Error: Login credentials rejected in production #261

Open
supermasil opened this issue Jul 21, 2021 · 34 comments

@supermasil

Hi Mark,

First of all, thank you for this awesome library. Recently, suddenly in production I have started getting this error while logging in using loginAsync and this doesn't happen in dev at all. This also didn't happen in production before. Can you please help me look into this?

My service is at teslame.net

Thanks a lot!


2021-07-21T01:43:43.353-07:00 | Jul 21 08:43:43 ip-172-31-24-216 web: Error: Login credentials rejected
2021-07-21T01:43:43.353-07:00 | Jul 21 08:43:43 ip-172-31-24-216 web: at /var/app/current/node_modules/teslajs/src/auth.js:95:19
2021-07-21T01:43:43.353-07:00 | Jul 21 08:43:43 ip-172-31-24-216 web: at tryCallOne (/var/app/current/node_modules/promise/lib/core.js:37:12)
2021-07-21T01:43:43.353-07:00 | Jul 21 08:43:43 ip-172-31-24-216 web: at /var/app/current/node_modules/promise/lib/core.js:123:15
2021-07-21T01:43:43.353-07:00 | Jul 21 08:43:43 ip-172-31-24-216 web: at flush (/var/app/current/node_modules/asap/raw.js:50:29)
2021-07-21T01:43:43.353-07:00 | Jul 21 08:43:43 ip-172-31-24-216 web: at processTicksAndRejections (internal/process/task_queues.js:77:11)


@mseminatore
Owner

@supermasil Are you running this service from a cloud provider? This message typically means that Tesla's firewall is blocking the request and/or requesting a Captcha, which this library does not currently support.

@supermasil
Author

@mseminatore Yes I have it on elastic beanstalk. The interesting part is I didn't have this error when I first launched it. Let me do a bit more searching to see what's blocking it. Thanks Mark

@mseminatore
Owner

@supermasil For years now Tesla has been throttling and sometimes blocking some cloud providers. They do this when they feel that they are seeing unreasonable loads from those services. It could be that someone else on beanstalk caused all traffic to Tesla to be throttled or Captcha'd. Have you tried the library on your local PC to confirm that it works there?

@bendinwire

I too am getting Error: Login credentials rejected now. I'm running from my Mac here in my house. Going to try to VPN out of country to see if it matters.

@GaPhi
Contributor

GaPhi commented Aug 5, 2021

Same here : using same email/password/home network with android tesla app or tesla website succeed...
Something needs to be tuned in teslajs IMHO.

How can we investigate Android app request exchanges to reproduce it? (website is probably a bit different)

@mseminatore
Owner

I am seeing the same here. Though the Tesla Control app was working yesterday. I will try again today to see if something has changed.

@GaPhi @bendinwire Are you both using MFA with your accounts? When you login through website are you seeing a Captcha request?

@bendinwire

I do not have MFA on my accounts (I also manage my siblings/parents accounts). I did not get a Captcha when I just logged into Tesla.com. Thanks Mark!

@GaPhi
Contributor

GaPhi commented Aug 6, 2021

No MFA for me and no captcha

@markjanuex

markjanuex commented Aug 7, 2021

The same issue occurred 2 days ago. Login works on tesla.com.

@mseminatore
Owner

It looks like Tesla broke login again. I'm searching for whether any solutions have been devised.

@fuekiin

fuekiin commented Aug 14, 2021

Looking forward to having a fix for this issue. Would love to start working with this package 👍

@mseminatore
Owner

Me too! This is also affecting the Tesla Control application. I may be able to add Captcha support to the app. But that won't really help this library which is often used by server processes.

@joepalexander
Contributor

Just thought that I would bump this issue and see if anything has been discovered ;/

@tonybroadbent

Hi all, same issue here.
Foolishly, I deleted the .token file, which contains the serialised credentials. I can probably get my tokens elsewhere (eg. AuthAppForTesla) but I don't know the precise format of the .token file.
Please could someone cat .token and share (obv. hide any actual secrets).
Many thanks

@tonybroadbent

> Hi all, same issue here.
> Foolishly, I deleted the .token file, which contains the serialised credentials. I can probably get my tokens elsewhere (eg. AuthAppForTesla) but I don't know the precise format of the .token file.
> Please could someone cat .token and share (obv. hide any actual secrets).
> Many thanks

Hah! Answered my own question. I just created a .token file looking something like:
{"access_token":"qts-c1dea99lotsofotherstuff99123"}
Now I can monitor and control it again. Not a permanent fix, but an adequate workaround for now.

@GijsvanDulmen

Is there any more information about this? @tonybroadbent Is your fix a workaround or something? Could you explain more? Thanks!

@tonybroadbent

> Is there any more information about this? @tonybroadbent Is your fix a workaround or something? Could you explain more? Thanks!

There is a free IOS app called 'AuthAppForTesla'. I have this setup on my phone, and it allows me to copy to the clipboard an Access Token. I copied this to my pi, and created a .token file containing the long string, as shown above. Then, the sample code started working again for me. I think there are other ways to get an access token, this is just what I used. The app states they are only valid for 22 days, so it's really just a workaround rather than any sort of fix. Hope this helps; shout if it makes no sense. Obviously the access token would potentially allow someone to steal your car, so don't go pasting it on here!!!

@GijsvanDulmen

Nice workaround! :-) In my case I'm using TeslaJS "offline". So that wouldn't really work unfortunately. :-(

@LudwigWen

Hello, sorry for my question.

When using it, I always get the error: "Error: Login credentials rejected"

Trying: nodejs ./NodeRed/node_modules/teslajs/samples/login.js [email protected]
and capturing the response and opening it in a browser, a login page is shown.

Mobile App : "tesla token" is not compatible with my mobile phone.

So I tested: python3 ./teslapy, which also opens a browser; after entering the login data the browser shows a new URL, which needs to be entered afterwards into the script.
The cached output is stored in "cache.json" and looks like the following.
My question:
How do I enter this information, and in which part of "NodeRed/node_modules/teslajs/src/auth.js"?
Version 4.9.11

{
  "[email protected]": {
    "url": "https://auth.tesla.com/",
    "sso": {
      "access_token": "",
      "refresh_token": "",
      "id_token": "",
      "expires_in": 28800,
      "state": "7cdYahXiCo5NRqXrnFSYRSYwDf0CIc",
      "token_type": "Bearer",
      "expires_at": 1631889047.3078654
    },
    "ownerapi": {
      "access_token": "eu-",
      "token_type": "bearer",
      "expires_in": 3888000,
      "refresh_token": "",
      "created_at": 1631860248
    }
  }
}

@rbubke

rbubke commented Oct 1, 2021

I got a recaptcha request while login which results in "Login credentials rejected" error message.

Response-Header for https://auth.tesla.com/oauth2/v3/authorize:
{
'content-type': 'text/html; charset=utf-8',
'x-dns-prefetch-control': 'off',
'x-frame-options': 'DENY',
'strict-transport-security': 'max-age=15552000; includeSubDomains',
'x-download-options': 'noopen',
'x-content-type-options': 'nosniff',
'x-xss-protection': '1; mode=block',
'x-request-id': 'dbf7a989-b371-4459-ba1e-f1b9772f3330',
'x-correlation-id': 'dbf7a989-b371-4459-ba1e-f1b9772f3330',
'cache-control': 'no-store',
'content-security-policy': "connect-src 'self'; default-src 'none'; font-src 'self' data: fonts.gstatic.com; frame-src 'self' www.google.com www.recaptcha.net; img-src 'self' data:; script-src www.recaptcha.net 'self' 'nonce-7981d30fcfe05571d2f8'; style-src 'unsafe-inline' 'self'",
'x-content-security-policy': "connect-src 'self'; default-src 'none'; font-src 'self' data: fonts.gstatic.com; frame-src 'self' www.google.com www.recaptcha.net; img-src 'self' data:; script-src www.recaptcha.net 'self' 'nonce-7981d30fcfe05571d2f8'; style-src 'unsafe-inline' 'self'",
'x-webkit-csp': "connect-src 'self'; default-src 'none'; font-src 'self' data: fonts.gstatic.com; frame-src 'self' www.google.com www.recaptcha.net; img-src 'self' data:; script-src www.recaptcha.net 'self' 'nonce-7981d30fcfe05571d2f8'; style-src 'unsafe-inline' 'self'",
etag: 'W/"70cd-6kHgdOKNGr/95lX24lSHgBCMc8I"',
'x-response-time': '27.357ms',
'content-encoding': 'gzip',
'x-edgeconnect-midmile-rtt': '80',
'x-edgeconnect-origin-mex-latency': '98',
'x-akamai-transformed': '9 6293 0 pmb=mTOE,1',
date: 'Fri, 01 Oct 2021 07:46:43 GMT',
'content-length': '6127',
connection: 'close',
vary: 'Accept-Encoding',
'permissions-policy': 'interest-cohort=()'
}

@mseminatore
Owner

@rbubke Yes, this is expected. Tesla added recaptcha as a required step in the auth flow. I don't have a solution for TeslaJS at this point. Open to suggestions and PR's.

@mike-lischke

@mseminatore How come neither the Tesla website nor the Tesla iOS app shows a captcha? Is this perhaps switchable?

@mseminatore
Owner

@mike-lischke Because they own the auth service and can choose how it behaves. In theory it should be possible to determine how they identify their own apps and an app that behaves identically could masquerade as their website or app. However, that is a lot of work and can easily become a game of cat and mouse with Tesla as they make new changes.

@mike-lischke

@mseminatore Yes, that's what I thought too. And that's probably the reason why many Tesla Services/Apps use a token instead of credentials for access.

@Sector95

Sector95 commented Oct 5, 2021

Is the captcha also required for exchanging the refresh token?

@IMgoRt

IMgoRt commented Oct 5, 2021

> Is the captcha also required for exchanging the refresh token?

No, but I have to have a VPN into the USA (from the UK)

@mseminatore
Owner

@mike-lischke

> @mseminatore Yes, that's what I thought too. And that's probably the reason why many Tesla Services/Apps use a token instead of credentials for access.

All 3rd party apps use tokens as well. You can only acquire a token by providing credentials.

@mseminatore
Owner

> Is the captcha also required for exchanging the refresh token?

No, once you have a (refresh) token you can exchange it for a new token.

@stephenlindauer

What's the current status here? Is there a workaround to get a token right now with the recaptcha or are we completely stuck?

@Sector95

I bet ya Tesla likely doesn't want third party frameworks handling user credentials directly, understandably. I have a feeling this is fighting a losing battle, even if we find a workaround.

I think this framework should probably get out of the game of authenticating users itself, and instead pivot to managing and tokens acquired by other means.

Would be sweet if on initial seed of an auth token and refresh token by the framework user, the framework stored encrypted values to disk, and then returned the encryption key to the user to store however they wish. From there, subsequent calls to the framework would require that the user provide that key, and the framework would handle the token logic, including refreshing when need be.

If this is agreeable, I can do some work around enabling this kind of pattern.
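Added example (not part of the thread and not TeslaJS code): one way the encrypted token store proposed in the comment above could look in Node.js, using AES-256-GCM. The function names, the file layout and the one-day refresh margin are assumptions; the network refresh call is left to the caller, who would re-seal the new tokens with `writeSealed`.

```javascript
// Added example: hypothetical helper names, not TeslaJS API.
const crypto = require('node:crypto');
const fs = require('node:fs');

// Encrypt the token set with AES-256-GCM.
// File layout: 12-byte IV | 16-byte auth tag | ciphertext.
function writeSealed(tokens, keyB64, file) {
  const key = Buffer.from(keyB64, 'base64');
  const iv = crypto.randomBytes(12); // fresh nonce on every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(tokens), 'utf8'), cipher.final()]);
  // mode applies only when the file is created; it is ignored on Windows.
  fs.writeFileSync(file, Buffer.concat([iv, cipher.getAuthTag(), body]), { mode: 0o600 });
}

// Initial seed: generate the key, seal the tokens, hand the key back.
// This code never writes the key to disk.
function sealTokens(tokens, file) {
  const keyB64 = crypto.randomBytes(32).toString('base64');
  writeSealed(tokens, keyB64, file);
  return keyB64;
}

// Later calls: the caller supplies the key. A wrong key or a modified file
// fails GCM authentication and throws instead of returning garbage.
function openTokens(keyB64, file) {
  const key = Buffer.from(keyB64, 'base64');
  const blob = fs.readFileSync(file);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Refresh decision from created_at + expires_in (seconds), the fields shown in
// the "ownerapi" cache entry earlier in the thread; marginSec is an assumption.
function needsRefresh(tokens, nowSec = Date.now() / 1000, marginSec = 86400) {
  return nowSec >= tokens.created_at + tokens.expires_in - marginSec;
}
```
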

@rdkgit

rdkgit commented Oct 19, 2021

> There is a free IOS app called 'AuthAppForTesla'. I have this setup on my phone, and it allows me to copy to the clipboard an Access Token. I copied this to my pi, and created a .token file containing the long string, as shown above. Then, the sample code started working again for me. I think there are other ways to get an access token, this is just what I used. The app states they are only valid for 22 days, so it's really just a workaround rather than any sort of fix. Hope this helps; shout if it makes no sense. Obviously the access token would potentially allow someone to steal your car, so don't go pasting it on here!!!

Hi!

Tried that but did not work. Which of the two tokens did you use? Bummer. Loved being able to access my car from my own software.

Bobby

@DevinTyler26

> > There is a free IOS app called 'AuthAppForTesla'. I have this setup on my phone, and it allows me to copy to the clipboard an Access Token. I copied this to my pi, and created a .token file containing the long string, as shown above. Then, the sample code started working again for me. I think there are other ways to get an access token, this is just what I used. The app states they are only valid for 22 days, so it's really just a workaround rather than any sort of fix. Hope this helps; shout if it makes no sense. Obviously the access token would potentially allow someone to steal your car, so don't go pasting it on here!!!
>
> Hi!
>
> Tried that but did not work. Which of the two tokens did you use? Bummer. Loved being able to access my car from my own software.
>
> Bobby

From my experience, the tokens you get from AuthAppForTesla are not the correct tokens for the tesla owner-api. The tesla owner-api access token should start with qts- but the tokens you get from the app above start with eyJ.

I did find this site that gives you the correct access and refresh tokens for the tesla owner-api: https://tesla-info.com/tesla-token.php

@stephenlindauer

> From my experience, the tokens you get from AuthAppForTesla are not the correct tokens for the tesla owner-api. The tesla owner-api access token should start with qts- but the tokens you get from the app above start with eyJ.

Yup, and those tokens have an 8hr expiration rather than the typical 45days. Makes it not work for a lot of applications.

@rdkgit

rdkgit commented Oct 19, 2021

Thanks! The tesla-info.com/teslatoken.php worked like a charm. I used a small nodejs program to write the token to my store file and now my apps are working. Thank you! Hope the teslajs api can be fixed soon.
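Added example (not part of the thread and not TeslaJS code): a small Node.js writer for the `.token` workaround discussed above that tells a JWT-style token (the `eyJ` prefix mentioned in the comments) from an opaque one, reads the JWT expiry, and stores the file owner-only without ever logging the token. The helper names are hypothetical, and the JWT is decoded only to read `exp`, not verified.

```javascript
// Added example: hypothetical helper names; not TeslaJS code.
const fs = require('node:fs');

// Classify a pasted token without verifying or printing it. A JWT is three
// base64url segments and starts with "eyJ" (the encoding of '{"').
function describeToken(token) {
  const parts = token.split('.');
  if (parts.length === 3 && token.startsWith('eyJ')) {
    try {
      const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
      return { kind: 'jwt', expiresAt: typeof claims.exp === 'number' ? claims.exp : null };
    } catch {
      // payload is not JSON: treat as opaque below
    }
  }
  return { kind: 'opaque', expiresAt: null };
}

// Safe-to-log form: short prefix plus length, never the token itself.
function redact(token) {
  return `${token.slice(0, 4)}... (${token.length} chars)`;
}

// Write {"access_token": "..."} as in the workaround above, owner-only (0600),
// via a temp file and rename so a reader never sees a half-written file.
function writeTokenFile(file, token, nowSec = Math.floor(Date.now() / 1000)) {
  const info = describeToken(token);
  if (info.expiresAt !== null && info.expiresAt <= nowSec) {
    throw new Error(`token ${redact(token)} has already expired`);
  }
  const tmp = `${file}.tmp`;
  fs.writeFileSync(tmp, JSON.stringify({ access_token: token }), { mode: 0o600 });
  fs.chmodSync(tmp, 0o600); // enforce even if tmp already existed with looser bits
  fs.renameSync(tmp, file);
  const hoursLeft = info.expiresAt === null ? null : (info.expiresAt - nowSec) / 3600;
  return { ...info, hoursLeft, shown: redact(token) };
}
```
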
