Human Verification (broken captcha workflow on non https://mail.protonmail.com/ API entry point)

[sjordahl]

When I attempt to login to any of my ProtonMail accounts through ElectronMail I now get a popup window asking for Human Verification, but the verification doesn't appear within the window. I can log into my accounts in a normal browser without issue.

Through further investigation, it only is an issue when app.protonmail.ch is the entry point. mail.protonmail.com works fine.

[vladimiry]

Update (Jul 22):

• The workaround is to use https://mail.protonmail.com/ API entry point since it appears that @protonmail has not implemented the human verification endpoints for other API entry points. See how to change the API entry point in https://github.com/vladimiry/ElectronMail/issues/419#issuecomment-883579807. If you get logged in into the account consider enabling the "persistent session" toggle for the account (on the same account edit form, below the "API entry point" dropdown) so human verification doesn't annoy you anymore.

• The upstream issue has been placed here.

  I don't think this has something to do with the app. Although make sure you didn't enable the Block non "API entry point"-based network requests toggle on the email account settings form (see details in #312, sort of firewall feature).

The web clients packaged into the app get assembled from the code source published in @ProtonMail. Apparently, @ProtonMail has setup some sort of connection of human verification thing with the protonmail.com domain. The official/in-browser SSO signing flow is happening via that domain. The app doesn't use SSO signin scenario but the standalone/old one.

I'm labeling the issue as upstream and not going to debug it in the near future.

[Aikatsui]

Through further investigation, it only is an issue when app.protonmail.ch is the entry point. mail.protonmail.com works fine.

That happen to me on both and can't make it go away but no such problem (any verification) when login to accounts through web browser. I thought to start use persistent session feature that forgot to enable yet since it introduced.

[ask2018]

I have same issues with the "Human verification" today. It was working fine 15.7.2021. Then I was 3 days away from PC and now Ive turned it on and cannot login at all via ElectronMail application. Getting just empty white table and this error:

Access to the "subFrame" resource with "https://app-api.protonmail.ch/core/v4/captcha?Token=***" URL has been forbidden. No matched value found in ["https://app.protonmail.ch","webclient0://app.protonmail.ch","chrome-extension://mhjfbmdgcfjbbpaeojofohoefgiehjai"] URL origins list for "https://app-api.protonmail.ch" value.

[vladimiry]

@ask2018 apparently you have enabled the Block non "API entry point"-based network requests toggle for the email account, so the firewall-like logic takes place by design (in your case the non https://app.protonmail.ch/ based requests get blocked). See my previous message and #312 for details.

Then I was 3 days away from PC and now

I'd recommend to explore the persistent session feature which allows skipping the login into the email account step on app/computer restart.

[ask2018]

Yes correct I've got that block feature enabled. I've tried to disable it. Error is gone, but still getting just empty white screen with the human verification msg. So cannot login at all via application, because I see no option to verify there. My firewall is also not blocking it. Looks like something is still blocking it, but not really sure what exactly.

[vladimiry]

Still not going to debug the case in the near future.

A wild guess is that enabling the warning log level in the app might print addition info to the log file (the web/@chromium related error/warn console messages get translated to the log file). Additionally, I'd recommend to start the app with the --enable-logging argument.

[vladimiry]

Another guess is that the issue might be CORS-related as I was not aware that @protonmail uses the https://app-api.protonmail.ch/ based endpoints and so it's currently not whitelisted for explicit CORS processing. So the possible workaround is starting the app with --disable-web-security argument (although I'm not sure if it will override the value explicitly set in the code).

[vladimiry]

Btw, there is no functional https://app-api.protonmail.ch/ domain at all so it's understandable that you don't see the captcha iframe for https://app-api.protonmail.ch/core/v4/captcha URL (and no https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd-api.onion/ domain too). So it appears that the @protonmail designed the web clients code in the way that the human verification thing is only functional if you use the https://mail.protonmail.com API entry point as the captcha iframe url in this case gets resolved as https://mail-api.protonmail.com/core/v4/captcha (this URL is functional, you can click the link just in browser). So originally added "upstream" label looks valid.

[ask2018]

Unfortunately still no luck with the argument you suggested. And if I try to login in normal browser, I don't see this "human verification msg" at all a login works normally.

[ask2018]

Ah yes with .com domain I can now see the verification table. But I can only click on verifiy and then there is again nothing and still cannot login.

[ask2018]

That's weird. After few tries it finally logged me in. But nothing i've changed, just few restarts of the application.

[vladimiry]

As I pointed above the human verification is technically possible for https://mail.protonmail.com domain only. This is how it's designed by @protonmail.

And if I try to login in normal browser, I don't see this "human verification msg" at all a login works normally.

I don't know on which criteria @protonmail puts the human verification curse on you. I believe that it's technically possible for them to use the "using the ElectronMail app" / "not using the regular browser" / "not using the https://mail.protonmail.com API entry point domain" checks as criteria.

If someone faces the issue here is the possible workaround steps and things that might help with debugging the issue:

• Use different IP address (other network connection, other location). If you get lucky on another network/IP and you have enabled the persistent session feature you won't need to log in again regardless of the network.
• Set the https://mail.protonmail.com API entry point for the email account.
• Start the app from the console with the --disable-web-security argument.
• Start the app from the console with the --enable-logging argument.
• Enable the "Warning" log level mode on the "General" app settings form.

[superfreeman1989]

I got the same problem. Can't login to any accounts.

Set the https://mail.protonmail.com API entry point for the email account.

How do I do this when I can't login via the app?

[vladimiry]

How do I do this when I can't login via the app?

You can change the "API entry point" dropdown value on the account edit form in the app. It doesn't require to be logged into the email account but into the app (the app should be unlocked with a master password). If you get logged in into the account consider enabling the "persistent session" toggle for the account (on the same account edit form, below the "API entry point" dropdown) so human verification doesn't annoy you anymore.

[KaKi87]

Hello, I am experiencing this issue although I've always been using the mail.protonmail.com entry point in settings, thanks.

[vladimiry]

Still not going to debug the case in the near future.

I never said that setting https://mail.protonmail.com/ is a solution but that https://mail-api.protonmail.com/core/v4/captcha derived from https://mail.protonmail.com/ at least exists.

[superfreeman1989]

How do I do this when I can't login via the app?

You can change the "API entry point" dropdown value on the account edit form in the app. It doesn't require to be logged into the email account but into the app (the app should be unlocked with a master password). If you get logged in into the account consider enabling the "persistent session" toggle for the account (on the same account edit form, below the "API entry point" dropdown) so human verification doesn't annoy you anymore.

Thanks. After switching to .com verification box appears.

[vladimiry]

The upstream issue has been placed here.

[Nothing4You]

couldn't a workaround be allowing mail-api.protonmail.com on the permitted origins on the mail endpoint at least to avoid having to disable url security? might need extra domains such as hcaptcha.com though :/

[vladimiry]

It's not that simple since all involved human verification domains need to be know which is currently not the case (I've not explored the human verification workflow). Besides I'd in general prefer the whitelist for main/mail service remains strict. The "Block non "API entry point"-based network requests" feature is hided under the collapsed by default "Advanced settings" block for a reason so I assume the option gets normally enabled by advanced users.

[Nothing4You]

i suppose a workaround at this time may be to unblock, auth with password, then set to block again while on 2FA prompt.

it seems that whenever the api endpoint is cleared the cookies are cleared, is it possible to authenticate on one endpoint and carry the session over?

[vladimiry]

is it possible to authenticate on one endpoint and carry the session over?

Currently the session gets saved in the app per API entry point. Changing this logic is not planned. Yes when you change the API entry point via the dorpdown list the session gets explicitly reset before the client with new API URL value gets loaded.

[vladimiry]

This is an upstream issue that's supposed to be handled by @protonmail. So closing it here since no actions are planned for performing in the project's scope. See https://github.com/vladimiry/ElectronMail/issues/419#issuecomment-880891162 for details and workaround.

[vdbhb59]

Issue at hand:

Till 4.13.5 I was not getting any error. I updated today to 4.13.6, and the following error comes up when I try to add a new account and try to login.

Access to the "subFrame" resource with "https://app-api.protonmail.ch/core/v4/captcha?Token=xxxxxxxxxxxx-xxxxxxxxxx&ForceWebMessaging=1" URL has been forbidden. No matched value found in ["https://app.protonmail.ch","webclient0://app.protonmail.ch","chrome-extension://xxxxxxxxxxxx"] URL origins list for "https://app-api.protonmail.ch" value.

This happens to both app & mail API entry points. TOR does not even connect for me, so that is not applicable here.

Background: I already have 2 accounts added since 3 months in the app. Today I tried to add another account and upon trying to login is when I am facing the said error. Snapshot provided below. I have Windows 11 22000.588 installed and I use FF 100.X builds otherwise. Not sure if you need these info, but providing in case you need.

Finally, my other 2 accounts are working perfectly fine without any errors even when I switch the API points between mail & app (I just tried before raising this issue). It is only upon new account addition, is when this error occurs

[vladimiry]

Till 4.13.5 I was not getting any error. I updated today to 4.13.6, and the following error comes up when I try to add a new account and try to login.

The error message you posted says to me that you have explicitly enabled the Block non "API entry point"-based network requests toggle in the "Advanced Options" settings block located on the account edit form. This feature is a sort of firewall thing and those URLs are not whitelisted in the app. It should get back to work if you disable/untoggle the option. So it's not about the version change.

[vdbhb59]

The error message you posted says to me that you have explicitly enabled the Block non "API entry point"-based network requests toggle in the "Advanced Options" settings block located on the account edit form. This feature is a sort of firewall thing and those URLs are not whitelisted in the app. It should get back to work if you disable/untoggle the option. So it's not about the version change.

Thanks mate, but when the human verification popup comes, how do I go about it, as it does not load anything at all mate? The API error has vanished on uncheck, but I still cannot login due to blank human verification.

[vladimiry]

Thanks mate, but when the human verification popup comes, how do I go about it, as it does not load anything at all mate? The API error has vanished on uncheck, but I still cannot login due to blank human verification.

The captcha popup works for https://mail.protonmail.com/ API entry point (with disabled "Block non "API entry point"-based network requests" option which is a default behavior). If you want it to work for other API entry points you might want to complain in https://github.com/ProtonMail/WebClients/issues/248, mate.

Known workarounds:

• Use https://mail.protonmail.com/ API entry point.
• Sign-in into the account in a browser first and then maybe you won't face the captcha wall in the app anymore for a while. There were messages that this workaround was helpful to some users.
• Use different IP address (other network connection, other location). If you get lucky on another network/IP and you have enabled the "persistent session" feature for the account you won't need to log in again regardless of the network.

I'm locking the issue since there won't be updates about it until @protonmail resolves https://github.com/ProtonMail/WebClients/issues/248.