giorgi-o / SkinPeek

Awesome Valorant Discord bot to see your daily shop, night market, battlepass progression, and much more
GNU General Public License v3.0

Bot crashes whenever a user tries to /login #4

Closed mistralwz closed 2 years ago

mistralwz commented 2 years ago
Assertion failed: Auth Request Cookies status code is 403! {
  statusCode: 403,
  headers: {
    date: 'Wed, 26 Jan 2022 01:34:30 GMT',
    'content-type': 'text/plain; charset=UTF-8',
    'content-length': '16',
    connection: 'close',
    'x-frame-options': 'SAMEORIGIN',
    'referrer-policy': 'same-origin',
    'cache-control': 'private, max-age=0, no-store, no-cache, must-revalidate, p
ost-check=0, pre-check=0',
    expires: 'Thu, 01 Jan 1970 00:00:01 GMT',
    'expect-ct': 'max-age=604800, report-uri="https://report-uri.cloudflare.com/
cdn-cgi/beacon/expect-ct"',
    'x-riotgames-cdn': 'Cloudflare',
    'set-cookie': [
      '[redacted]
; path=/; expires=Wed, 26-Jan-22 02:04:30 GMT; domain=.riotgames.com; HttpOnly;
Secure'
    ],
    server: 'cloudflare',
    'cf-ray': '6d35ffce0bd14cad-SIN'
  },
  body: 'error code: 1020'
}
Assertion failed: Auth status code is 403! {
  statusCode: 403,
  headers: {
    date: 'Wed, 26 Jan 2022 01:34:30 GMT',
    'content-type': 'text/plain; charset=UTF-8',
    'content-length': '16',
    connection: 'close',
    'x-frame-options': 'SAMEORIGIN',
    'referrer-policy': 'same-origin',
    'cache-control': 'private, max-age=0, no-store, no-cache, must-revalidate, p
ost-check=0, pre-check=0',
    expires: 'Thu, 01 Jan 1970 00:00:01 GMT',
    'expect-ct': 'max-age=604800, report-uri="https://report-uri.cloudflare.com/
cdn-cgi/beacon/expect-ct"',
    'x-riotgames-cdn': 'Cloudflare',
    server: 'cloudflare',
    'cf-ray': '6d35ffceea306c3f-SIN'
  },
  body: 'error code: 1020'
}
file:///C:/aaaa/SkinPeek-master/util.js:46
    for(const cookie of setCookie) {
                        ^

TypeError: setCookie is not iterable
    at parseSetCookie (file:///C:/aaaa/SkinPeek-master/util.js:46:25)
    at redeemUsernamePassword (file:///C:/aaaa/SkinPeek-master/Valorant/auth.js:
79:12)
    at processTicksAndRejections (node:internal/process/task_queues:96:5)
    at async refreshToken (file:///C:/aaaa/SkinPeek-master/Valorant/auth.js:261:
47)
    at async authUser (file:///C:/aaaa/SkinPeek-master/Valorant/auth.js:39:12)
    at async getPrices (file:///C:/aaaa/SkinPeek-master/Valorant/skins.js:109:25
)
    at async getPrices (file:///C:/aaaa/SkinPeek-master/Valorant/skins.js:100:29
)
    at async refreshSkinList (file:///C:/aaaa/SkinPeek-master/Valorant/skins.js:
58:93)

Started happening this morning, I think Rito updated something on their end. This crash gets triggered whenever someone uses /login or when there's an existing users.json DB on startup.
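
The second 403 in the log above has no `set-cookie` header, and the trace ends in `setCookie is not iterable`. The sketch below is an added example, not SkinPeek's code or the project's fix: it classifies the response before parsing cookies and tolerates a missing header. `checkAuthResponse`, the `reason` strings and both sample responses are assumptions constructed for illustration.

```javascript
// Added example; not SkinPeek's code. Response objects mimic the shape printed in the log.
const CLOUDFLARE_BLOCK = /^error code: (\d+)$/;

// Accepts whatever headers["set-cookie"] holds: an array, a single string, or undefined.
function parseSetCookie(setCookie) {
    if (setCookie === undefined || setCookie === null) return {};
    const lines = Array.isArray(setCookie) ? setCookie : [setCookie];
    const cookies = {};
    for (const line of lines) {
        if (typeof line !== "string") continue;
        const pair = line.split(";", 1)[0];      // drop Path, Expires, HttpOnly, ...
        const eq = pair.indexOf("=");
        if (eq <= 0) continue;                   // skip malformed entries
        cookies[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
    }
    return cookies;
}

// Classify the response before touching its cookies, so a WAF block is reported, not thrown.
function checkAuthResponse(res) {
    const body = typeof res.body === "string" ? res.body.trim() : "";
    const blocked = CLOUDFLARE_BLOCK.exec(body);
    if (res.statusCode === 403 && blocked) {
        return { ok: false, reason: "blocked-by-waf", detail: `Cloudflare error ${blocked[1]}`, cookies: {} };
    }
    if (res.statusCode < 200 || res.statusCode >= 300) {
        return { ok: false, reason: "http-error", detail: `status ${res.statusCode}`, cookies: {} };
    }
    return { ok: true, reason: null, detail: null, cookies: parseSetCookie(res.headers["set-cookie"]) };
}

// Constructed inputs: BLOCKED follows the second 403 in the log; ACCEPTED uses made-up cookies.
const BLOCKED = { statusCode: 403, headers: { server: "cloudflare" }, body: "error code: 1020" };
const ACCEPTED = {
    statusCode: 200,
    headers: { "set-cookie": ["sid=constructed-value; path=/; HttpOnly; Secure", "theme=dark"] },
    body: "{}",
};

console.log(checkAuthResponse(BLOCKED).detail);
console.log(checkAuthResponse(ACCEPTED).cookies);
```

Returning a result object lets the command handler reply to the one user whose login was blocked instead of taking the whole bot process down.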

giorgi-o commented 2 years ago

Yeah, rito have seen a lot of malicious traffic from people trying to crack Valorant accounts, so as a part of the 2FA update they're tightening security on the auth via a very strict Cloudflare firewall.

Here are a few screenshots from the conversation with a riot dev:

[four screenshots]

So yeah, Riot are not too keen on apps that use usernames/passwords to log in.

What solutions are there?

Personally using /cookies still works, but I think cookies have gotten longer as well, so much so that they're over the 4000 char limit for nitro users lol. Cutting out the __Secure-id_hint and __cf_bm cookies is just enough to get under it, but that doesn't help non-nitro users.
A fix for that would be to let users upload their cookie in a txt file.

Overall, this is a change on Riot's end, most if not all third-party unofficial projects are affected, and no clear solution is available at the moment.

mistralwz commented 2 years ago

Your reply is really detailed yet easy to understand for someone as inexperienced as I am, thank you!!

And regarding the cookies command, a friend of mine (w/o Nitro) could send the command with the cookies being 3.5k characters so I think for now everyone can log in like that. Perhaps changing the /login output to link this wiki would be nice for the time being...

giorgi-o commented 2 years ago

Yeah, changing the /login command to accept cookies by default is the last resort.

Until then, I think I might have fixed it with https://github.com/giorgi-o/SkinPeek/commit/abcc431ba777d5b2c5971652b157c0114f75ccee, could you give it a go?

mistralwz commented 2 years ago

Tried abcc431ba777d5b2c5971652b157c0114f75ccee, everything seems to be working fine!!

giorgi-o commented 2 years ago

Ok so it's been a week and it seems to work fine, I think I can consider this resolved :)