hydroxide: Login temporaroly not permitted

@dvalter Didn’t work on my end. I logged into an Incognito tab to ProtonMail and copied the Cookie Session ID and tried to pass that as an argument, it still says the same.

So I’ve been digging around and I think I might have a few theories on why this is happening:

1. The new web client came out, and with that, a new modulus pubkey for SRP. That being said, it seems that WebClient uses the same exact key
2. The API has changed and this one is depreciated now. Although I looked at the python one and it used the same exact API it seemed
3. ProtonMail has a way of detecting if the client sending is actually the bridge or not.

Things I’ve tried are:

• Using old.protonmail.com as the API URL instead of protonmail.ch (To see if it’s an API issue, as maybe the old WebUI has a different auth API than the new one)
• Changing the client version to the same as the new web client

Things I’ve noticed are:

• It seems the server doesn’t even get to the point of checking the password, since you can put in an incorrect password and still get the same error (9001)
• I don’t get this same error from the same exact connection when logging into the WebUI (Same exact computer)
• I seem to get this same error on all my machines, regardless of connection and location

Lemme know if there’s any more info that would help. I have been looking through the WebClient source code and honestly this whole thing feels like a mess of spaghetti, but I’m trying to figure out how exactly they are doing their API.

Man times like this just make me with ProtonMail would just release a documented API already. Even a poorly documented one would be better than this.

EDIT: I did a bit more digging and it seems the WebClient requires a human verification when 9001 occurs, so maybe something for this needs to be implemented?

EDIT 2: I went and cleared my cookies for ProtonMail as well and was not shown a captcha or anything of the sort, so that’s odd as well.

Oh, I would like to, but I am still too much of a novice on Github, but this is what I did: Open the file hydroxide/cmd/hydroxide/main.go Change lines 38 & 39 from

		RootURL:    "https://mail.protonmail.com/api",
		AppVersion: "Web_3.16.6",

to

		RootURL:    "https://old.protonmail.com/api",
		AppVersion: "Web_3.16.65",

Recompile hydroxide with the command: GO111MODULE=on go build ./cmd/hydroxide Authorixe hydroxide with the command: hydroxide auth [user.name]

And you should be good to go!

I have the same problem @dvalter workaround did not work on my end, even when having the same ip address

I have tested on newest master (so it uses the old. subdomain) and also have tried the cookie workaround on it. Neither seems to work now.

Protonmail seems to refresh the cookie as soon as I attempt to log in with hydroxide.

I think this issue should be reopened.

Looks like the only hope now is #184, I really hope Proton does not do this intentionally.

Unfortunately, even with the old endpoint and Web_3.16.65, I am seeing the error:

2021/07/27 13:10:53 request failed: POST https://old.protonmail.com/api/auth: [9001] Login temporarily not permitted from your connection for security reasons, please try again later. Using a VPN may cause this error
2021/07/27 13:10:53 [9001] Login temporarily not permitted from your connection for security reasons, please try again later. Using a VPN may cause this error

If it’s worth noting, I cloned hydroxide only after https://github.com/emersion/hydroxide/pull/183 was merged. So, that means I didn’t have to make any changes to this line myself:

https://github.com/emersion/hydroxide/blob/master/cmd/hydroxide/main.go#L39

Thanks @tomoqv for sharing your research! I tested your fix and it works. I got you covered and have submitted #183

On a fresh build of hydroxide, I no longer have this issue. I recommend rebuilding hydroxide after removing all the config and cache files