Reputation: 41
I'm trying to automate certain tasks for work. We have a portal that requires you to sign in through Google. I've created a Puppeteer instance that navigates to the Google auth page, types in my email and password, then stores the cookies so I can navigate through and manipulate the portal.
This works perfectly on my local environment, but I've deployed it to Heroku and Google adds a sign in challenge. After entering the password, I'm given the 'Verify it's you' page that says 'This device isn't recognized' and asks me to complete 2-FA auth.
I know I can't turn off 2-FA, so what would be the best way to bypass this?
Alternatively, is there an easier way to log in to a website guarded by Google auth and store the session cookies?
Here's my puppeteer code, any help would be much appreciated:
```javascript
const puppeteer = require('puppeteer')

async function getCookies() {
  const browser = await puppeteer.launch({
    args: [
      '--no-sandbox',            // runs Chromium without its sandbox
      '--disable-setuid-sandbox',
      '--disable-gpu'
    ]
  })
  const page = await browser.newPage()
  await page.setUserAgent('Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36')
  await page.goto(process.env.URL)

  // Email step of the Google sign-in form
  await page.waitForSelector('#identifierId')
  await page.type('#identifierId', process.env.EMAIL, { delay: 5 })
  await page.click('#identifierNext')

  // Password step
  await page.waitForSelector('#password input[type="password"]', { visible: true })
  await page.type('#password input[type="password"]', process.env.PASS, { delay: 5 })
  await page.click('#passwordNext')

  // Fixed 3 s pause; page.waitFor(3000) is no longer available in current Puppeteer releases
  await new Promise(resolve => setTimeout(resolve, 3000))

  const cookies = await page.cookies()
  await browser.close()
  return cookies
}
```
Upvotes: 4
Views: 9064
Reputation: 691
My working solution (needs some refactoring)
```javascript
const puppeteer = require('puppeteer');

// Assumption: CRED was not defined in the original post; here it is read from
// the environment variable names used in the question.
const CRED = { user: process.env.EMAIL, pass: process.env.PASS };

(async () => {
  const browser = await puppeteer.launch({
    headless: false, // for debugging only
    ignoreHTTPSErrors: true // This happens when you use a self signed certificate locally
  })
  const page = await browser.newPage()
  await page.setViewport({ width: 1280, height: 800 })
  await page.goto('https://myawesomesystem/loginFrm01')
  const navigationPromise = page.waitForNavigation()

  // Clicks on the login button
  const googleLoginButtonSelector = 'body > section > ... > div'
  await page.waitForSelector(googleLoginButtonSelector)
  await page.click(googleLoginButtonSelector)

  // wait for the google oauth page to open
  const googleOAuthTarget = await browser.waitForTarget(target => {
    // console.log( target.url() ); // debugging
    return target.url().indexOf('https://accounts.google.com/signin/oauth/identifier') !== -1
  })
  const googleOAuthPage = await googleOAuthTarget.page()

  // Email step
  await googleOAuthPage.waitForSelector('#identifierId')
  await googleOAuthPage.type('#identifierId', CRED.user, { delay: 5 })
  await googleOAuthPage.click('#identifierNext')

  // Password step
  await googleOAuthPage.waitForSelector('input[type="password"]', { visible: true })
  await googleOAuthPage.type('input[type="password"]', CRED.pass)
  await googleOAuthPage.waitForSelector('#passwordNext', { visible: true })
  await googleOAuthPage.click('#passwordNext')

  await navigationPromise
  // HERE:
  // the user has been authenticated
  // or login window was closed
  // or whatever else, please check
  await browser.close()
})()
```
Upvotes: 0
Reputation: 4401
It is actually possible using the Twilio API within Puppeteer to programmatically receive the SMS code. You will have to set up a special Google account for this to work with the Twilio number as the mobile phone, OR change your current Google account's primary mobile number to the Twilio number and use your regular number as a secondary contact in your Google account info.
Upvotes: 0
Reputation: 20348
I would have added an Android app in the mix too. You can set up the 2FA with SMS codes and an Android app with SMS read permission can read the SMS and connect with a backend.
The backend can send a push message, probably using Firebase Cloud Messaging, to the local Node.js instance where the headless Chrome is running, to input it in the 2FA screen.
I don't think there's any other way to do it. Although I would recommend not doing it, since it may open some backdoor for security issues.
Upvotes: 0
Reputation: 22424
Not possible I am afraid and not the answer you want.
> I know I can't turn off 2-FA, so what would be the best way to bypass this?
If it was possible to bypass, then it kinda opens the door for hackers, as two-factor authentication works as an extra step in the process, a second security layer, that will reconfirm your identity. Its purpose is to make attackers' life harder and reduce fraud risks!
Upvotes: 1