-
-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
2FA support #146
Comments
I don't really think there's going to be a solution to this. |
I just enrolled in 2FA and the only possible solution I see is to configured 2FA to use email, then write some code that gets the 2FA code from your email and sends it to the Arlo API. Of course, this library does not support that currently. |
This is really a very bad decision by Arlo as it will break all kind of external automation together with the Arlo cams. We really should send them many mails and comment in the forums so that they at least will either make it not mandatory or provide a kind of application passwords as it is done with other providers. |
Yep, unfortunately, that's our only recourse. |
Jeffrey, I tried to play with the 2FA and Python as I do have the possibility to receive SMS with my Raspberry where my Home Automation system is running and thought, maybe I would be able to read that SMS and use it for login via Python. The 401 error which is currently thrown is because the Login call tells us: {'error': '1900', 'message': 'To access your account, please download our new Arlo app or disable two-step verification.', 'reason': 'Please update to the latest version of this app, or deactivate Two-Step Authentication on your account, to login on this device.'} So for me it seems that the API calls have changed to a somehow newer version which supports both 2FA and non-2FA. How did you get all the the information about which GET/POST requests are used by Arlo? The calls made by the web browser seems to be totally different from the requests made by the Python script. So I am bit lost now. Maybe you can help me a bit so that I can continue playing. Thanks! |
@m0urs I use the Network tab in Chrome's developer tools. They have new auth endpoints, which this library isn't updated to use yet:
Request Headers:
Request Body:
Response Headers:
Response Body:
|
Thanks, so I was on the right way ... Guess I need to some try and error now ;-) |
After that there is a "GET https://ocapi-app.arlo.com/api/validateAccessToken?data = XXXXX' where "XXXXX' is the value from the field 'authenticated' from the request above. This requests fails : Request (GET https://ocapi-app.arlo.com/api/validateAccessToken?data%20=%20XXXXX) failed: {'meta': {'message': 'Access token is invalid', 'code': 400, 'error': 9022}} I guess because I am missing the correct value for the "Authorization" header variable. It seems that this is NOT the value from 'token' (starting with "2_") which we get from the first request but something which looks totally different and starting with "Ml9": Authorization: Ml9vaG13NnJ6SDZBOTBTbW9V......lFdzllZWdS I have currently no idea where this value comes from or how to calculate it from other fields. Maybe it is some kind of hash of the token. Maybe someone from the community can do also some tests here and give me a hint from where this "Authorization" header is coming. The password for the new API is also somehow hashed (but this would not be such a big problem). |
@jeffreydwalter Are there any plans to update the library with the new endpoints? This hasn't worked for me for a while, and I'm honestly not sure where to begin with doing it myself and doing a pull request. |
I am currently playing around with it a bit. However, I cannot promise that this will lead to a positive result ;-) - and I cannot tell you about a time frame. |
Maybe Arlo will not set 2FA mandatory as they had communicated up to now. If I understand that support chat correctly we still would be able to choose: However: Since 2 days I am unable to use the old authentication mechanism even without 2FA enabled with my accounts :-( I tried to re-write the code so that it is using the new API but I am not yet successful. Seems that we now also need to consider the cookies in all requests. Still trying to get it working, however it is try & error as I am not really a Python programmer ;-) |
Is there OAuth implementation support without 2FA? Looks like they've removed the v2 API ahead of requiring 2FA support. |
It seems they are now only using the new API which can be used with and without 2FA. I am currently trying to implement the new API without 2FA so that I can use my scripts again. However, as I said before, I am not a programmer and I cannot promise if I am successful ;-) |
Bad news :-(
|
Well this really sucks, but I predicted it. I registered my displeasure on the Arlo forum. It would have been nice to get some notice. Now I am scrambling to find an alternative hardware/software solution. Thanks, everyone, for your efforts to try and work around this. |
well seems there are some fixes out. Hope we can use it for this lib. |
@nst2020 they are just logging into your mailbox and polling for the 2FA email to get the token. That is the approach I am also planning on. Have been busy, was hoping someone in the community would take some initiative and make a PR. If not, I'll probably have time in the next week or two. |
As I said, I am currently working on changing the script to use the new API as even without 2FA it is no longer working for me for some days ... I also do have some code for 2FA in it, but currently only for playing (I need to put in the second factor manually, just to see how it works). I was planning to get the second factor via SMS as I do have another machine which can receive SMS. Nevertheless, if you would be able to make "real" code even better ;-) Let me know before you start so maybe I can give you at least what I already have. Maybe you can re-use something ... |
I adapted the code so that it now uses the new Authentication API and added also some proof of concept code for using 2FA. However, currently you need to put in the second factor sent by SMS manually. It needs more work now to automate that. At least I can now use my script again 8without 2FA) as Arlo seems to have stopped authentication with the older API a few days ago. You find my code here. Maybe you can use parts for your own. |
Thank you for this. I'm trying to implement the changes you made so I can run my download script again, and it seems to authenticate, but every time it runs it just passes 'success' and doesn't do anything else. Any chance you can help with that?
|
@death2all110 I can have a look if you provide me with your full script which you are using. If you like you can mail me directly as this does not really fit to the 2FA issue here ... Mail address see my Github profile. |
@m0urs Thanks a lot for your pre-work implementing the new api-endpoints! I was wondering why my scripts weren´t working with my home automation as i noticed that arlo now enters the passwods base64 and also new endpoints are targeted. I just implemented your changes and it works like a charm!!! @death2all110 Please notice that @m0urs changed also requests.py and eventstream.py! If you are running your own scripts with Arlo.py, dont forget to encode the password.
|
@m0urs are you planning on making a PR for your changes? It would be greatly appreciated by everyone that uses the library. |
@jeffreydwalter As I did only adapt some of the functions in Arlo.py yet, I would not yet like to create a PR. I am currently working with @death2all110 who is using some more functions and will adapt my version of Arlo.py accordingly. But that will not include all functions. Do you think it make sense to merge my changes even if they are not yet complete? Maybe, because currently the whole script seems no longer work at all. What do you think? |
Thanks for updating this! Is there a lag in the package deployment becuase I don't seem to be updating?
|
Try upgrading:
|
Yeah. An OTP would be ideal. Then |
Just checking, wouldn't using a Tasker plugin and an Android phone also help with two factor authentication? By using Auto notification, I can quite easily click the approve button, every time a login takes place. Or am I overlooking something? Edit: Modified the code a bit to use Push authentication instead of SMS, created a tasker profile to select approve automatically and it works within 5 seconds |
I have a working implementation of MFA using SMS. After reviewing the API I see now how the email option is implemented so I am going to adapt my code to use email (which is always going to be an option for everyone I would imagine) instead of SMS. This would eliminate the need for Google Voice or equivalent. My solution is an AWS serverless solution and is a 2 stage process (a pre-stage process which gives you a URL to query every second until the code shows up, and an out-of-band process that accepts and parses the MFA email and saves the OTP code). |
Ok. I switched over to using email for MFA instead of SMS. The code and process to implement is here: https://github.com/twratl/arlo-mfa-aws. I welcome feedback. I have this working successfully in my application (although I turned off MFA for now since it isn't yet a requirement). You will need a couple things like a domain and an AWS account. |
Dear @twratl, i am currently worried about 2FA, because this will kill my current setup enabling alro-modes with my home automation. I had a look at your solution and really like this approach, big thanks for that! I try to keep all my data (except arlo videos) @home, thats why i am thinking about a different approach: Best regards, |
@huberda, thanks for reaching out. I will say that the solution I built for AWS stores VERY little info and it is wiped within a day IIRC. My Arlo automation runs from AWS Lambda, hence my AWS solution. However if you want to pursue a fully "on prem" solution, I don't see why the same high level process could not be adapted. You would still source the second factor via email likely and then using imap you can check for the arrival of the message in the inbox and parse out the MFA code which you then provide to the Arlo API. You would need to roll your own logic for the IMAP piece but it seems rather straightforward (check inbox for messages in the last 1 minute from the Arlo address as an example). Not sure imapbox is needed although it could work I guess. I was thinking just a direct imap call to your inbox. |
@twratl: Thanks for your reply! I fully agree, i just tought about a user-friendly way to implement 2FA without additional components. Regarding IMAP i will check for a good solution (direct IMAPClient or existging module) - regarding logic i am thinking about a timeout loop that could be configured (e.g. check inbox x times for mails in last y minutes) for MFA code. I will have a look on this within the next weeks... |
Hi Guys, I have been able to obtain the MFA code from SMS or email and save it into a txt file. This was done using software called integromat, which you should be able to access on the free tier. I'm happy to help anyone that wants to go that way. Unfortunately, I'm lacking in the skill set to adapt the code the Jeffrey has written to import this in. At this stage I'm trying to find a way to ideally force the email option of MFA (as this isn't relying on a sim service to be active), then read the contents of a file saved in dropbox called MFA.TXT which would contain the code. I would assume that there would need to be a pause between the request stage and accessing with the MFA code. |
Hi guys, not sure if anybody still uses this library but I opened a PR #160 for automatic request and retrieval of 2FA tokens from a gmail account and restores the ability to use this library. After reading this thread it seems like there also needs to be a corresponding update to read from the new API but perhaps this gets us half-way? It sounds like there has been some progress on using the new API. This technique requires users to set up an OAuth client for accessing gmail via google's api. At the very least it does not require a twilio/google voice or AWS integration and accessing google's api is free for any gmail account. |
If there is interest, I would also be open to running a service on heroku or something that can do this automagically. There is a good amount of security required in this scenario though since it requires read access to the gmail account. We could open source it |
In the meantime I have moved to another Python library as base for my house automation control for Arlo: https://github.com/m0urs/arlo-fhem |
Hi. May I ask if there is a solution to log-in with 2FA, which I can integrate in my previous .py code? download_Arlo.py.PASSWORD_CANCELED.txt The .py is called by this simple bash script: Many thanks in advance if anybody can help on this. |
Dear @ll, i am still struggeling with all arlo-libraries (also pyarlo and arlo-fhem). It seems that cloudflare broke all implementations. I already investigated a lot of time to get a stable and working script, but without success. I am currently thinking about to sell my whole arlo setup, because this really su..... Best regards! |
I took a small peek at the work required to get this integration working again and I don't think Arlo is the way forward for me personally. It would be easier (and cheaper!) to replace this setup than to try to shoehorn a new integration. @jeffreydwalter I don't know if you're still around but what did you end up doing? |
I tested with 2FA enabled which has been working as well. However, currently I am running without 2FA and it is very stable for me using my https://github.com/m0urs/arlo-fhem. |
Seems that they just changed something, at least if you are using 2FA with non-english langauge: twrecked/pyaarlo#63 (comment) |
Thanks @jeffreydwalter; using python2.7 without tfa works fine for me again. I already moved all scripts to python3 in the past, so i never tried to downgrade it again. |
I've got an issue open with the requests project. They have acknowledged the regression, but it's not clear if they consider it a bug. |
@jeffreydwalter Thank you so much for the quick and precious feedback.
Reverting to Python 2.7 is the solution for my case. The script run by
Pythin 2.7 works fine again as it was used to do before beginning of May,
when the problem began.
Many thanks again!
…_________________________________________________
On Mon, 24 May 2021, Jeffrey Walter wrote:
Date: Mon, 24 May 2021 14:23:54 -0700
From: Jeffrey Walter ***@***.***>
Reply-To: jeffreydwalter/arlo
***@***.***>
To: jeffreydwalter/arlo ***@***.***>
Cc: ptkmora ***@***.***>, Comment ***@***.***>
Subject: Re: [jeffreydwalter/arlo] 2FA support (#146)
@huberda @booi the issue you guys are having is related to the requests library in Python 3.x. It's broken.
This library works fine if you disable Arlo 2FA and use Python 2.7.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or
unsubscribe.[AUGJ3WZDXFQP46E2ZAYZP3DTPK7WVA5CNFSM4LE6NC42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOGKAXRZA.gif]
|
It looks like @jeffreydwalter has fixed the Python 3.x issue with a new version so I decided to give it a spin. I can confirm that the previous issue related to CloudFlare blocking Python ( I've run into another issue, however. Is anyone else able to use the API at the moment with NO MFA on their account? I'm getting this, I'll need to debug it further.
EDIT: May be a dupe of #168 |
Hi all, I'm having a similar issue with 2FA, the error Before 2FA was activated on my account, I could use this code without any issues, but now that 2FA is on (and I cannot deactivate it on my account), it no longer functions (to get regular snapshots, for an eventual time-lapse). I can provide more details if necessary, but it seems some are able to use this repository with 2FA - what is the best method? |
For anyone looking to use mfa, this branch is working https://github.com/jeffreydwalter/arlo/tree/mfa-pr It uses the Google Gmail API, so you'll have to set that up (see the docs folder): https://github.com/jeffreydwalter/arlo/blob/mfa-pr/docs/ARLO_MFA.md |
@jeffreydwalter: Thanks for your update, i just implemented your new branch and its working fine! For the mail-inbox did not matched your query-string, because alro-mails are sent in german language - therefore i adjusted:
I also opened a tickets @Netgear and asked for 2FA deactivation - but i dont think they will go for it. Best regards |
@jeffreydwalter thank you for your hard work on this! One note on documentation - the documentation says to use And, unrelated, a silly thing that bit me that I wanted to document in case anyone is googling for it - if you see errors like 'ascii' codec can't decode byte 0xe5 in position 1: ordinal not in range(128) that most likely means that you may have ran the (not quite sure if there's some way to gracefully handle that with a better error message in LoginMFA function?) To fix that, all you need to do is delete |
@jeffreydwalter @Aeon Thanks for the feedback, I made the doc changes in #178. |
Wiki is still missing the slash after http://localhost:7788 |
Got Arlo's that said "Two-step verification is an added layer of account security to verify that it's really you, even if someone knows your password. By the end of the year, Arlo will require all users to enable two-step verification. We strongly encourage you to enable this feature now for added security"
At the moment 2FA is not working for these Arlo python scripts.
What version of Python are you using (
python -V
)?Python 3.7.6
What operating system and processor architecture are you using (
python -c 'import platform; print(platform.uname());'
)?Which Python packages do you have installed (run the
pip freeze
orpip3 freeze
command and paste output)?Which version of ffmpeg are you using (
ffmpeg -version
)?Which Arlo hardware do you have (camera types - [Arlo, Pro, Q, etc.], basestation model, etc.)?
Arlo Camera, Arlo Base Station
What did you do?
Enabled 2FA support on Arlo app (Settings - Profile - Login Settings - Two-Step Verification - Enable=true).
What did you expect to see?
What did you see instead?
Does this issue reproduce with the latest release?
Yes
The text was updated successfully, but these errors were encountered: