iSarabjitDhiman / TweeterPy

TweeterPy is a python library to extract data from Twitter. TweeterPy API lets you scrape data from a user's profile like username, userid, bio, followers/followings list, profile media, tweets, etc.
MIT License

Ability to pass manual MFA token to login() so OTP can be generated automatically #77

Closed burruplambert closed 2 weeks ago

burruplambert commented 2 months ago

The 6 digit OTP can be generated easily enough from the manual MFA token.

    import time
    import base64
    import struct
    import hmac
    import hashlib

    def get_hotp_token(secret, intervals_no):
        # secret is the base32 string shown next to the QR code during 2FA setup
        key = base64.b32decode(secret.upper())
        # the HOTP counter is an 8-byte big-endian integer
        msg = struct.pack(">Q", intervals_no)
        h = hmac.new(key, msg, hashlib.sha1).digest()
        # dynamic truncation: the low nibble of the last byte selects a 4-byte window
        o = h[19] & 15
        h = (struct.unpack(">I", h[o:o+4])[0] & 0x7fffffff) % 1000000
        # zero-pad so codes such as 081804 keep their leading zero
        return "{:06d}".format(h)

    def get_totp_token(secret):
        # TOTP = HOTP with the counter set to the current 30-second time step
        return get_hotp_token(secret, intervals_no=int(time.time())//30)

    # manual_mfa_token: the base32 secret supplied to login()
    totp = get_totp_token(manual_mfa_token)

This way no manual input is required.

iSarabjitDhiman commented 2 months ago

Hmmm interesting. Does it really work? I mean the submitted OTP is going to be verified on their (twitter's) end.

Edit: Oh wait, I think I know what it is. I have seen some websites generating these 2fa tokens. But aren't there 2 types of two factor auth?

  1. Services like Microsoft authenticator, google authenticator etc.
  2. Then there are OTP codes which are emailed by the platform itself, in this case twitter.

Let me know your thoughts.

burruplambert commented 2 months ago

Sorry, yes, I am referring to #1, Google Authenticator 6 digit TOTPs. The QR Code can be represented as a string which is often supplied when setting up the 2FA method.

As an example.

    manual_mfa_token = "PMUAYFPVZP6PPIZP"
    totp = get_totp_token(manual_mfa_token)

    # e.g. 123456

The ability to either pass the 6 digit OTP or the secret itself would be great. Ideally I think the secret is better because then the OTP can be generated right before submitting, otherwise the chances of it being incorrect are increased because it rotates every 30 seconds.

codilau commented 2 months ago

Yep, exactly what I requested last week. The library that generates the OTP is this one https://github.com/pyauth/pyotp. Some accounts come with the MFA code and they can't log in otherwise.

EDIT: the 6-digit code is generated by crossing the unique MFA code with the current time, hence the 30s validity

burruplambert commented 2 months ago

Additionally, it should support when the entered OTP is incorrect (probably expired).

    Enter your verification code
    Use your code generator app to generate a code and enter it below.
    Choose a different verification method

    Contact X Support
    Use a code generator app
    Use a backup code
    Choose a different verification method
    Why can’t you log in using a security key?
    You can log in to twitter.com with a security key only when using a compatible web browser. Currently, the X mobile app doesn't support the use of security keys.

    Incorrect. Please try again. - Type again ==> 

Again, this should be generated (a second time) from the token/secret if supplied.
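The two points raised in this thread, generating the code right before submission so it does not rotate in transit, and regenerating from the secret after an "Incorrect" reply, as an added example that is not part of the issue or of TweeterPy. It uses only the standard library; `TEST_SECRET` is the RFC 6238 test key, not a real account secret, and `verify`/`clock` are assumed callables standing in for the login request and the system clock.

```python
import base64
import hashlib
import hmac
import struct
import time

PERIOD = 30   # TOTP time step: the code rotates every 30 s
DIGITS = 6    # Google Authenticator style code length

# Constructed secret: the RFC 6238 test key "12345678901234567890" in base32,
# not a real account's MFA secret.
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp_at(secret_b32, unix_time):
    """RFC 6238 TOTP (HMAC-SHA1) for a Unix time, zero-padded to DIGITS."""
    key = base64.b32decode(secret_b32.replace(" ", "").upper())
    counter = struct.pack(">Q", unix_time // PERIOD)   # moving factor
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                         # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"         # keep leading zeros

def seconds_remaining(unix_time):
    """Seconds until the current code rotates."""
    return PERIOD - (unix_time % PERIOD)

def code_to_submit(secret_b32, now, min_remaining=5):
    """Return (code, seconds_to_wait). When the window is about to expire,
    use the next window's code and tell the caller how long to wait, so the
    code is not stale by the time the server checks it."""
    wait = seconds_remaining(now)
    if wait >= min_remaining:
        return totp_at(secret_b32, now), 0
    return totp_at(secret_b32, now + wait), wait

def submit_with_retry(secret_b32, verify, clock=lambda: int(time.time()), attempts=2):
    """On an 'Incorrect. Please try again.' reply, regenerate from the secret
    instead of prompting the user. `verify` submits a code and returns True if
    the server accepted it; returns the accepted code or None."""
    for _ in range(attempts):
        code, wait = code_to_submit(secret_b32, clock())
        time.sleep(wait)
        if verify(code):
            return code
    return None
```

With the RFC 6238 key, `totp_at(TEST_SECRET, 59)` gives `287082`, the published test vector truncated to six digits.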

iSarabjitDhiman commented 2 weeks ago

Implemented in ba0f49850fef0dab1ddaeddb0e1da9c0fb5c3fb7

Edit: @burruplambert please test if it's working as expected. I don't have an account with MFA enabled so I was unable to test it.