
  pool: {},
  dests: [],
  __isRequestRequest: true,
  _callback: [Function: RP$callback],
  uri: [Url],
  proxy: null,
  tunnel: true,
  setHost: true,
  originalCookieHeader: '__cf_bm=<redacted>',
  _disableCookies: true,
  _jar: undefined,
  port: 443,
  host: 'www.vivintsky.com',
  path: '/api/authuser',
  httpModule: [Object],
  agentClass: [Function: Agent],
  agent: [Agent],
  _started: true,
  href: 'https://www.vivintsky.com/api/authuser',
  req: [ClientRequest],
  ntick: true,
  response: [Circular *1],
  originalHost: 'www.vivintsky.com',
  originalHostHeaderName: 'host',
  responseContent: [Circular *1],
  _destdata: true,
  _ended: true,
  _callbackCalled: true,
  [Symbol(kCapture)]: false
},
toJSON: [Function: responseToJSON],
caseless: Caseless { dict: [Object] },
body: '<html>\r\n' +
  '<head><title>401 Authorization Required</title></head>\r\n' +
  '<body>\r\n' +
  '<center><h1>401 Authorization Required</h1></center>\r\n' +
  '<hr><center>nginx</center>\r\n' +
  '</body>\r\n' +
  '</html>\r\n',
[Symbol(kCapture)]: false,
[Symbol(kHeaders)]: {
  date: 'Fri, 20 Oct 2023 18:50:08 GMT',
  'content-type': 'text/html',
  'content-length': '172',
  connection: 'close',
  'www-authenticate': 'Bearer scope="openid email",redirect_uri="https://www.vivintsky.com/api/oauth-redirect/<redacted>",realm="vivintsky",response_type="code",state="<redacted>",client_id="<redacted>"',
  'cf-cache-status': 'DYNAMIC',
  server: 'cloudflare',
  'cf-ray': '819371db6de1c374-SEA'
},
[Symbol(kHeadersCount)]: 16,
[Symbol(kTrailers)]: null,
[Symbol(kTrailersCount)]: 0

} }

[DevMan01]

I'm getting this exact error as well.

[txhunter]

I am as well.

[DevMan01]

I thought maybe it was something to do with an MFA code. Tried the following:

... /usr/local/lib/node_modules/@balansse/homebridge-vivint$ npm run mfa

@balansse/homebridge-vivint@1.8.3 mfa node scripts/vivint_mfa_cli

Please enter your Vivint login email: Please enter your Vivint login password: Status code was 200. MFA is not needed. Please use refreshToken: __cf_bm=HMp ... =

I don't think its that. I wonder perhaps if something changed on their API? Or, I'm seeing references to CloudFlare, perhaps they've raised some kind of captcha system?

[asander85]

I just began getting this error about 10 minutes ago. I'm completely down.

[DevMan01]

I tried to use another library, just to test login functionality via Python from this repo: https://github.com/ovirs/pyvivint I got a similar login error. This could be clouding the field, but I wonder if the source of error is upstream at Vivint.

[DevMan01]

Seeing similar chatter about this on Reddit: https://www.reddit.com/r/homebridge/comments/17cirri/vivint_failure/

[jrschat]

Watching. I am having this issue as well.

[srmora]

Well, I’m dead in the water. I ended up trying to uninstall and reinstall the app but I get no MFA key when I try logging in. I’ll continue to watch this thread but currently my HomeKit set up is hosed as I had a lot of dependencies on the Vivint various sensors, thermostats, doorbell, camera, you name it :(

[jgrimard]

It looks like Vivint stopped sending the SET-COOKIE header from https://www.vivintsky.com/api/authuser If nothing else changed, then we should be able to comment out the highlighted lines and it should work again. I don't have time to work on it right now, heading out the door. Maybe later tonight or this weekend.

[ripple7511]

I commented out lines 165 and and 168-- no dice, unfortunately. I'll dig into this later tonight to see what I can find as well.

[aacentric]

I'm no coder, but The Home Assistant integration still works. Not sure if the authentication methods are similar but hopefully that helps some of you who are much better at this troubleshoot!

[srmora]

I don’t believe Home Assistant has Vivint plug-in. That’s why I’m using Homebridge.

[aacentric]

I don’t believe Home Assistant has Vivint plug-in. That’s why I’m using Homebridge.

https://github.com/natekspencer/hacs-vivint

It's a HACS repository, can add that way. Works perfectly with Home Assistant.

[srmora]

Interesting and awesome at the same time I had no idea I'll look into that because I need my Vivint. Thank you.

[jgrimard]

I created pull request #127 to fix this issue. This fix is working on my system.

[arjunmehta]

Could be worthwhile examining this file, especially the first 100 lines, to see if there’s anything obvious:

https://github.com/natekspencer/vivintpy/blob/main/vivintpy/vivintskyapi.py#L18-L100

EDIT: I love open source software. By the time I posted, someone had already fixed the issue. Hah. Awesome @jgrimard !

[aacentric]

Please please forgive my ignorance, buuuutttt.....the pull request mentioned above lists some changes which apparently work, how do I translate that into my plugin working? Do I just need to wait for an update or can I integrate these changes easily with a few clicks??

[jgrimard]

Please please forgive my ignorance, buuuutttt.....the pull request mentioned above lists some changes which apparently work, how do I translate that into my plugin working? Do I just need to wait for an update or can I integrate these changes easily with a few clicks??

It would be easiest to wait for @balansse to merge the pull request and publish to NPM. Then you can update the plugin.

[srmora]

OK I guess I'll wait for the update. But in the meantime, I went ahead and installed. HACS oh my existing Home Assistant, but I was not really using. And then I managed to get the Vivint integration installed and configured. I can't see everything on HomeKit but at least I have my access to my alarm and re-added them to my automations.

But I'll be glad when the Vivint plug-in for HomeKit/Homebridge is working again because I need access to everything via HomeKit 🤞🏽

[mbentley]

I know absolutely nothing about node and using npm but it seems that I can manually install the patch from the PR's branch for now until a fix is merged and published using npm install git+https://github.com/jgrimard/homebridge-vivint.git\#patch-2

[krayzie32]

I know absolutely nothing about node and using npm but it seems that I can manually install the patch from the PR's branch for now until a fix is merged and published using npm install git+https://github.com/jgrimard/homebridge-vivint.git\#patch-2

This isn't working for me... the process just hangs at the below step, unless I need to be more patient (waited for around 7-10 minutes): $ npm install git+https://github.com/jgrimard/homebridge-vivint.git\#patch-2 [#########.........] / reify:@balansse/homebridge-vivint: timing reify:loadBundles Completed in 0ms

I'm executing the above within the homebridge container.

[mbentley]

Yeah, it took a while for me. And yes, I did an exec into my container and ran it and then restarted the container

[zackman0010]

Unfortunately @jgrimard's solution is a very simplistic fix that only works if you already have a valid session token. If you've regenerated your token and it's now invalid, or if your session expires, his change would not fix the authentication issue. The issue is that Vivint apparently enabled Cloudflare Bot Management, which adds a new cookie into every request. The Vivint script is only set up to handle a single cookie, so when this new cookie appeared the script started grabbing the wrong cookie value. I'm currently working on my own PR to make sure it grabs the correct cookie.

[balansse]

Huge thanks to @jgrimard for the fix! I just published the new version to NPM - go ahead and update the plugin and it should work again!

[jgrimard]

Thank you @balansse. I just updated from the plugin from within Homebridge and all is working again. I also tested generating a new refresh token and it worked fine.

[zackman0010]

@balansse Please see my PR #128 @jgrimard Generating the token will sometimes work, as it depends on what order the cookie headers are in, which is not deterministic. If you're lucky enough that the s session cookie is first, then it'll work. But if CloudFlare's __cf_bm cookie is first, then that's the one you'll grab, which won't work for authentication.

[olivierlacan]

@balansse @jgrimard Thank you both so much.

I can confirm however that what @zackman0010 describes did happen when I recently refreshed my credentials.

[srmora]

Beautiful, got it working again thank you. Since I had hosed it trying to get it to work I ended up uninstalling reinstalling and then generating a new token. All works beautiful. Thank you so much.

[DevMan01]

Confirmed @zackman0010 's issue. Basically, I just sat at the settings page and generated a new refresh token until I got one that started with s= instead of __cf_bm and that did the trick. It works now, very grateful. But, perhaps we need to do something to make sure the token comes up correctly.

[zackman0010]

It works now, very grateful. But, perhaps we need to do something to make sure the token comes up correctly.

@DevMan01 I've got an open PR to do exactly that, so this issue will be fixed as soon as it gets merged in.

[krayzie32]

Thank you to everyone who helped fix this!

[jgrimard]

Version 1.8.5 fixes these issues and is available as an update. Please set this issue as resolved with #128

[balansse]

Resolved with #128