pyicloud: 'Failed to validate the credentials from cookie'
Since yesterday I have been hitting an error when attempting to authenticate and pull calendar data.
```
Traceback (most recent call last):
  File "chadCal.py", line 28, in <module>
    api = PyiCloudService(iCloudUser, iCloudPass)
  File "/Users/chadthurston/Documents/AMPScripts/pythvirtenv/lib/python2.7/site-packages/pyicloud/base.py", line 167, in __init__
    self.authenticate()
  File "/Users/chadthurston/Documents/AMPScripts/pythvirtenv/lib/python2.7/site-packages/pyicloud/base.py", line 190, in authenticate
    raise PyiCloudFailedLoginException(msg, error)
pyicloud.exceptions.PyiCloudFailedLoginException: ('Invalid email/password combination.', PyiCloudAPIResponseError(u'Failed to validate the credentials from cookie',))
```
I have verified that the password is correct, and I am able to log in online. I did not find the bug reported here; however, the Home Assist community has a similar issue that is being tracked. It looks like it is using the pyicloud API to interact as well.
https://community.home-assistant.io/t/icloud-device-tracker-error-after-update-to-94-x/121188
About this issue
- State: open
- Created 5 years ago
- Reactions: 12
- Comments: 44 (8 by maintainers)
I’ve done a little more research and it looks like there’s an additional security check at play here - something called 2SV, which is the thing that governs whether the browser client is “trusted” or not. If it’s not, then it’ll continually reenter the HSA login sequence. Basically, it’s a GET request to the endpoint https://idmsa.apple.com/appleauth/auth/2sv/trust which gives you a header back called “X-Apple-TwoSV-Trust-Token”. You then take this token alongside the standard session token and post it back to https://setup.icloud.com/setup/ws/1/accountLogin as a post body parameter called “TrustToken”.
Failure to do so results in being 2FA-challenged repeatedly. I’m seeing what I can do about that.
https://github.com/picklepete/pyicloud/pull/207 - Just opened a pull request
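The trust token described in the comment above behaves like a long-lived credential, so a client that keeps it between runs should store it where only the owner can read it. The following is an added example, not code from pyicloud or from any commenter: it pulls the tokens out of response headers, saves them with mode 0600, and builds the accountLogin body. The `X-Apple-Session-Token` header name, the `dsWebAuthToken` field name and the session file layout are assumptions not stated on this page, and the sample values are constructed.

```python
import json
import os
import stat
import tempfile

TRUST_HEADER = "X-Apple-TwoSV-Trust-Token"  # header name from the comment above
SESSION_HEADER = "X-Apple-Session-Token"    # assumption: not named on this page


def tokens_from_headers(headers):
    """Case-insensitively pull the session and trust tokens from response headers."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = {"session_token": lowered.get(SESSION_HEADER.lower()),
             "trust_token": lowered.get(TRUST_HEADER.lower())}
    return {k: v for k, v in found.items() if v}


def save_session(path, session):
    """Write tokens atomically to a file only the owner can read (mode 0600)."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:  # mkstemp creates the file with mode 0600
        json.dump(session, fh)
    os.replace(tmp, path)


def load_session(path):
    """Load saved tokens, refusing a file that group or others can access."""
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(path + " is accessible to other users")
    with open(path) as fh:
        return json.load(fh)


def account_login_body(session):
    """Build the accountLogin POST body; without TrustToken the 2FA challenge repeats."""
    if not session.get("session_token"):
        raise ValueError("no session token: a full login is needed first")
    body = {"dsWebAuthToken": session["session_token"]}  # assumption: field name
    if session.get("trust_token"):
        body["TrustToken"] = session["trust_token"]  # parameter name from the comment
    return body


if __name__ == "__main__":
    # Constructed sample headers, not captured from a real response.
    sample = {"x-apple-session-token": "SESSION-EXAMPLE",
              "X-Apple-TwoSV-Trust-Token": "TRUST-EXAMPLE"}
    path = os.path.join(tempfile.mkdtemp(), "session.json")
    save_session(path, tokens_from_headers(sample))
    print(account_login_body(load_session(path)))
```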
421 response for calls like POST https://setup.icloud.com/setup/ws/1/login? I’m trying to understand what calls are made when the browser logs in.
So some good testing news…
I was able to make the variable name changes in the HA icloud integration (requires_2fa to requires_2sa) and install the new pyicloud package from @PeterHedley94 github. The “standard” device_tracker component is now working well and without constant notification e-mails from Apple.
Now bear in mind - my iCloud account does not have 2SV setup - so I don’t know what impact that might have. However, for my needs it’s working again. I’m able to enumerate and track the location of my Apple devices with the iCloud Find My Phone functionality.
Hopefully the pyicloud PR will get merged with a version bump. I’ll then file a PR with HA for the icloud integration variable name changes and updates to the manifest.json.
@zeeqy I have a customized version of pyicloud supporting the Home Assistant icloud3 custom component that works with the original find-my-phone and the find-my-friends code. Additional credits for the code go to:
- Original pyicloud - picklepete - https://github.com/picklepete
- Update to 2fa - Peter Hadley - https://github.com/PeterHedley94/pyicloud
- Persistent Cookies - JiaJiunn Chiou - https://github.com/chumachuma/iSync
- Find My Friends Update - Z Zeleznick - https://github.com/picklepete/pyicloud/pull/160

Right now it is on my beta repository here but will get promoted to the custom_components/icloud3 soon.
I tried this, but still getting the following errors:
@joelmoses, @walthowd Thanks for the advice. I wonder if @picklepete is going to take that on or if it will be someone else. I think the approach I may take over the next few days is to bypass iCloud completely and just use the interface with the HA ios app to get iCloud3 going again.