emersion / hydroxide

A third-party, open-source ProtonMail CardDAV, IMAP and SMTP bridge
MIT License

Login temporarily not permitted #181

Closed simonhughxyz closed 3 years ago

simonhughxyz commented 3 years ago

I keep getting a

    request failed: POST https://mail.protonmail.com/api/auth: [9001] Login temporarily not permitted from your connection for security reasons, please try again later. Using a VPN may cause this error

error when trying to log in through hydroxide.

I tried following the advice of the message, waited a few days and tried again, and still no luck. I can log in through the browser and even the official protonmail-bridge but hydroxide will not work.

LordRishav commented 3 years ago

I am getting the same error, what is the fix for this?

emersion commented 3 years ago

Compare the requests with the webapp's or the official bridge's, figure out what's different. -debug can help with printing hydroxide's requests.

dvalter commented 3 years ago

They switched to a kind of SSO that looks exactly like previous auth but uses account.protonmail.com rather than mail.protonmail.com. My workaround from #179 works, but this cookie should be fresh for auth to work, so there should be a new login in a Private/Incognito tab without any previous PM sessions.

LordRishav commented 3 years ago

@dvalter Didn't work on my end. I logged into an Incognito tab to ProtonMail and copied the Cookie Session ID and tried to pass that as an argument, it still says the same.

ValHeimer commented 3 years ago

The @dvalter workaround is working on my end (maybe you have to do it under the same IP address)

jacktheripper19 commented 3 years ago

I have the same problem. @dvalter's workaround did not work on my end, even when having the same IP address.

LordRishav commented 3 years ago

On a fresh build of hydroxide, I no longer have this issue. I recommend rebuilding hydroxide after removing all the config and cache files

KyleGospo commented 3 years ago

Broken for me on the latest build, also tried dvalter's workaround with the same results.

Noodlez1232 commented 3 years ago

I am also having this same exact problem.

mczap commented 3 years ago

Same here on a fresh install of the latest build.

Noodlez1232 commented 3 years ago

So I've been digging around and I think I might have a few theories on why this is happening:

  1. The new web client came out, and with that, a new modulus pubkey for SRP. That being said, it seems that WebClient uses the same exact key
  2. The API has changed and this one is deprecated now. Although I looked at the python one and it used the same exact API it seemed
  3. ProtonMail has a way of detecting if the client sending is actually the bridge or not.

Things I've tried are:

Things I've noticed are:

Lemme know if there's any more info that would help. I have been looking through the WebClient source code and honestly this whole thing feels like a mess of spaghetti, but I'm trying to figure out how exactly they are doing their API.

Man, times like this just make me wish ProtonMail would just release a documented API already. Even a poorly documented one would be better than this.

EDIT: I did a bit more digging and it seems the WebClient requires a human verification when 9001 occurs, so maybe something for this needs to be implemented?

EDIT 2: I went and cleared my cookies for ProtonMail as well and was not shown a captcha or anything of the sort, so that's odd as well.

tomoqv commented 3 years ago

The workaround didn't work for me on ManjaroARM on Pinephone. Compiled hydroxide today and have tried everything above. Still getting the 9001 error every single time no matter what I do.

proletarius101 commented 3 years ago

One possibility is https://github.com/emersion/hydroxide/blob/c5c673afc07d2e66762c16ae13a182c114d0b09f/cmd/hydroxide/main.go#L39

tomoqv commented 3 years ago

> One possibility is https://github.com/emersion/hydroxide/blob/c5c673afc07d2e66762c16ae13a182c114d0b09f/cmd/hydroxide/main.go#L39

Could you please elaborate? Do you mean that the AppVersion should be changed, and if so, to what version? Thanks

proletarius101 commented 3 years ago

> > One possibility is https://github.com/emersion/hydroxide/blob/c5c673afc07d2e66762c16ae13a182c114d0b09f/cmd/hydroxide/main.go#L39
>
> Could you please elaborate? Do you mean that the AppVersion should be changed, and if so, to what version? Thanks

I realized that it's not that simple. The new authorization endpoints and AppVersion are completely different. The easiest workaround is to change the API host to old.protonmail.com and keep everything else the same. Later we should change the whole set of endpoints.

emersion commented 3 years ago

Note, the official bridge code is here: https://github.com/ProtonMail/proton-bridge/blob/master/pkg/pmapi/manager_auth.go

tomoqv commented 3 years ago

I changed line 36 in main.go to `RootURL: "https://old.protonmail.com/api",` and recompiled. Then I logged into a web session in chromium at old.protonmail.com and picked the cookie sessionID from there and tried `hydroxide auth my.name [sessionID]` which returned the same error as above.

I am at a loss here, but I am willing to try anything you want me to.

proletarius101 commented 3 years ago

> I changed line 36 in main.go to `RootURL: "https://old.protonmail.com/api",` and recompiled. Then I logged into a web session in chromium at old.protonmail.com and picked the cookie sessionID from there and tried `hydroxide auth my.name [sessionID]` which returned the same error as above.
>
> I am at a loss here, but I am willing to try anything you want me to.

Maybe just use your password? The session id is more of the recent version.

You may also want to just use my modified version of the official GUI bridge, which has the changes I described: https://gitlab.com/secure-system/proton/proton-bridge-flatpak

Changes at https://gitlab.com/secure-system/proton/proton-bridge/-/compare/master...master-ci?from_project_id=19655918

proletarius101 commented 3 years ago

> Note, the official bridge code is here: https://github.com/ProtonMail/proton-bridge/blob/master/pkg/pmapi/manager_auth.go

Yet that requires the same format of app version as the official bridge, and has some limits such as the number of accounts

tomoqv commented 3 years ago

I am running ProtonMail Bridge v1.8.7 on my Manjaro laptop, but that doesn't seem to be the one referred to in hydroxide. Where does the `AppVersion: "Web_3.16.6"` in main.go come from?

emersion commented 3 years ago

> Where does the `AppVersion: "Web_3.16.6"` in main.go come from?

It comes from the official web client, as do the other details, but may be outdated.

tomoqv commented 3 years ago

Yes, it finally worked. The AppVersion should be "Web_3.16.65" when using old.protonmail.com.

Thanks!

emersion commented 3 years ago

Can you submit a pull request with your changes?

tomoqv commented 3 years ago

Oh, I would like to, but I am still too much of a novice on Github, but this is what I did:

Open the file hydroxide/cmd/hydroxide/main.go

Change lines 38 & 39 from

        RootURL:    "https://mail.protonmail.com/api",
        AppVersion: "Web_3.16.6",

to

        RootURL:    "https://old.protonmail.com/api",
        AppVersion: "Web_3.16.65",

Recompile hydroxide with the command:

    GO111MODULE=on go build ./cmd/hydroxide

Authorize hydroxide with the command:

    hydroxide auth [user.name]

And you should be good to go!

harleylang commented 3 years ago

Thanks @tomoqv for sharing your research! I tested your fix and it works. I got you covered and have submitted #183

arunsathiya commented 3 years ago

Unfortunately, even with the old endpoint and Web_3.16.65, I am seeing the error:

2021/07/27 13:10:53 request failed: POST https://old.protonmail.com/api/auth: [9001] Login temporarily not permitted from your connection for security reasons, please try again later. Using a VPN may cause this error
2021/07/27 13:10:53 [9001] Login temporarily not permitted from your connection for security reasons, please try again later. Using a VPN may cause this error

If it's worth noting, I cloned hydroxide only after https://github.com/emersion/hydroxide/pull/183 was merged. So, that means I didn't have to make any changes to this line myself:

https://github.com/emersion/hydroxide/blob/master/cmd/hydroxide/main.go#L39

rnek0 commented 3 years ago

> Oh, I would like to, but I am still too much of a novice on Github, but this is what I did:
>
> Open the file hydroxide/cmd/hydroxide/main.go
>
> Change lines 38 & 39 from
>
>     RootURL:    "https://mail.protonmail.com/api",
>     AppVersion: "Web_3.16.6",
>
> to
>
>     RootURL:    "https://old.protonmail.com/api",
>     AppVersion: "Web_3.16.65",
>
> Recompile hydroxide with the command:
>
>     GO111MODULE=on go build ./cmd/hydroxide
>
> Authorize hydroxide with the command:
>
>     hydroxide auth [user.name]
>
> And you should be good to go!

Everything works fine for me. Thank you for your great work.

arunsathiya commented 3 years ago

I ended up using @dvalter's SessionID based workaround: https://github.com/emersion/hydroxide/issues/179#issuecomment-855228269

ghost commented 3 years ago

I have tested on newest master (so it uses the old. subdomain) and also have tried the cookie workaround on it. Neither seems to work now.

Protonmail seems to refresh the cookie as soon as I attempt to log in with hydroxide.

I think this issue should be reopened.

Looks like the only hope now is #184, I really hope Proton does not do this intentionally.

metronidazole commented 3 years ago

@Dormouse759 Can confirm this issue.