Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2FA support #146

Open
alexeyvasilyev opened this issue Mar 10, 2020 · 58 comments
Open

2FA support #146

alexeyvasilyev opened this issue Mar 10, 2020 · 58 comments

Comments

@alexeyvasilyev
Copy link

Got Arlo's that said "Two-step verification is an added layer of account security to verify that it's really you, even if someone knows your password. By the end of the year, Arlo will require all users to enable two-step verification. We strongly encourage you to enable this feature now for added security"

At the moment 2FA is not working for these Arlo python scripts.

What version of Python are you using (python -V)?

Python 3.7.6

What operating system and processor architecture are you using (python -c 'import platform; print(platform.uname());')?

uname_result(system='Darwin', node='PC', release='19.3.0', version='Darwin Kernel Version 19.3.0: Thu Jan  9 20:58:23 PST 2020; root:xnu-6153.81.5~1/RELEASE_X86_64', machine='x86_64', processor='i386')

Which Python packages do you have installed (run the pip freeze or pip3 freeze command and paste output)?

arlo==1.2.33
certifi==2019.9.11
chardet==3.0.4
idna==2.8
monotonic==1.5
PySocks==1.7.1
requests==2.23.0
six==1.12.0
sseclient==0.0.22
urllib3==1.25.6
virtualenv==16.7.8

Which version of ffmpeg are you using (ffmpeg -version)?

ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
built with Apple clang version 11.0.0 (clang-1100.0.33.16)
configuration: --extra-cflags=-fno-stack-check
libavutil      56. 31.100 / 56. 31.100
libavcodec     58. 54.100 / 58. 54.100
libavformat    58. 29.100 / 58. 29.100
libavdevice    58.  8.100 / 58.  8.100
libavfilter     7. 57.100 /  7. 57.100
libswscale      5.  5.100 /  5.  5.100
libswresample   3.  5.100 /  3.  5.100

Which Arlo hardware do you have (camera types - [Arlo, Pro, Q, etc.], basestation model, etc.)?

Arlo Camera, Arlo Base Station

What did you do?

Enabled 2FA support on Arlo app (Settings - Profile - Login Settings - Two-Step Verification - Enable=true).

What did you expect to see?

python arlo-streamingvideo.py
ffmpeg version 4.2.2 Copyright (c) 2000-2019 the FFmpeg developers
  built with Apple clang version 11.0.0 (clang-1100.0.33.16)
  configuration: --extra-cflags=-fno-stack-check
  libavutil      56. 31.100 / 56. 31.100
  libavcodec     58. 54.100 / 58. 54.100
  libavformat    58. 29.100 / 58. 29.100
  libavdevice    58.  8.100 / 58.  8.100
  libavfilter     7. 57.100 /  7. 57.100
  libswscale      5.  5.100 /  5.  5.100
  libswresample   3.  5.100 /  3.  5.100
Input #0, rtsp, from 'rtsps://vzwow42-z1-prod.ar.arlo.com:443/vzmodulelive/5EM28975A2C12_1583845297713?egressToken=d0ca19d6_ade1_4852_aaf3_5235fe5c9266&userAgent=iOS&cameraId=5EM28975A2C12_1583845297713':
  Metadata:
    title           : 5EM28975A2C12_1583845297713
  Duration: N/A, start: 0.000000, bitrate: N/A
    Stream #0:0: Audio: aac (LC), 16000 Hz, mono, fltp
    Stream #0:1: Video: h264 (High), yuv420p(progressive), 1264x704, 24 fps, 100 tbr, 90k tbn, 48 tbc

What did you see instead?

$python arlo-streamingvideo.py
401 Client Error: Unauthorized for url: https://my.arlo.com/hmsweb/login/v2

Does this issue reproduce with the latest release?

Yes

@jeffreydwalter
Copy link
Owner

I don't really think there's going to be a solution to this.

@jeffreydwalter
Copy link
Owner

I just enrolled in 2FA and the only possible solution I see is to configured 2FA to use email, then write some code that gets the 2FA code from your email and sends it to the Arlo API. Of course, this library does not support that currently.

@m0urs
Copy link
Contributor

m0urs commented Mar 10, 2020

This is really a very bad decision by Arlo as it will break all kind of external automation together with the Arlo cams. We really should send them many mails and comment in the forums so that they at least will either make it not mandatory or provide a kind of application passwords as it is done with other providers.

@jeffreydwalter
Copy link
Owner

Yep, unfortunately, that's our only recourse.

@m0urs
Copy link
Contributor

m0urs commented Mar 10, 2020

So, let's tell them ... https://community.arlo.com/t5/Arlo/Mandatory-Two-Step-Authentication-Verification-a-Bad-Idea/m-p/1760890#M4454

@m0urs
Copy link
Contributor

m0urs commented Mar 12, 2020

Jeffrey, I tried to play with the 2FA and Python as I do have the possibility to receive SMS with my Raspberry where my Home Automation system is running and thought, maybe I would be able to read that SMS and use it for login via Python.

The 401 error which is currently thrown is because the Login call tells us:

{'error': '1900', 'message': 'To access your account, please download our new Arlo app or disable two-step verification.', 'reason': 'Please update to the latest version of this app, or deactivate Two-Step Authentication on your account, to login on this device.'}

So for me it seems that the API calls have changed to a somehow newer version which supports both 2FA and non-2FA.

How did you get all the the information about which GET/POST requests are used by Arlo? The calls made by the web browser seems to be totally different from the requests made by the Python script.

So I am bit lost now. Maybe you can help me a bit so that I can continue playing. Thanks!

@jeffreydwalter
Copy link
Owner

@m0urs I use the Network tab in Chrome's developer tools.
image

They have new auth endpoints, which this library isn't updated to use yet:
General:

Request URL: https://ocapi-app.arlo.com/api/auth
Request Method: POST
Status Code: 200 
Remote Address: 104.18.30.98:443
Referrer Policy: no-referrer-when-downgrade

Request Headers:

:authority: ocapi-app.arlo.com
:method: POST
:path: /api/auth
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
auth-version: 2
content-length: 125
content-type: application/json; charset=UTF-8
cookie: __cfduid=XXXXXXX; __cfruid=XXXXXXX-XXX; 
dnt: 1
origin: https://my.arlo.com
referer: https://my.arlo.com/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
source: arloCamWeb
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36

Request Body:

{email: "[email protected]", password: "XXXXXXXXXXXX",…}
email: "[email protected]"
password: "XXXXXXXXXXXX"
language: "en"
EnvSource: "prod"

Response Headers:

access-control-allow-credentials: true
access-control-allow-origin: https://my.arlo.com
cf-cache-status: DYNAMIC
cf-ray: 572f685e38e37ada-MCI
content-encoding: gzip
content-type: application/json; charset=utf-8
date: Thu, 12 Mar 2020 17:59:12 GMT
etag: W/"25a-ic0uE7Ob0UwLOmICOdCpZMQlp4Y"
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
status: 200
strict-transport-security: max-age=15552000; includeSubDomains
vary: Origin, Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-download-options: noopen
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

Response Body:

{"meta":{"code":200},"data":{"_type":"AccessTokenV2","token":"XXXXXXX-XXXXXXX-XXXXXX-XXXXXXX-XXXXXX-XXXXXXX","userId":"XXX-XXXXXXX","authenticated":1584035951,"issued":1584035951,"expiresIn":1585331951,"mfa":false,"authCompleted":true,"type":"USER","MFA_State":"ENABLED"},"domain":"ocapi-app.arlo.com"}

@m0urs
Copy link
Contributor

m0urs commented Mar 12, 2020

Thanks, so I was on the right way ... Guess I need to some try and error now ;-)

@m0urs
Copy link
Contributor

m0urs commented Mar 13, 2020

After that there is a "GET https://ocapi-app.arlo.com/api/validateAccessToken?data = XXXXX' where "XXXXX' is the value from the field 'authenticated' from the request above.

This requests fails :

Request (GET https://ocapi-app.arlo.com/api/validateAccessToken?data%20=%20XXXXX) failed: {'meta': {'message': 'Access token is invalid', 'code': 400, 'error': 9022}}

I guess because I am missing the correct value for the "Authorization" header variable. It seems that this is NOT the value from 'token' (starting with "2_") which we get from the first request but something which looks totally different and starting with "Ml9":

Authorization: Ml9vaG13NnJ6SDZBOTBTbW9V......lFdzllZWdS

I have currently no idea where this value comes from or how to calculate it from other fields. Maybe it is some kind of hash of the token.

Maybe someone from the community can do also some tests here and give me a hint from where this "Authorization" header is coming.

The password for the new API is also somehow hashed (but this would not be such a big problem).

@death2all110
Copy link

@jeffreydwalter Are there any plans to update the library with the new endpoints? This hasn't worked for me for a while, and I'm honestly not sure where to begin with doing it myself and doing a pull request.

@m0urs
Copy link
Contributor

m0urs commented Mar 16, 2020

I am currently playing around with it a bit. However, I cannot promise that this will lead to a positive result ;-) - and I cannot tell you about a time frame.

@m0urs
Copy link
Contributor

m0urs commented Mar 22, 2020

Maybe Arlo will not set 2FA mandatory as they had communicated up to now. If I understand that support chat correctly we still would be able to choose:

https://community.arlo.com/t5/Arlo/Mandatory-Two-Step-Authentication-Verification-a-Bad-Idea/m-p/1762753#M74989

However: Since 2 days I am unable to use the old authentication mechanism even without 2FA enabled with my accounts :-( I tried to re-write the code so that it is using the new API but I am not yet successful. Seems that we now also need to consider the cookies in all requests. Still trying to get it working, however it is try & error as I am not really a Python programmer ;-)

@katzenbaer
Copy link

Is there OAuth implementation support without 2FA? Looks like they've removed the v2 API ahead of requiring 2FA support.

@m0urs
Copy link
Contributor

m0urs commented Mar 23, 2020

Is there OAuth implementation support without 2FA? Looks like they've removed the v2 API ahead of requiring 2FA support.

It seems they are now only using the new API which can be used with and without 2FA. I am currently trying to implement the new API without 2FA so that I can use my scripts again. However, as I said before, I am not a programmer and I cannot promise if I am successful ;-)

@m0urs
Copy link
Contributor

m0urs commented Mar 23, 2020

Bad news :-(

As part of our efforts to continually evolve and further strengthen our privacy and security practices, Arlo announced it will now require all users to use two-factor authentication when logging into their Arlo account. The new security mandate will go into effect for new users in Q2 of 2020, and will require existing Arlo users to enable the feature on their current Arlo accounts by end of year. While Arlo has strongly encouraged its users to enable two-factor authentication since its introduction, Arlo believes requiring this added layer of security is yet another measure we can take to help our users safeguard their accounts and their data.

Arlo Team

@apsteinmetz
Copy link

Well this really sucks, but I predicted it. I registered my displeasure on the Arlo forum. It would have been nice to get some notice. Now I am scrambling to find an alternative hardware/software solution. Thanks, everyone, for your efforts to try and work around this.

@nst2020
Copy link

nst2020 commented Mar 24, 2020

well seems there are some fixes out. Hope we can use it for this lib.

https://github.com/twrecked/pyaarlo

@jeffreydwalter
Copy link
Owner

jeffreydwalter commented Mar 24, 2020

@nst2020 they are just logging into your mailbox and polling for the 2FA email to get the token. That is the approach I am also planning on. Have been busy, was hoping someone in the community would take some initiative and make a PR. If not, I'll probably have time in the next week or two.

@m0urs
Copy link
Contributor

m0urs commented Mar 24, 2020

As I said, I am currently working on changing the script to use the new API as even without 2FA it is no longer working for me for some days ... I also do have some code for 2FA in it, but currently only for playing (I need to put in the second factor manually, just to see how it works). I was planning to get the second factor via SMS as I do have another machine which can receive SMS.

Nevertheless, if you would be able to make "real" code even better ;-) Let me know before you start so maybe I can give you at least what I already have. Maybe you can re-use something ...

@m0urs
Copy link
Contributor

m0urs commented Mar 26, 2020

I adapted the code so that it now uses the new Authentication API and added also some proof of concept code for using 2FA.

However, currently you need to put in the second factor sent by SMS manually. It needs more work now to automate that.

At least I can now use my script again 8without 2FA) as Arlo seems to have stopped authentication with the older API a few days ago.

You find my code here. Maybe you can use parts for your own.

https://github.com/m0urs/arlo-cl

@death2all110
Copy link

@m0urs

Thank you for this. I'm trying to implement the changes you made so I can run my download script again, and it seems to authenticate, but every time it runs it just passes 'success' and doesn't do anything else. Any chance you can help with that?


PS E:\Arlo> python .\arlo-download.py
[DEBUG] (MainThread) Starting new HTTPS connection (1): ocapi-app.arlo.com:443
[DEBUG] (MainThread) https://ocapi-app.arlo.com:443 "POST /api/auth HTTP/1.1" 200 None
'success'
PS E:\Arlo>

@m0urs
Copy link
Contributor

m0urs commented Mar 26, 2020

@death2all110 I can have a look if you provide me with your full script which you are using. If you like you can mail me directly as this does not really fit to the 2FA issue here ... Mail address see my Github profile.

@huberda
Copy link

huberda commented Mar 26, 2020

@m0urs Thanks a lot for your pre-work implementing the new api-endpoints! I was wondering why my scripts weren´t working with my home automation as i noticed that arlo now enters the passwods base64 and also new endpoints are targeted. I just implemented your changes and it works like a charm!!!

@death2all110 Please notice that @m0urs changed also requests.py and eventstream.py! If you are running your own scripts with Arlo.py, dont forget to encode the password.

from Arlo import Arlo

from datetime import timedelta, date
import datetime
import sys
import base64

pw = 'plainPW'
USERNAME = 'you@mail'
PASSWORD = str(base64.b64encode(pw.encode("utf-8")), "utf-8")

try:
    arlo = Arlo(USERNAME, PASSWORD)
    basestations = arlo.GetDevices('basestation')   
    modes = arlo.GetModes(basestations[0])
   

@jeffreydwalter
Copy link
Owner

@m0urs are you planning on making a PR for your changes? It would be greatly appreciated by everyone that uses the library.

@m0urs
Copy link
Contributor

m0urs commented Mar 27, 2020

@jeffreydwalter As I did only adapt some of the functions in Arlo.py yet, I would not yet like to create a PR. I am currently working with @death2all110 who is using some more functions and will adapt my version of Arlo.py accordingly. But that will not include all functions. Do you think it make sense to merge my changes even if they are not yet complete? Maybe, because currently the whole script seems no longer work at all. What do you think?

@apsteinmetz
Copy link

Thanks for updating this! Is there a lag in the package deployment becuase I don't seem to be updating?

>pip install arlo
 Requirement already satisfied: arlo in c:\users\arthur\appdata\local\programs\python\python38\lib\site-packages (1.2.33)

@jeffreydwalter
Copy link
Owner

Try upgrading: pip install arlo --upgrade

$ pip install arlo --upgrade
DEPRECATION: Python 2.7 will reach the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 won't be maintained after that date. A future version of pip will drop support for Python 2.7.
Collecting arlo
  Downloading https://files.pythonhosted.org/packages/81/43/694016dcd05a02762bf05b19ed09bd22780b9f8d578cf82cd0e2c82e87ec/arlo-1.2.35-py2.py3-none-any.whl
Requirement already satisfied, skipping upgrade: requests in /usr/local/lib/python2.7/site-packages (from arlo) (2.22.0)
Requirement already satisfied, skipping upgrade: PySocks in /usr/local/lib/python2.7/site-packages (from arlo) (1.7.1)
Requirement already satisfied, skipping upgrade: monotonic in /usr/local/lib/python2.7/site-packages (from arlo) (1.5)
Requirement already satisfied, skipping upgrade: sseclient==0.0.22 in /usr/local/lib/python2.7/site-packages (from arlo) (0.0.22)
Requirement already satisfied, skipping upgrade: urllib3!=1.25.0,!=1.25.1,<1.26,>=1.21.1 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (1.25.6)
Requirement already satisfied, skipping upgrade: certifi>=2017.4.17 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (2019.9.11)
Requirement already satisfied, skipping upgrade: chardet<3.1.0,>=3.0.2 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (3.0.4)
Requirement already satisfied, skipping upgrade: idna<2.9,>=2.5 in /usr/local/lib/python2.7/site-packages (from requests->arlo) (2.8)
Requirement already satisfied, skipping upgrade: six in /usr/local/lib/python2.7/site-packages (from sseclient==0.0.22->arlo) (1.12.0)
Installing collected packages: arlo
  Found existing installation: arlo 1.2.30
    Uninstalling arlo-1.2.30:
      Successfully uninstalled arlo-1.2.30
Successfully installed arlo-1.2.35

@twratl
Copy link

twratl commented Apr 4, 2020

Yeah. An OTP would be ideal. Then pyotp could easily be used to solve the MFA issue. Maybe that is a worthwhile petition to Arlo to offer OTP as an option. It is arguably more secure than SMS.

@giejay
Copy link

giejay commented Jun 2, 2020

Just checking, wouldn't using a Tasker plugin and an Android phone also help with two factor authentication? By using Auto notification, I can quite easily click the approve button, every time a login takes place. Or am I overlooking something?

Edit: Modified the code a bit to use Push authentication instead of SMS, created a tasker profile to select approve automatically and it works within 5 seconds

@twratl
Copy link

twratl commented Jun 20, 2020

I have a working implementation of MFA using SMS. After reviewing the API I see now how the email option is implemented so I am going to adapt my code to use email (which is always going to be an option for everyone I would imagine) instead of SMS. This would eliminate the need for Google Voice or equivalent.

My solution is an AWS serverless solution and is a 2 stage process (a pre-stage process which gives you a URL to query every second until the code shows up, and an out-of-band process that accepts and parses the MFA email and saves the OTP code).

@twratl
Copy link

twratl commented Jun 21, 2020

Ok. I switched over to using email for MFA instead of SMS. The code and process to implement is here: https://github.com/twratl/arlo-mfa-aws. I welcome feedback. I have this working successfully in my application (although I turned off MFA for now since it isn't yet a requirement).

You will need a couple things like a domain and an AWS account.

@huberda
Copy link

huberda commented Aug 23, 2020

Dear @twratl, i am currently worried about 2FA, because this will kill my current setup enabling alro-modes with my home automation. I had a look at your solution and really like this approach, big thanks for that!

I try to keep all my data (except arlo videos) @home, thats why i am thinking about a different approach:
Running arlo.py already requires a local machine (in my case raspbian box). It should be possible to clone the linked email-inbox e.g. via imapbox to the local disk as json and then directly fullfil the 2FA request for arlo.py. Do you see any issues following this approach?
I think then we can skip using a aws-account + dns and....maybe?

Best regards,
Daniel

@twratl
Copy link

twratl commented Aug 23, 2020

@huberda, thanks for reaching out. I will say that the solution I built for AWS stores VERY little info and it is wiped within a day IIRC. My Arlo automation runs from AWS Lambda, hence my AWS solution.

However if you want to pursue a fully "on prem" solution, I don't see why the same high level process could not be adapted. You would still source the second factor via email likely and then using imap you can check for the arrival of the message in the inbox and parse out the MFA code which you then provide to the Arlo API.

You would need to roll your own logic for the IMAP piece but it seems rather straightforward (check inbox for messages in the last 1 minute from the Arlo address as an example). Not sure imapbox is needed although it could work I guess. I was thinking just a direct imap call to your inbox.

@huberda
Copy link

huberda commented Aug 23, 2020

@twratl: Thanks for your reply! I fully agree, i just tought about a user-friendly way to implement 2FA without additional components.
I guess that many users of arlo.py are maybe not informed about 2FA impact on the API and this issue will pop-up during the planned enforcement.

Regarding IMAP i will check for a good solution (direct IMAPClient or existging module) - regarding logic i am thinking about a timeout loop that could be configured (e.g. check inbox x times for mails in last y minutes) for MFA code.

I will have a look on this within the next weeks...

@phoenixaus
Copy link

Hi Guys,

I have been able to obtain the MFA code from SMS or email and save it into a txt file. This was done using software called integromat, which you should be able to access on the free tier. I'm happy to help anyone that wants to go that way.

Unfortunately, I'm lacking in the skill set to adapt the code the Jeffrey has written to import this in. At this stage I'm trying to find a way to ideally force the email option of MFA (as this isn't relying on a sim service to be active), then read the contents of a file saved in dropbox called MFA.TXT which would contain the code. I would assume that there would need to be a pause between the request stage and accessing with the MFA code.

@booi
Copy link
Contributor

booi commented Dec 2, 2020

Hi guys, not sure if anybody still uses this library but I opened a PR #160 for automatic request and retrieval of 2FA tokens from a gmail account and restores the ability to use this library.

After reading this thread it seems like there also needs to be a corresponding update to read from the new API but perhaps this gets us half-way? It sounds like there has been some progress on using the new API.

This technique requires users to set up an OAuth client for accessing gmail via google's api. At the very least it does not require a twilio/google voice or AWS integration and accessing google's api is free for any gmail account.

@booi
Copy link
Contributor

booi commented Dec 2, 2020

If there is interest, I would also be open to running a service on heroku or something that can do this automagically. There is a good amount of security required in this scenario though since it requires read access to the gmail account. We could open source it

@m0urs
Copy link
Contributor

m0urs commented Dec 4, 2020

In the meantime I have moved to another Python library as base for my house automation control for Arlo: https://github.com/m0urs/arlo-fhem

@ptkmora
Copy link

ptkmora commented May 24, 2021

Hi.
I would like to log-in in Arlo library and download the videos locally. I had a script for that, but stopped working at beginning of May with the error:
"403 Client Error: Forbidden for url: https://ocapi-app.arlo.com/api/auth".
This must be related with the 2FA issue of this post, I presume.

May I ask if there is a solution to log-in with 2FA, which I can integrate in my previous .py code?
(I studied this post, but I could not find a solution easy enough for my limited knowledge of python)

download_Arlo.py.PASSWORD_CANCELED.txt

The .py is called by this simple bash script:
archive_Arlo_2.sh.txt

Many thanks in advance if anybody can help on this.

@huberda
Copy link

huberda commented May 24, 2021

Dear @ll,

i am still struggeling with all arlo-libraries (also pyarlo and arlo-fhem). It seems that cloudflare broke all implementations.
I disabled 2FA in my arlo account, but after multiple logons via script i receive e.g. CloudflareChallengeErrors.
=> After reconnecting my router to ISP its working fine again for 4-5 script-runs.

I already investigated a lot of time to get a stable and working script, but without success.
Is there anyone with a stable and working setup using Arlo-automation? (e.g. for integration for home automation)

I am currently thinking about to sell my whole arlo setup, because this really su.....
=> and also netgear is not customer oriented!

Best regards!

@booi
Copy link
Contributor

booi commented May 24, 2021

I took a small peek at the work required to get this integration working again and I don't think Arlo is the way forward for me personally. It would be easier (and cheaper!) to replace this setup than to try to shoehorn a new integration. @jeffreydwalter I don't know if you're still around but what did you end up doing?

@jeffreydwalter
Copy link
Owner

@huberda @booi the issue you guys are having is related to the requests library in Python 3.x. It's broken.

This library works fine if you disable Arlo 2FA and use Python 2.7.

@m0urs
Copy link
Contributor

m0urs commented May 25, 2021

Is there anyone with a stable and working setup using Arlo-automation? (e.g. for integration for home automation)

I tested with 2FA enabled which has been working as well. However, currently I am running without 2FA and it is very stable for me using my https://github.com/m0urs/arlo-fhem.

@m0urs
Copy link
Contributor

m0urs commented May 25, 2021

Seems that they just changed something, at least if you are using 2FA with non-english langauge: twrecked/pyaarlo#63 (comment)

@huberda
Copy link

huberda commented May 25, 2021

Thanks @jeffreydwalter; using python2.7 without tfa works fine for me again. I already moved all scripts to python3 in the past, so i never tried to downgrade it again.

@jeffreydwalter
Copy link
Owner

I've got an issue open with the requests project. They have acknowledged the regression, but it's not clear if they consider it a bug.
Basically, Arlo's Cloudflare proxy is blockin flagging all requests from the python 3 requests library as a bot... I'll put together a fix for this soon.

@ptkmora
Copy link

ptkmora commented May 26, 2021 via email

@neilferreira
Copy link

neilferreira commented Jun 4, 2021

It looks like @jeffreydwalter has fixed the Python 3.x issue with a new version so I decided to give it a spin. I can confirm that the previous issue related to CloudFlare blocking Python ( 401 Client Error: Unauthorized for url: https://my.arlo.com/hmsweb/login/v2) has disappeared!

I've run into another issue, however.

Is anyone else able to use the API at the moment with NO MFA on their account? I'm getting this, I'll need to debug it further.

  File "/opt/application/controller.py", line 36, in disarm
    arlo.CustomMode(basestation, mode=None, schedules=['schedule.1'])
  File "/usr/local/lib/python3.8/site-packages/arlo.py", line 435, in CustomMode
    return self.request.post('https://my.arlo.com/hmsweb/users/devices/automation/active', {'activeAutomations':[{'deviceId':device.get('deviceId'),'timestamp':self.to_timestamp(datetime.now()),'activeModes':[mode],'activeSchedules':schedules}]})
  File "/usr/local/lib/python3.8/site-packages/request.py", line 66, in post
    return self._request(url, 'POST', params=params, headers=headers, raw=raw)
  File "/usr/local/lib/python3.8/site-packages/request.py", line 57, in _request
    raise HTTPError('Request ({0} {1}) failed: {2}'.format(method, url, r.json()), response=r)
requests.exceptions.HTTPError: Request (POST https://my.arlo.com/hmsweb/users/devices/automation/active) failed: {'data': {'error': 'AUTO-5050', 'message': 'Failed to update Automation Definitions', 'reason': 'Unable to upload active automation. Please try again'}, 'success': False}

EDIT: May be a dupe of #168

@sfederman
Copy link

Hi all,

I'm having a similar issue with 2FA, the error 401 Client Error: Unauthorized for url: https://my.arlo.com/hmsweb/users/devices.

Before 2FA was activated on my account, I could use this code without any issues, but now that 2FA is on (and I cannot deactivate it on my account), it no longer functions (to get regular snapshots, for an eventual time-lapse).

I can provide more details if necessary, but it seems some are able to use this repository with 2FA - what is the best method?

@jeffreydwalter
Copy link
Owner

jeffreydwalter commented Jul 27, 2021

For anyone looking to use mfa, this branch is working https://github.com/jeffreydwalter/arlo/tree/mfa-pr

It uses the Google Gmail API, so you'll have to set that up (see the docs folder): https://github.com/jeffreydwalter/arlo/blob/mfa-pr/docs/ARLO_MFA.md

@huberda
Copy link

huberda commented Jul 27, 2021

@jeffreydwalter: Thanks for your update, i just implemented your new branch and its working fine!

For the mail-inbox did not matched your query-string, because alro-mails are sent in german language - therefore i adjusted:

line238: q=f'Arlo one-time authentication code after:{request_start_time}'
=> not matched in DE

I also opened a tickets @Netgear and asked for 2FA deactivation - but i dont think they will go for it.

Best regards

@Aeon
Copy link
Contributor

Aeon commented Sep 27, 2021

@jeffreydwalter thank you for your hard work on this! One note on documentation - the documentation says to use http://localhost:7788 as redirect URL, with no trailing slash, but the gmail_oauth.py specifies it with a trailing slash, which causes google API to return an redirect_uri_mismatch error.


And, unrelated, a silly thing that bit me that I wanted to document in case anyone is googling for it - if you see errors like

'ascii' codec can't decode byte 0xe5 in position 1: ordinal not in range(128)

that most likely means that you may have ran the gmail_oauth.py script with python2, but are trying to run your script with python3... and the pickle formats are very different between python versions, so that will cause things to blow up with very little in a way of error context 💣

(not quite sure if there's some way to gracefully handle that with a better error message in LoginMFA function?)

To fix that, all you need to do is delete gmail.credentials, re-run the gmail_oauth.py with python3, and you should be off to the races!

@booi
Copy link
Contributor

booi commented Sep 30, 2021

@jeffreydwalter @Aeon Thanks for the feedback, I made the doc changes in #178.

@kskenyon
Copy link

Wiki is still missing the slash after http://localhost:7788

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests