Comments (8)

jkap commented on September 12, 2024

i think you may have already seen this, but iliana had a good writeup on What Specific Base64 Bullshit is going on (spoiler: it's a join inaccuracy between sodium and the client-side arraybuffer library we use, that we never noticed because they're both broken in the same way) but the good news is the workaround isn't that bad, just dumb, and already mostly described in this thread https://cohost.org/iliana/post/180187-eggbug-rs-v0-1-3-d

EDIT LIKE A MINUTE LATER: wait i'm a dumbass and just saw that y'all already solved this. ignore everything i said and keep up the good work

from cohost.py.

CrCrate commented on September 12, 2024

that's strange, could you try with this login function?

import base64
from hashlib import pbkdf2_hmac

# fetch() is the project's helper in cohost/network.py;
# User is the class in cohost/models/user.py
def login(email, password):
    # base64 terribleness
    salt = fetch("GET", "/login/salt", {"email": email})['salt']
    # pad the salt to a multiple of 4 characters before decoding
    if len(salt) % 4:
        salt = salt + "=" * (4 - len(salt) % 4)
    saltDecoded = base64.b64decode(salt.encode("ascii"))

    # generating the hash
    hash = pbkdf2_hmac("sha384", password.encode("utf-8"), saltDecoded, 200000, 128)
    clientHash = base64.b64encode(hash).decode("ascii")

    # getting cookie
    res = fetch("POST", "/login", {"email": email, "clientHash": clientHash}, complex=True)
    sessionCookie = res['headers']['set-cookie'].split(";")[0].split("=")[1]

    u = User(sessionCookie)
    # if no error we're good
    u.userInfo
    return u

valknight commented on September 12, 2024

Yup! Same thing. Stacktrace below:

(Cohost.py) ➜  Cohost.py git:(main) ✗ python loginWithPass.py
Traceback (most recent call last):
  File "/Users/val.knight/Documents/src/git/Cohost.py/loginWithPass.py", line 4, in <module>
    User.login(userName, userPass)
  File "/Users/val.knight/Documents/src/git/Cohost.py/cohost/models/user.py", line 98, in login
    res = fetch("POST", "/login", {"email": email, "clientHash": clientHash}, complex=True) 
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/val.knight/Documents/src/git/Cohost.py/cohost/network.py", line 53, in fetch
    raise Exception(res)
Exception: {'status': 422, 'message': 'Login Failed'}

Interestingly, if I add a character to my username (taking it from 21 characters to 22 characters) I just get an (expected)

(Cohost.py) ➜  Cohost.py git:(main) ✗ python loginWithPass.py
Traceback (most recent call last):
  File "/Users/val.knight/Documents/src/git/Cohost.py/loginWithPass.py", line 4, in <module>
    User.login(userName, userPass)
  File "/Users/val.knight/Documents/src/git/Cohost.py/cohost/models/user.py", line 98, in login
    res = fetch("POST", "/login", {"email": email, "clientHash": clientHash}, complex=True) 
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/val.knight/Documents/src/git/Cohost.py/cohost/network.py", line 53, in fetch
    raise Exception(res)
Exception: {'status': 422, 'message': 'Login Failed'}

I'll try changing my Cohost account to use an email with an extra character in - if that works, it's just wrangling the base64 function into working.

There's also a great writeup by @iliana who's implemented this in eggbug.rs - I'm going to try to find time and port this b64 function into Python (I tried it with JS but my brain and JavaScript just Do Not Collaborate)

valknight commented on September 12, 2024

got it!

we have to replace "_" and "-" with just "A" or it breaks - code sample as follows

[...]
salt = fetch("GET", "/login/salt", {"email": email})['salt']
salt = salt.replace('-', 'A')
salt = salt.replace('_', 'A')
salt = salt + "=="
[...]

i'll work on pushing out a new version now :)

thanks so much for the PR!

valknight commented on September 12, 2024

Ok! Pushed the changes, and I've published a new version to pypi. I'll close this, but, if we have issues again with login, I'll reopen this issue.

release link: https://github.com/valknight/Cohost.py/releases/tag/release%2F0.2.0

CrCrate commented on September 12, 2024

oh! i’ve seen this as a possible solution, didn’t think it was the issue as my salt didn’t contain that. using base64.urlsafe_b64decode was recommended instead of base64.b64decode as the proper way to fix it (i think it’s for this exact issue), give it a go if you can.

valknight commented on September 12, 2024

ah! let me try that real quick :)

valknight commented on September 12, 2024

Yeah, that hits me with good friend Exception: {'status': 422, 'message': 'Login Failed'}

I'll keep this issue open, but I'll change the title to "clean up base64 weirdness", considering login stuff is now working 😄
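
Added example, not part of the thread or of Cohost.py: it runs the two salt decodings discussed above (the replace-with-"A" workaround and base64.urlsafe_b64decode) through the same PBKDF2 parameters as the posted login function, showing that they only agree when the salt contains no "-" or "_". The salts, the password and all function names are constructed for illustration.

```python
import base64
from hashlib import pbkdf2_hmac

# Constructed sample values, not real salts or credentials.
SALT_URLSAFE = "q3-Zk_9xT0aB7cDeFgHiJg"   # 22 chars, contains '-' and '_'
SALT_PLAIN = "q3AZkA9xT0aB7cDeFgHiJg"     # same salt with neither character
PASSWORD = "correct horse battery staple"


def decode_salt_workaround(salt: str) -> bytes:
    """Thread workaround: turn '-' and '_' into 'A', then append '=='."""
    salt = salt.replace("-", "A").replace("_", "A")
    return base64.b64decode(salt + "==")


def decode_salt_urlsafe(salt: str) -> bytes:
    """Suggested alternative: pad to a multiple of 4, decode as URL-safe base64."""
    padded = salt + "=" * (-len(salt) % 4)
    return base64.urlsafe_b64decode(padded)


def client_hash(password: str, salt_bytes: bytes) -> str:
    """PBKDF2-HMAC-SHA384, 200000 rounds, 128-byte output, as in login()."""
    digest = pbkdf2_hmac("sha384", password.encode("utf-8"), salt_bytes, 200000, 128)
    return base64.b64encode(digest).decode("ascii")


def compare(salt: str, password: str = PASSWORD) -> dict:
    """Report whether both decodings give the same salt bytes and clientHash."""
    a, b = decode_salt_workaround(salt), decode_salt_urlsafe(salt)
    return {
        "workaround_salt": a.hex(),
        "urlsafe_salt": b.hex(),
        "same_salt": a == b,
        "same_client_hash": client_hash(password, a) == client_hash(password, b),
    }


if __name__ == "__main__":
    for name, salt in (("with -/_", SALT_URLSAFE), ("without -/_", SALT_PLAIN)):
        print(name, compare(salt))
```

A salt without "-" or "_" decodes identically either way, which matches the report above of a salt that never hit the problem.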
