lolokraus / DegiroAPI

An unofficial API for the trading platform Degiro, with the ability to get real time data and historical data
MIT License

allow log in with 2fa #12

Open pforero opened 4 years ago

pforero commented 4 years ago

Issue: Currently degiroapi does not permit log in with accounts that use Two Factor Authentication (2FA).

Solution: If in the DeGiro.login method the user provides a TOTP code, the login is done through the TOTP login URL, and the oneTimePassword is provided as part of the login_payload.

SonGokussj4 commented 2 years ago

Hello. Are you planning to merge this to the master? Will this resolve the 2FA login?

Jakub-CZ commented 2 years ago

It would resolve it but the owner of this repo has been inactive for a few years now.

If you want you can install this package with this change like this:

pip install -U git+https://github.com/pforero/DegiroAPI.git@totp

SonGokussj4 commented 2 years ago

Oh wow, thanks. It worked. As a totp variable I entered the 6-digit code as a string from GoogleAuth.

import os
import degiroapi

degiro = degiroapi.DeGiro()
res = degiro.login(
    os.environ.get("DEGIRO_USERNAME"),
    os.environ.get("DEGIRO_PASSWORD"),
    os.environ.get("DEGIRO_TOTP")  # '123456'
)

So am I correct, I have to always type the current code for this to work? Can't this be more automated so it can work in the background?

Jakub-CZ commented 2 years ago

You can use a package that can generate the TOTP automatically, e.g. https://pypi.org/project/pyotp/

import pyotp
totp = pyotp.TOTP(DEGIRO_TOTP_SEED).now()

Getting your old DEGIRO_TOTP_SEED may be pretty hard; Degiro won't give it to you for obvious safety reasons. You may need to turn off 2FA, then enable it again so that Degiro generates a new seed for you. You'll import the seed into your GoogleAuth again, plus you'll save it securely in a way so that your script can use it.

If Degiro doesn't show the seed as a string (32 alphanumeric characters) you'll have to extract it from the QR code.

I hope I don't need to explain the security implication of doing all this.

EDIT: But I guess doing this is still better than not using 2FA at all...

SonGokussj4 commented 2 years ago

I just figured it out too. Yeah, security implications are... "Don't get hacked" :-) And use it only on a secured machine. Yeah, but better than without 2FA.

For future reference, these were my steps:

1) Log in to Degiro, disable 2FA. Then enable 2FA (re-add to the Google auth app) and scan the QR code with Google Lens or another QR reader. This shows an address in the format:

otpauth://totp/DEGIRO:MYUSERNAME?algorithm=SHA1&issuer=DEGIRO&secret=MYSECRET&digits=6&period=30

2) Add MYSECRET to my local .env file, then use pyotp library to convert it to the 6-digit verification code.

# file: .env
DEGIRO_USERNAME="MYUSERNAME"
DEGIRO_PASSWORD="MYPASSWORD"
DEGIRO_TOTP="MYSECRET"

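# file: main.py
import os

import pyotp
import degiroapi
from dotenv import load_dotenv

def main():
    load_dotenv()  # reads the DEGIRO_* values from the local .env file
    degiro = degiroapi.DeGiro()
    # DEGIRO_TOTP holds the base32 seed, not a 6-digit code
    totp = pyotp.TOTP(os.environ.get("DEGIRO_TOTP"), digits=6, interval=30)
    res = degiro.login(
        os.environ.get("DEGIRO_USERNAME"),
        os.environ.get("DEGIRO_PASSWORD"),
        totp.now())

if __name__ == "__main__":
    main()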