🐛 BUG: `wrangler login` behind a VPN

[rigor789]

Which Cloudflare product(s) does this pertain to?

Wrangler core

What version(s) of the tool(s) are you using?

3.3.0 [wrangler]

What version of Node are you using?

20.4.0

What operating system are you using?

Mac

Describe the Bug

$ wrangler login
 ⛅️ wrangler 3.3.0
------------------
Attempting to login via OAuth...
Opening a link in your default browser: https://dash.cloudflare.com/oauth2/auth.....

-> Browser opens, I press Allow -> Browser redirects to localhost:8976/... but shows "Unable to connect"

There's an exception in the terminal:

/Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:30633
            throw a;
            ^

SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
    at JSON.parse (<anonymous>)
    at parseJSONFromBytes (/Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:6565:19)
    at successSteps (/Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:6536:27)
    at /Users/rigor789/.nvm/versions/node/v20.4.0/lib/node_modules/wrangler/wrangler-dist/cli.js:5099:83
    at node:internal/process/task_queues:140:7
    at AsyncResource.runInAsyncScope (node:async_hooks:206:9)
    at AsyncResource.runMicrotask (node:internal/process/task_queues:137:8)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Node.js v20.4.0

Turns out this is caused by certain network conditions such as using a VPN that seemingly triggers a bot verification, that's not accounted for in the wrangler login flow.

Inspecting the response that's being parsed shows a html page titled "Just a moment..." with some javascript presumably for verifying the user. Seems like this contains sensitive info, hence I'm not sharing it here.

Disabling the VPN fixes the issue.

Additional notes

Sounds like others have ran into this issue recently based on a Discord conversation: https://discord.com/channels/595317990191398933/799437470004412476/1133135405928173638

Please provide a link to a minimal reproduction

No response

Please provide any relevant error logs

No response

[Cherry]

For some additional context, it seems it's the POST https://dash.cloudflare.com/oauth2/token call that 403s due to BM. Disabling BM on this endpoint would probably be a good idea if it's going to be used by wrangler.

[maddsua]

I've been experiencing this issue while using a self-hosted Outline VPN instance on DigitalOcean. Temporary switching to an instance on Oracle Cloud allowed me to authorize Wrangler

[maddsua]

Hey, still no updates? The issue seem to persist

[veber88]

Encountered issue with vpn wireguard on digitalocean.

[Unintendedz]

same here

[dutsik-p]

same issue. more context:

• vpn wireguard on hetzner
• node is running in WSL

[thrhgh]

Same issue with wireguard vpn on hetzner. Any solutions for this?

[sosioo]

Same issue here but not using any VPN. No change in my system. It just stopped working and I get that error at the login redirection step:

/home/user/.nvm/versions/node/v20.11.1/lib/node_modules/wrangler/wrangler-dist/cli.js:29747 throw a; ^

SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON

[JuanJTorres11]

I have the same error as @sosioo. I have no VPN or any proxy in use.

[kol3x]

Same as @sosioo It worked fine 2 weeks ago

[outerkatza]

Same issue here.

OS: Windows 11 23H2 wrangler: 3.61.0 node: v22.2.0

C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\wrangler@3.61.0_@cloudflare+workers-types@4.20240620.0\node_modules\wrangler\wrangler-dist\cli.js:29747
            throw a;
            ^

SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
    at JSON.parse (<anonymous>)
    at parseJSONFromBytes (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\wrangler@3.61.0_@cloudflare+workers-types@4.20240620.0\node_modules\wrangler\wrangler-dist\cli.js:5287:19)
    at successSteps (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\wrangler@3.61.0_@cloudflare+workers-types@4.20240620.0\node_modules\wrangler\wrangler-dist\cli.js:5258:27)
    at fullyReadBody (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\wrangler@3.61.0_@cloudflare+workers-types@4.20240620.0\node_modules\wrangler\wrangler-dist\cli.js:3755:9)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async specConsumeBody (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\wrangler@3.61.0_@cloudflare+workers-types@4.20240620.0\node_modules\wrangler\wrangler-dist\cli.js:5267:7)
    at async exchangeAuthCodeForAccessToken (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\wrangler@3.61.0_@cloudflare+workers-types@4.20240620.0\node_modules\wrangler\wrangler-dist\cli.js:154542:31)
    at async Server.<anonymous> (C:\Users\<User>\Documents\Code\<project_name>\node_modules\.pnpm\wrangler@3.61.0_@cloudflare+workers-types@4.20240620.0\node_modules\wrangler\wrangler-dist\cli.js:154703:30)

Node.js v22.2.0
 ELIFECYCLE  Command failed with exit code 7.

[petebacondarwin]

Please can you all try using wrangler@beta since this contains additional logging. We believe that the cause is a bot-challenge on one of the REST API endpoints that our login flow uses.

[weizhenye]

✘ [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response.

✘ [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done.

/foo/node_modules/wrangler/wrangler-dist/cli.js:29747
            throw a;
            ^

Error: Invalid JSON in response: status: 403 Forbidden
    at getJSONFromResponse (/foo/node_modules/wrangler/wrangler-dist/cli.js:155262:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async exchangeAuthCodeForAccessToken (/foo/node_modules/wrangler/wrangler-dist/cli.js:154894:31)
    at async Server.<anonymous> (/foo/node_modules/wrangler/wrangler-dist/cli.js:155055:30) {
  [cause]: SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
      at JSON.parse (<anonymous>)
      at getJSONFromResponse (/foo/node_modules/wrangler/wrangler-dist/cli.js:155249:17)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async exchangeAuthCodeForAccessToken (/foo/node_modules/wrangler/wrangler-dist/cli.js:154894:31)
      at async Server.<anonymous> (/foo/node_modules/wrangler/wrangler-dist/cli.js:155055:30)
}

[weizhenye]

The result of utf8DecodeBytes(bytes) in parseJSONFromBytes when using wrangler@latest

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Attention Required! | Cloudflare</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" /><![endif]-->
<style>body{margin:0;padding:0}</style>

<!--[if gte IE 10]><!-->
<script>
  if (!navigator.cookieEnabled) {
    window.addEventListener('DOMContentLoaded', function () {
      var cookieEl = document.getElementById('cookie-alert');
      cookieEl.style.display = 'block';
    })
  }
</script>
<!--<![endif]-->

</head>
<body>
  <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
      <div class="cf-wrapper cf-header cf-error-overview">
        <h1 data-translate="block_headline">Sorry, you have been blocked</h1>
        <h2 class="cf-subheadline"><span data-translate="unable_to_access">You are unable to access</span> dash.cloudflare.com</h2>
      </div><!-- /.header -->

      <div class="cf-section cf-highlight">
        <div class="cf-wrapper">
          <div class="cf-screenshot-container cf-screenshot-full">

              <span class="cf-no-screenshot error"></span>

          </div>
        </div>
      </div><!-- /.captcha-container -->

      <div class="cf-section cf-wrapper">
        <div class="cf-columns two">
          <div class="cf-column">
            <h2 data-translate="blocked_why_headline">Why have I been blocked?</h2>

            <p data-translate="blocked_why_detail">This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.</p>
          </div>

          <div class="cf-column">
            <h2 data-translate="blocked_resolve_headline">What can I do to resolve this?</h2>

            <p data-translate="blocked_resolve_detail">You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.</p>
          </div>
        </div>
      </div><!-- /.section -->

      <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300">
  <p class="text-13">
    <span class="cf-footer-item sm:block sm:mb-1">Cloudflare Ray ID: <strong class="font-semibold">89c7a1adcee1642e</strong></span>
    <span class="cf-footer-separator sm:hidden">&bull;</span>
    <span id="cf-footer-item-ip" class="cf-footer-item hidden sm:block sm:mb-1">
      Your IP:
      <button type="button" id="cf-footer-ip-reveal" class="cf-footer-ip-reveal-btn">Click to reveal</button>
      <span class="hidden" id="cf-footer-ip">240e:390:c57:13f0:1436:a80b:3985:7d84</span>
      <span class="cf-footer-separator sm:hidden">&bull;</span>
    </span>
    <span class="cf-footer-item sm:block sm:mb-1"><span>Performance &amp; security by</span> <a rel="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span>

  </p>
  <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-reveal");b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMContentLoaded",d)})();</script>
</div><!-- /.error-footer -->

    </div><!-- /#cf-error-details -->
  </div><!-- /#cf-wrapper -->

  <script>
  window._cf_translation = {};

</script>

<script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'89c7a1adcee1642e',t:'MTcxOTg0OTg2My4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script></body>
</html>

[anurag-roy]

Can confirm, hit the same error as @weizhenye

[pigri]

It's the same error, but I don't have a VPN.

[twodft]

I got the same issue multiple times a day, no VPNs, but still the same issue.

SyntaxError: Unexpected token '<', "<!DOCTYPE "... is not valid JSON
    at JSON.parse (<anonymous>)
    at parseJSONFromBytes (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:5287:19)
    at successSteps (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:5258:27)
    at fullyReadBody (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:3755:9)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async specConsumeBody (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:5267:7)
    at async exchangeAuthCodeForAccessToken (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:154542:31)
    at async Server.<anonymous> (C:\Users\Administrator\AppData\Roaming\npm\node_modules\wrangler\wrangler-dist\cli.js:154703:30)

Node.js v20.13.1

And it's also sad to find that the wrangler login with auth token won't work anymore, each time I need to login and do a deployment. So annoy

[petebacondarwin]

We are currently working on an internal fix to resolve this. Sorry for the problems with logging in.

[penalosa]

We've released a fix for this—please let us know if you're still running into issues!

[anurag-roy]

@penalosa Its working now without any issues, many thanks! Tested it a few times on my machine.

[qutek]

thankyou @penalosa

confirmed, it now working well with 3.63.0

[dutsik-p]

I am still expierence the issue with running wrangler behind the vpn:

wrangler 3.64.0 vpn - self-hosted on hezner

the console log: ✘ [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response.

✘ [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done.

[maddsua]

yo it's still broken in 3.65.1 really appreciate the effort but I still cannot use wrangler when behind a proxy

X [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response.

X [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done.

what do I do with it now ?

also, why the heck is there even a captcha on that endpoint? is it one of those great engineering practices where you put it everywhere just in case that's not even reachable?

[thrhgh]

I am still expierence the issue with running wrangler behind the vpn:

wrangler 3.64.0 vpn - self-hosted on hezner

the console log: ✘ [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response.

✘ [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done.

I have exactly the same issue running a vpn (wireguard) on a hetzner server. Issue is not resolved in the latest version.

[penalosa]

If anyone is still running into this, could you try the prerelease from #6315? npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/10046908126/npm-package-wrangler-6315 login. That should print out some more debugging information which we can use to diagnose this further.

[penalosa]

A workaround here is using CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN, as documented here: https://developers.cloudflare.com/workers/wrangler/ci-cd/#1-authentication

[dutsik-p]

If anyone is still running into this, could you try the prerelease from #6315? npx https://prerelease-registry.devprod.cloudflare.dev/workers-sdk/runs/10046908126/npm-package-wrangler-6315 login. That should print out some more debugging information which we can use to diagnose this further.

[maddsua]

Interesting how apparently it is fixed by explicitly using an API token but doesn't work with wrangler's own auth flow. Maybe the problem is not in wrangler itself but in API endpoint? You guys have too much captchas over there, especially for endpoints that aren't even accessible for a random bot from the outside. I mean, before redirecting there a user is literally taken to page and only after interacting with the page a token is generated. I don't know, makes no sense to me.

[petebacondarwin]

@maddsua - indeed you are mostly correct.

The problem you are seeing is that occasionally the API endpoint that Wrangler uses to do the OAuth flow hits our bot challenge. The normal endpoints that Wrangler uses to do its day to day work are different and very rarely (if ever) hit bot challenges.

The work we have done recently (3 weeks ago) was to give the OAuth endpoint an exception from bot-challenge so it should not be triggering.

But there may still be some cases where the request is still deemed to be a potential bot (e.g. a shared VPN IP address, for example) and that is probably what you are seeing here. If there are many bots using the VPN service you are also using then it likely that it will trigger a bot challenge.

[dutsik-p]

I use private vpn on a tiny helmet vm that does not has any other functionality except serving as a vpn server for my iPhone and windows pc…

On Tue, 23 Jul 2024 at 16:45, Pete Bacon Darwin @.***> wrote:

@maddsua https://github.com/maddsua - indeed you are mostly correct.

The problem you are seeing is that occasionally the API endpoint that Wrangler uses to do the OAuth flow hits our bot challenge. The normal endpoints that Wrangler uses to do its day to day work are different and very rarely (if ever) hit bot challenges.

The work we have done recently (3 weeks ago) was to give the OAuth endpoint an exception fro bot-challenge so it should not be triggering.

But there may still be some cases where the request is still deemed to be a potential bot (e.g. a shared VPN IP address, for example) and that is probably what you are seeing here. If there are many bots using the VPN service you are also using then it likely that it will trigger a bot challenge.

— Reply to this email directly, view it on GitHub https://github.com/cloudflare/workers-sdk/issues/3672#issuecomment-2245302787, or unsubscribe https://github.com/notifications/unsubscribe-auth/AZRGCTUEX56VIVCYZ4CS3XDZNZM6FAVCNFSM6AAAAAA2WDR6KKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBVGMYDENZYG4 . You are receiving this because you commented.Message ID: @.***>

[maddsua]

But there may still be some cases where the request is still deemed to be a potential bot (e.g. a shared VPN IP address, for example) and that is probably what you are seeing here. If there are many bots using the VPN service you are also using then it likely that it will trigger a bot challenge.

For the reference, I'm hosting an instance on DigitalOcean, is it still considered shared in this case? And technically it's not a VPN but a proxy but that's not relevant.

[di-sukharev]

outline vpn on DO

[petebacondarwin]

This is currently blocked on getting more information about the bot-challenge rule that is being triggered. If you are experiencing this, please can you provide the CF Ray ID that should be printed in the latest version of Wrangler when this problem occurs.

[nzoghbi]

I'm experiencing the same problem. Ray ID: 8ac74213eb3417e9-EWR

✘ [ERROR] The body of the response was HTML rather than JSON. Check the debug logs to see the full body of the response ✘ [ERROR] It looks like you might have hit a bot challenge page. This may be transient but if not, please contact Cloudflare to find out what can be done. When you contact Cloudflare, please provide your Ray ID: 8ac74213eb3417e9-EWR