Error: mfa_input_not_found / Recaptcha is required

[DavidBrightSparc]

After setting up teslamate v1.24.0 as per the documentation, attempting to sign in with either my main Tesla account (which has MFA) or a secondary I set up with access to the vehicle (with no MFA) results in the message: Error: :mfa_input_not_found

Both accounts log into Tesla.com with no issue. Signing into teslamate with Auth Token works.

This is a new install, not an upgrade from a previous version.

How to reproduce it (as minimally and precisely as possible):

Log into the teslamate UI with either my primary (with MFA) Tesla account, or secondary (no MFA) account.

Relevant entries from the logs

2021-09-05 17:35:03.828 [info] GET https://auth.tesla.com/oauth2/v3/authorize -> 200 (290.579 ms)

2021-09-05 17:35:04.937 [info] POST https://auth.tesla.com/oauth2/v3/authorize -> 200 (1104.744 ms)

Screenshots

Environment

• TeslaMate version: 1.24.0
• Type of installation: Docker & Traefik
• OS TeslaMate is installed on: Ubuntu 20.04.2 LTS
• User OS & Browser: Windows 10 - Chrome v92 and Firefox v91.0.2

Edit: Unsure if it is related, but after signing in with auth token, this error appears in the teslamate logs:

2021-09-06 07:13:54.271 [info] GET /

2021-09-06 07:13:54.273 [info] Sent 302 in 1ms

2021-09-06 07:13:54.294 [info] GET /sign_in

2021-09-06 07:13:54.296 [info] Sent 200 in 1ms

2021-09-06 07:14:15.251 [info] POST https://auth.tesla.com/oauth2/v3/token -> 200 (296.419 ms)

2021-09-06 07:14:16.191 [info] POST https://owner-api.teslamotors.com/oauth/token -> 200 (940.062 ms)

2021-09-06 07:14:16.200 [info] Scheduling token refresh in 5 wk 5 d

2021-09-06 07:14:16.489 [info] GET /

2021-09-06 07:14:16.619 [error] GenServer #PID<0.3081.0> terminating

** (FunctionClauseError) no function clause matching in TeslaMateWeb.SignInLive.Index.handle_event/3

    (teslamate 1.24.0) lib/teslamate_web/live/signin_live/index.ex:131: TeslaMateWeb.SignInLive.Index.handle_event("validate", %{"_csrf_token" => "[token]", "_target" => ["_csrf_token"]}, #Phoenix.LiveView.Socket<assigns: %{api: TeslaMate.Api, callback: #Function<6.32743947/3 in TeslaMateWeb.SignInLive.Index.mount/3>, error: nil, flash: %{}, live_action: nil, page_title: "Sign in", state: %TeslaMateWeb.SignInLive.Index.State.Tokens{changeset: #Ecto.Changeset<action: nil, changes: %{}, errors: [access: {"can't be blank", [validation: :required]}, refresh: {"can't be blank", [validation: :required]}], data: #TeslaMate.Auth.Tokens<>, valid?: false>}, task: nil}, changed: %{}, endpoint: TeslaMateWeb.Endpoint, id: "[endpoint]", parent_pid: nil, root_pid: #PID<0.3081.0>, router: TeslaMateWeb.Router, transport_pid: #PID<0.3079.0>, view: TeslaMateWeb.SignInLive.Index, ...>)

    (phoenix_live_view 0.15.7) lib/phoenix_live_view/channel.ex:342: anonymous fn/3 in Phoenix.LiveView.Channel.view_handle_event/3

    (telemetry 0.4.3) /opt/app/deps/telemetry/src/telemetry.erl:272: :telemetry.span/3

    (phoenix_live_view 0.15.7) lib/phoenix_live_view/channel.ex:204: Phoenix.LiveView.Channel.handle_info/2

    (stdlib 3.15.2) gen_server.erl:695: :gen_server.try_dispatch/4

    (stdlib 3.15.2) gen_server.erl:771: :gen_server.handle_msg/6

    (stdlib 3.15.2) proc_lib.erl:226: :proc_lib.init_p_do_apply/3

Last message: %Phoenix.Socket.Message{event: "event", join_ref: "9", payload: %{"event" => "validate", "type" => "form", "uploads" => %{}, "value" => "_csrf_token=[token]&_target=_csrf_token"}, ref: "10", topic: "lv:[endpoint]"}

2021-09-06 07:14:17.496 [info] Starting logger for '[id]'

Worth mentioning the car is currently offline due to being in an underground carpark with no access to WiFi or 4G.

[qohjjang]

I have the same issue - Docker all up to date, deleted old image (never actually ran due to new token thing), start from scratch. Got the same error (Error: :mfa_input_not_found). No issue with signing into Tesla account, car is charging..

[ghost]

Same issue here since this weekend. Other app (Pump on iOS) and login at Tesla works fine.

[psy-mann]

I can also confirm the error on a 1.23.7 Docker environment. With Fresh Install without a login on Tesla.

[adriankumpf]

Tesla have tightened the captcha security once again and now require Google reCAPTCHA to generate API tokens. reCAPTCHA loads the challenge via JavaScript so there does not seem to be a way to bypass this. This could be the end of this cat-and-mouse game since Tesla clearly does not want third-parties to access their API.

Related issues:

• https://github.com/timdorr/tesla-api/issues/431
• https://github.com/alandtse/tesla/issues/20
• https://github.com/timdorr/tesla-api/discussions/390

The only remaining workaround is to sign in using existing API tokens (there's a button on the TeslaMate sign-in form). There are multiple apps available to generate them yourself, for example:

• Auth app for Tesla (iOS, macOS)
• Tesla Tokens (Android)
• Tesla Auth (macOS, Linux, Windows)

[DavidBrightSparc]

Tesla have tightened the captcha security once again and now require Google reCAPTCHA to generate API tokens. reCAPTCHA loads the challenge via JavaScript so there does not seem to be a way to bypass this.

I generated tokens via the Tesla Tokens app on Android and it didn't require any reCAPTCHA, so there must be a way around it.

[johannlejeune]

I generated tokens via the Tesla Tokens app on Android and it didn't require any reCAPTCHA, so there must be a way around it.

AFAIK, the captcha doesn't appear every time. It depends on many factors. If it's not sure you're a human, it will show the captcha. If it's pretty sure you're a human, it won't even show it. It can also depend on the device/browser/ISP/behavior/etc. Since Teslamate sends requests directly without going through a browser, the chances of hitting the captcha are pretty high, and unfortunately, there's not much that can be done here from my experience, even when going through a browser. Bot-detection on Google's end is pretty accurate. There are third-party services that exist to fill these captchas, but they're slow and can be pricey if you're making a large a mount of requests.

[JonG67x]

I've been playing with this today to get it working. I've previously always used email and password but that doesn't seem to work. Teslamate seems to want the API token and the refresh token, but there are 2 different refresh tokens, one generated alongside the bearer token, and a second refresh token that is created alongside the api token. Teslamate only accepts the first of these tokens (much longer token), but I can't find any documentation on its use as evberywhere else including Timdor suggests its the second token thats needed. Anyway - if you can get access to both then one of them works.

All the fixes I've seen on the recaptcha seem pay the tiny amount to the third party services that solve them except one thats a messy switching between 2 browsers.

[adrianmace]

This is related but not directly - didn't think of a better place to ask. When using alternative methods to generate an auth token and refresh token pair.. is there an expiry on the refresh token validity or will that refresh token work indefinitely and continue to re-generate new auth tokens as required?

[cwanja]

This is related but not directly - didn't think of a better place to ask. When using alternative methods to generate an auth token and refresh token pair.. is there an expiry on the refresh token validity or will that refresh token work indefinitely and continue to re-generate new auth tokens as required?

Thought about this issue as well. Curious if when the token expires, will the streaming API stop working? E.g. if I am in the middle of a drive and it expires, does my data logger stop polling the car?

[adriankumpf]

The refresh token is used to retrieve a new pair of tokens. In fact, when you sign up with tokens, TeslaMate refreshes those tokens immediately. This can be repeated infinitely. That means there is no expiration date.

[JonG67x]

There are 2 different refresh tokens

A long one issues along side the bearer token which doesn’t change (presumably it does with a password reset and can otherwise be used indefinitely) and a short one issued alongside the api token which when used creates a new api token and new short token , and expires itself and the old api token.

Anyone asking for the long refresh token doesn’t need to ask for an API token as they can just create one anyway.

Sent from my iPhone

On 27 Sep 2021, at 17:04, Adrian Kumpf @.***> wrote:

 The refresh token is used to retrieve a new pair of tokens. In fact, when you sign up with a pair of tokens, TeslaMate refreshes those tokens immediately. This can be repeated infinitely. That means there is no expiration date.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe. Triage notifications on the go with GitHub Mobile for iOS or Android.

[cwanja]

The refresh token is used to retrieve a new pair of tokens. In fact, when you sign up with tokens, TeslaMate refreshes those tokens immediately. This can be repeated infinitely. That means there is no expiration date.

Thanks @adriankumpf

[Rathna-K]

I've been playing with this today to get it working. I've previously always used email and password but that doesn't seem to work. Teslamate seems to want the API token and the refresh token, but there are 2 different refresh tokens, one generated alongside the bearer token, and a second refresh token that is created alongside the api token. Teslamate only accepts the first of these tokens (much longer token), but I can't find any documentation on its use as evberywhere else including Timdor suggests its the second token thats needed. Anyway - if you can get access to both then one of them works.

All the fixes I've seen on the recaptcha seem pay the tiny amount to the third party services that solve them except one thats a messy switching between 2 browsers.

Couldnt we find what the Tesla App uses for headers and UA and replicate it? Wondering if that would help...

[ngardiner]

Couldnt we find what the Tesla App uses for headers and UA and replicate it? Wondering if that would help...

An app and a web interface are two very different things in terms of Tesla Auth flow. An app can intercept and catch redirects to tesla auth URLs to get the key, whereas a web interface can't. This is why you might note all of the workarounds at the moment are apps, as they can do things that a web interface cannot (ie influence the browser to not redirect to a tesla URL and directly access the tokens in the DOM object).

Browsers will never allow this via JavaScript due to the security implications.

[Glicker]

Hi there, brand new here, but your tips helped me make it work. I'm coming from Teslafi and there I could show all three tokens, the API token, the Refresh Token and the excruciatingly long SSO refresh token. Using the first and third together, I got the green light from Teslamate. Edit: one can do a trial of Teslafi to get these if required. I would guess it would work.

[aramatev]

Tesla have tightened the captcha security once again and now require Google reCAPTCHA to generate API tokens. reCAPTCHA loads the challenge via JavaScript so there does not seem to be a way to bypass this. This could be the end of this cat-and-mouse game since Tesla clearly does not want third-parties to access their API.

Related issues:

• authorize endpoints now require reCAPTCHA for generating new access/refresh tokens timdorr/tesla-api#431
• ERROR for site owner: Invalid domain for site key alandtse/tesla#20
• Tesla Added a Captcha Verification on the Login Page timdorr/tesla-api#390

The only remaining workaround is to sign in using existing API tokens (there's a button on the TeslaMate sign-in form). There are multiple apps available to generate them yourself, for example:

• Auth app for Tesla (iOS, macOS)
• Tesla Tokens (Android)
• Tesla Auth (macOS, Linux, Windows)

is this even safe? IOS app has 2 ratings?

[JonG67x]

There's another way which is to do a combo. Use Tesla to generate the code which many are struggling to do, me included, by emulating the steps using CURL etc and run into the various Captcha and server issues, take the code from that and pick up on the steps in the code else where around here from the point where you use the code. One of the 3rd party sites have already implemented it and are turning the fact they use Tesla to generate the code into a virtue as you don't need to provide the 3rd party your username and password. On the plus side its free and web based and no need to download an app. https://tesla-info.com/tesla-token.php

[a-bianucci]

I'm trying to use one of the two apps above, specifically the TeslaFi App.

It gives 3 tokens

1. New Toke
2. Refresh Token
3. SSO Token which is extremely long.

Which of the 2 tokens do I use, I can't get back into my teslamate, and username\password isn't work. I'm hoping one of you all know which token to use.

I completely rebuilt my teslmate on my pi and still same issue.

I was able to run the same docker-compose on desktop and use the tokens from above and all worked just fine. Is there something I may be missing, a stuck container\config or something?

[JonG67x]

Probably the first and last without seeing them, from memory the short starts qts- or eu- depending where you are, and the really long one doesn’t expire unlike the short refresh token which is a use once token. The Tesla-info link gives them which is what I used on teslamate albeit a few months back.

[Glicker]

I'm trying to use one of the two apps above, specifically the TeslaFi App.

It gives 3 tokens

1. New Toke
2. Refresh Token
3. SSO Token which is extremely long.

Which of the 2 tokens do I use, I can't get back into my teslamate, and username\password isn't work. I'm hoping one of you all know which token to use.

I completely rebuilt my teslmate on my pi and still same issue.

I was able to run the same docker-compose on desktop and use the tokens from above and all worked just fine. Is there something I may be missing, a stuck container\config or something?

First and Third (long one) worked for me in November.

[JonG67x]

Just tried it again (and maybe something is going on as Tesla made me change my password as it said I'd had too many invalid password attempts which meant I needed to provide a set of details for Teslamate). Teslamate ask for the "refresh" token and the "refresh" token displayed by tesla-info worked first time, but from memory there is more than one refresh token returned from the API.

[FlorentMasson]

It looks like tesla expired lots of token. I had to refresh and https://tesla-info.com/tesla-token.php worked fine for me

[SteveDonie]

I was able to log back into my Teslamate install (v 1.24.2) using the access token and refresh token generated using https://github.com/adriankumpf/tesla_auth

Both of those tokens are VERY LONG strings of text - about 1200 characters each.

[a-bianucci]

I wasn't able to get the tesla_auth to work via the website. However did use one of the other apps and was eventually able to get in.

The downside is my original install could never get in no matter what. Any new docker containers, methods of install I tried worked just fine, just not the original :(. Lost that data but thankfully I have a copy in TeslaFi.