Crisp Apples

Reputation: 176

Invalid credentials when logging in with Python requests module

I'm trying to log in to Spotify through the Python requests module. It seems that no matter whether the credentials I provide are right or wrong I always get an invalid credentials JSON error. Here's the code I have so far:

import requests
import time

s = requests.Session()

print(s.cookies.get_dict())
s.get("https://accounts.spotify.com/en/login/?_locale=en-US&continue=https:%2F%2Fwww.spotify.com%2Fus%2Faccount%2Foverview%2F")
print(s.cookies.get_dict())
print('\n')
csrftoken = s.cookies['csrf_token']
print('\n')
print(csrftoken)

req = s.post(
    'https://accounts.spotify.com/api/login',
    data={
        'remember': 'true',
        'username': 'VALIDUSERNAME',
        'password': 'VALIDPASSWORD',
        'captcha_token': '',
        'csrf_token': csrftoken,
    },
    headers={
        'Referer': 'https://accounts.spotify.com/en/login/?_locale=en-US&continue=https:%2F%2Fwww.spotify.com%2Fus%2Faccount%2Foverview%2F',
        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0',
    },
)

print(req.status_code)
print(req.text)

I always get a JSON response like this:

{"error":"errorInvalidCredentials"}

I observed that when changing the CSRF token to an invalid value, I still get the {"error":"errorInvalidCredentials"} response. I then used Burp Suite's Proxy to change the token and I got a different response telling me the CSRF token was invalid.

I also observed that the captcha parameter's value is nothing. When intercepting the request in Burp, the parameter's value was not set to anything, which is why I left it blank.

What am I doing wrong? I know I'm giving valid credentials and supplying the correct CSRF token.

Upvotes: 0

Views: 2349

Answers (1)

Crisp Apples

Reputation: 176

After looking at my code, I realized that I wasn't even sending a single cookie along with the POST request; I was only sending the CSRF token as a POST request parameter. When I looked at the intercepted POST login request in Burp Suite, I finally understood what I was doing wrong.

The cookie header from the actual Spotify login page was something like this:

Cookie: sp_ab=%7B%222018_12_homepage_variants%22%3A%22v4%22%2C%222018_11_invisible_captcha%22%3A%22control%22%2C%222018_09_acq_signup_confirm_email%22%3A%22control%22%2C%222018_08_acq_signup_components_update%22%3A%22control%22%7D; sp_t=767144f8aa8b61378ccf958c670a6383; _ga=GA1.2.1942983958.1544578963; _gid=GA1.2.1472574661.1544578963; spot=%7B%22t%22%3A1544579600%2C%22m%22%3A%22us%22%2C%22p%22%3A%22open%22%7D; _gcl_au=1.1.1737135149.1544579416; __gads=ID=da7551ef6408e0e1:T=1544579604:S=ALNI_Mac1_7j2-834CH4t2FY65VEg9Pfcg; csrf_token=AQDFzF3zWOZKdg3w_agEStexYetTUTDpgFhvKXLmIaqTTP9ZDn84FctVC_ZER2m_O-4Obzt3w7fL-XKDBp_CdtNzIlUwD6iEffkWOK8ojTxHwTqzlWCoRcY2tYYO4wBSPJKKug; __bon=MHwwfDE4MDkxMzU2MjV8NzU5ODM2OTYyNTB8MXwxfDF8MQ==; fb_continue=https%3A%2F%2Fwww.spotify.com%2Fus%2Faccount%2Foverview%2F; remember=test; _gat=1

So using that, all I had to do was add a cookie header, copy and paste all the static cookies (the ones that will always be the same value for every session) and concatenate a couple of the dynamic cookies (the ones that are different for each session) with variables, like the CSRF token.

Upvotes: 1
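
The captured header above carries csrf_token as a cookie, while the login form posts the same name again as a parameter. The sketch below is an added example, not code from the post or from Spotify: it assumes the service uses the generic double-submit cookie pattern, and shows how such a server-side check treats a request that carries only one copy of the token. The function name and all sample values are constructed.

```python
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def check_double_submit(cookie_header: str, form_body: str,
                        name: str = "csrf_token") -> str:
    """Generic double-submit cookie check (hypothetical helper).

    Returns "ok", "missing_cookie", "missing_param" or "mismatch".
    """
    # Parse the raw Cookie request header into name/value pairs.
    jar = SimpleCookie()
    jar.load(cookie_header)
    cookie_token = jar[name].value if name in jar else ""

    # Parse the urlencoded POST body and take the first value for the field.
    form_token = parse_qs(form_body).get(name, [""])[0]

    if not cookie_token:
        return "missing_cookie"   # body token alone proves nothing
    if not form_token:
        return "missing_param"
    # Constant-time comparison so the check does not leak token prefixes.
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return "mismatch"
    return "ok"


# Constructed sample requests (not real tokens or credentials).
COOKIES = "sp_t=constructed123; csrf_token=CONSTRUCTED-token_1; remember=test"
BODY = "remember=true&username=u&password=p&csrf_token=CONSTRUCTED-token_1"

if __name__ == "__main__":
    # Browser-like request: token present in both places.
    print(check_double_submit(COOKIES, BODY))
    # Token only in the POST body, no Cookie header at all.
    print(check_double_submit("", BODY))
    # Body token edited in transit while the cookie is unchanged.
    print(check_double_submit(COOKIES, BODY.replace("token_1", "token_X")))
```
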
