Looks like I requested too many OTPs #2605

jeffgoldszer opened this issue Oct 8, 2024 · 22 comments

@jeffgoldszer

IMPORTANT: Please search the issues, including closed issues, and the FAQ before opening a new issue. The template is mandatory; failure to use it will result in issue closure.

I was logging in successfully but not seeing any devices. I have tried several times, each time requiring a login. Currently, after I submit my login credentials, I get options on how I want to get my OTP. When I pick one, I am immediately asked for my email address. Consequently, Amazon will not text an OTP to my cell phone number. When I log in to Amazon I need to use the authentication app.

To Reproduce

I really don't know how to reproduce this. I am guessing login some amount of times. I can show you the behavior.

Expected behavior

Screenshots

Recording.2024-10-08.133443.mp4

System details

  • Home Assistant version:
  • alexa_media version (from const.py or HA startup log):
  • alexapy version (from `pip show alexapy` in homeassistant container or HA startup log):

  • Is Amazon 2FA/2SV enabled <!---We will not debug login issues if unanswered---> (y/n):
  • Amazon Domain:

Debug Logs (alexa_media & alexapy)
Please provide logs.

Additional context

@kizzera

kizzera commented Oct 8, 2024

+1

@danielbrunt57
Collaborator

AMP cannot use that sequencing of windows to log into your account. It can only handle a first window with email+password on same screen followed by the OTP window with its app generated OTP prefilled. Your sequence has an additional options window to select the type of OTP and that will never work with the AMP proxy login as it will return to AMP after that window with a login failed result code and AMP then sends you back to the beginning page again.
You need to change your Amazon account to only use OTP via app.

@jeffgoldszer
Author

jeffgoldszer commented Oct 8, 2024

> AMP cannot use that sequencing of windows to log into your account. It can only handle a first window with email+password on same screen followed by the OTP window with its app generated OTP prefilled. Your sequence has an additional options window to select the type of OTP and that will never work with the AMP proxy login as it will return to AMP after that window with a login failed result code and AMP then sends you back to the beginning page again. You need to change your Amazon account to only use OTP via app.

Hey Daniel. I hope this response finds you and your family well. Thank you for your response. I am not sure what you mean by the sequencing of windows? I realize that AMP only accepts credentials from the form that prompts both email and password. However, the initial login form only contains a prompt for the email followed by an additional prompt for the password. In order to get the form containing both, the user has to create an existing account and then select the button to login.

After that AMP prompts for the OTP. Because I reconfigured a certain amount of times, Amazon is not sending me a text containing the OTP. After the login screen it is giving me 3 choices to get the OTP and AMP does not know how to handle it.

I am not sure what you mean by "You need to change your Amazon account to only use OTP via app"? My Amazon security is set up for 2FA where the Authenticator can be used. If that were not the case I could not have got this far.

@danielbrunt57
Collaborator

danielbrunt57 commented Oct 8, 2024

Why is Amazon giving you 3 choices to get the OTP? It's not AMP doing that as all of those login screens are provided from Amazon. Your Amazon security should be set up for 2SV only via Authenticator App and other options should never be an option! AMP was never written to handle anything else when OTP/2SV is configured.

@jeffgoldszer
Author

I am not sure why. I can tell you that my Alexa devices were not being discovered. So I would uninstall AMP and install it again. I am guessing that Amazon has a maximum OTP per day that it will text to a cell phone. When I log in to my Amazon account, Amazon will not text me an OTP. So, I have to ask for another way to get the OTP. It gives me the options: Text me, Call me or use the Authenticator App. Text me does not work, I have not tried option 2 and so I use the Authenticator App. You can see the same options are offered in the video. It's just that with AMP, it does not prompt for the OTP code.

@danielbrunt57
Collaborator

danielbrunt57 commented Oct 8, 2024

> I am not sure why. I can tell you that my Alexa devices were not being discovered. So I would uninstall AMP and install it again. I am guessing that Amazon has a maximum OTP per day that it will text to a cell phone. When I log in to my Amazon account, Amazon will not text me an OTP. So, I have to ask for another way to get the OTP. It gives me the options: Text me, Call me or use the Authenticator App. Text me does not work, I have not tried option 2 and so I use the Authenticator App. You can see the same options are offered in the video. It's just that with AMP, it does not prompt for the OTP code.

AMP CAN NOT USE A TEXTED OTP CODE! YOU NEED TO PROVIDE THE OTP SECRET IN THE AMP CONFIG SETUP!

@jeffgoldszer
Author

I think that is partially right. The AMP installation form only accepts an Authentication App Secret key. But when AMP asks me to log in, the OTP was texted to me.

@danielbrunt57
Collaborator

danielbrunt57 commented Oct 9, 2024

> I think that is partially right. The AMP installation form only accepts an Authentication App Secret key. But when AMP asks me to log in, the OTP was texted to me.

AMP did not ask you to login, Amazon did. The issue is that AMP expects the first Amazon window to be email+password and an optional second window to enter the OTP code. If the login completes and returns to AMP after the first window, AMP proceeds to process whether the login was successful or not. If not, it opens the 2nd window as instructed by Amazon which should be the entry of the OTP code. If the login is successful, AMP processes the cookie and continues. If however after the second window AMP has not seen a "successful login", it returns you to the beginning of the sequence to start over, hence the loop you see. So, you need to disable the option in your Amazon account to "text me a code" with the only method being the "enter OTP code from authenticator app" and then your login sequence will be either one or two pages. A three page login sequence will always fail and loop you back to start over after the 2nd window.

danielbrunt57 changed the title from "Looks like I requested too many otps" to "Looks like I requested too many OTPs" on Oct 9, 2024

@bamzero

bamzero commented Oct 27, 2024

This seems reminiscent of an earlier problem I had though I don't remember if it would get to the OTP stage but from memory the workaround was instead of choosing Sign in, choose Create new account but use the same email and when it says account already exists continue and it would work ok.

@danielbrunt57
Collaborator

> This seems reminiscent of an earlier problem I had though I don't remember if it would get to the OTP stage but from memory the workaround was instead of choosing Sign in, choose Create new account but use the same email and when it says account already exists continue and it would work ok.

That was before the initial link in alexapy/alexalogin.py was changed from "https://www.amazon.com/ap/signin" to "https://www.amazon.com/ap/register" as Amazon changed how the signin page is structured.
The new link opens a slightly different amazon sign in window where you only have to change the selection from Sign in - New customer to Already a customer.

@danielbrunt57
Collaborator

@jeffgoldszer The issue is that AMP expects the first Amazon window to be email+password and an optional second window to enter the OTP code. If the login completes and returns to AMP after the first window, AMP proceeds to process the cookie from the "successful login". If unsuccessful, it opens the 2nd window as instructed by Amazon which should be the entry of the OTP code. If the login is successful upon returning to AMP, AMP processes the cookie and continues. If however after the second window AMP has not seen a "successful login", it returns you to the beginning of the sequence to start over, hence the loop you see. So, you need to disable the option in your Amazon account to "text me a code" with the only method being the "enter OTP code from authenticator app" and then your login sequence will be either one or two pages. A three page login sequence will always fail and loop you back to start over after the 2nd window.

@bniedermayr

bniedermayr commented Dec 6, 2024

Ah, interesting. That would mean that in my case, where the login is split into two pages being displayed (one for entering the username and another to enter the password), it would never work, wouldn't it?


@bniedermayr

> The issue is that AMP expects the first Amazon window to be email+password and an optional second window to enter the OTP code

Is this AMP related or alexapy related? Where can I find the implementation for that part (if it is AMP related)?

@danielbrunt57
Collaborator

danielbrunt57 commented Dec 6, 2024

@bniedermayr
It's a combination of alexapy/alexalogin.py and alexa_media/config_flow.py via async_step_user linking to async_step_proxy which ends with return self.async_external_step(step_id="check_proxy", url=str(proxy_url)). The step_id="check_proxy" links then to async_step_check_proxy.
If that's all Greek to you then no worries!
If not, perfect! And thanks in advance for the help you are about to offer!!!

If you select Konto erstellen Neu bei Amazon? and pretend to be a new user, it will fail detecting already existing account. At that point, can you select "Anmelden Sie sind bereits Kunde?" and get a page with email+password on the same page?

@danielbrunt57
Collaborator

danielbrunt57 commented Dec 6, 2024

> Is this AMP related or alexapy related? Where can I find the implementation for that part (if it is AMP related)?

I believe the issue is in alexapy:
https://gitlab.com/keatontaylor/alexapy/-/blob/dev/alexapy/alexalogin.py?ref_type=heads#L630-719

@bniedermayr

bniedermayr commented Dec 8, 2024

> If you select Konto erstellen Neu bei Amazon? and pretend to be a new user, it will fail detecting already existing account. At that point, can you select "Anmelden Sie sind bereits Kunde?" and get a page with email+password on the same page?

Ah perfect! You made my day! That tricked the login pages to get to the username+passwd window in the expected range.
I'll take a look at alexapy as well.

> The issue is that AMP expects the first Amazon window to be email+password and an optional second window to enter the OTP code. If unsuccessful, it opens the 2nd window as instructed by Amazon which should be the entry of the OTP code. If the login is successful upon returning to AMP, AMP processes the cookie and continues. If however after the second window AMP has not seen a "successful login", it returns you to the beginning of the sequence to start over, hence the loop you see

Is this documented somewhere?

Would make much sense to document this valuable information.
I could create a PR for the doc.

@danielbrunt57
Collaborator

The workaround is not yet in the wiki (which anyone can edit). I've been posting my workaround everywhere I've seen it asked and this has been an issue for months now, albeit more convoluted before we changed to a different Amazon URL. It all started months ago when Amazon restructured Alexa app sign in windows.

@danielbrunt57
Collaborator

Anyone can edit the Wiki. No PR required for that.

@bniedermayr

bniedermayr commented Dec 9, 2024

Ah ok. Good to know :-)

Just added a short "Note" section here https://github.com/alandtse/alexa_media_player/wiki/Configuration#integrations-page

I hope that fits.

@bniedermayr

bniedermayr commented Dec 9, 2024

Ah, I was too hasty.....

Although now the login loop is gone and Home Assistant returns from the Alexa login UI, the login itself fails.

I missed the "Alexa Media Player could not be logged in" message completely, because I was so happy that the login loop was gone...
The difference now is that I always needed to enter a captcha first (it appeared only occasionally).

So what I see now is:

Captcha -> Enter Username (UI page) -> select signup -> get error message "account already exists" -> Enter Username+Password (UI page) -> Enter OTP (UI Page).

The Enter OTP page has an already prefilled OTP password, and I just hit the ok button.

During setup the only Home assistant logs I get so far is:

```
12:02:28.585 WARNING (MainThread) [homeassistant.util.loop] Detected blocking call to load_verify_locations with args (<ssl.SSLContext object at 0x7ffa75a4ccd0>,) inside the event loop by custom integration 'alexa_media' at custom_components/alexa_media/config_flow.py, line 374: self.proxy = AlexaProxy( (offender: /config/deps/httpx/_config.py, line 149: context.load_verify_locations(cafile=cafile)), please create a bug report at https://github.com/alandtse/alexa_media_player/issues
For developers, please see https://developers.home-assistant.io/docs/asyncio_blocking_operations/#load_verify_locations
Traceback (most recent call last):
  File "<frozen runpy>", line 198, in _run_module_as_main
  File "<frozen runpy>", line 88, in _run_code
  File "/usr/src/homeassistant/homeassistant/__main__.py", line 223, in <module>
    sys.exit(main())
  File "/usr/src/homeassistant/homeassistant/__main__.py", line 209, in main
    exit_code = runner.run(runtime_conf)
  File "/usr/src/homeassistant/homeassistant/runner.py", line 189, in run
    return loop.run_until_complete(setup_and_run_hass(runtime_config))
  File "/usr/local/lib/python3.12/asyncio/base_events.py", line 674, in run_until_complete
    self.run_forever()
  File "/usr/local/lib/python3.12/asyncio/base_events.py", line 641, in run_forever
    self._run_once()
  File "/usr/local/lib/python3.12/asyncio/base_events.py", line 1990, in _run_once
    handle._run()
  File "/usr/local/lib/python3.12/asyncio/events.py", line 88, in _run
    self._context.run(self._callback, *self._args)
  File "/config/deps/aiohttp/web_protocol.py", line 477, in _handle_request
    resp = await request_handler(request)
  File "/config/deps/aiohttp/web_app.py", line 567, in _handle
    return await handler(request)
  File "/config/deps/aiohttp/web_middlewares.py", line 117, in impl
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/security_filter.py", line 92, in security_filter_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/forwarded.py", line 210, in forwarded_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/request_context.py", line 26, in request_context_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 86, in ban_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 242, in auth_middleware
    return await handler(request)
  File "/usr/src/homeassistant/homeassistant/components/http/headers.py", line 32, in headers_middleware
    response = await handler(request)
  File "/usr/src/homeassistant/homeassistant/helpers/http.py", line 73, in handle
    result = await handler(request, **request.match_info)
  File "/usr/src/homeassistant/homeassistant/components/http/decorators.py", line 81, in with_admin
    return await func(self, request, *args, **kwargs)
  File "/usr/src/homeassistant/homeassistant/components/config/config_entries.py", line 222, in post
    return await super().post(request, flow_id)
  File "/usr/src/homeassistant/homeassistant/components/http/data_validator.py", line 74, in wrapper
    return await method(view, request, data, *args, **kwargs)
  File "/usr/src/homeassistant/homeassistant/helpers/data_entry_flow.py", line 122, in post
    result = await self._flow_mgr.async_configure(flow_id, data)
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 367, in async_configure
    result = await self._async_configure(flow_id, user_input)
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 414, in _async_configure
    result = await self._async_handle_step(
  File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 517, in _async_handle_step
    result: _FlowResultT = await getattr(flow, method)(user_input)
  File "/config/custom_components/alexa_media/config_flow.py", line 569, in async_step_totp_register
    return await self.async_step_start_proxy(user_input)
  File "/config/custom_components/alexa_media/config_flow.py", line 374, in async_step_start_proxy
    self.proxy = AlexaProxy(
```

I followed the documentation and all my dependencies should be ok:
HA-core: 2024.11.3
aiofiles: 24.1.0
alexapy: 1.29.5
alexa_media_player: v5.0.1

@danielbrunt57
Collaborator

I fixed that WARNING but from memory can't recall if it's reflected in alexapy 1.29.5 or not. I thought it was. What version is `pip show authcaptureproxy`?

@bniedermayr

bniedermayr commented Dec 9, 2024

I'm running homeassistant with docker (homeassistant/home-assistant:2024.11.3)

```
kubectl exec -ti hass-66d45d7b74-cnrv5 -- bash
hass-66d45d7b74-cnrv5:/config# pip show authcaptureproxy
Name: authcaptureproxy
Version: 1.3.3
Summary: A Python project to create a proxy to capture authentication information from a webpage. This is useful to capture oauth login details without access to a third-party oauth.
Home-page: https://github.com/alandtse/auth_capture_proxy
Author: Alan D. Tse
Author-email: 
License: Apache-2.0
Location: /config/deps
Requires: aiohttp, beautifulsoup4, httpx, multidict, typer, yarl
Required-by: AlexaPy
```
