Login and Sync does not work anymore #28

Closed
clagger opened this issue May 7, 2021 · 20 comments · Fixed by #29

@clagger

clagger commented May 7, 2021

I noticed that the project isn't querying anymore.
Then I tried to renew the oauth token but the login is also failing (credentials are 100% correct - works via website).

A fix for this would be nice - thanks Moritz! :)

@clagger
Author

clagger commented May 24, 2021

@moritzgloeckl while debugging the code I noticed that self._cookie['gke-route'] = get_login.cookies['gke-route'] is the erroneous line in olclient.py:73.
Obviously the gke-route cookie is not part of the cookie collection of the session anymore.

I did not find any fix yet but I'll keep you up-to-date!

@talhajunaidd

It seems like now they are using google captcha

@leucinw

leucinw commented Jun 2, 2021

Hello, any progress on fixing this? thanks

@ihasdapie

I'm having the same issues as of today as well; ols login fails with "incorrect login" and Project cannot be queried for already-synced projects.

@phyjswang

Same problem here; what I obtain after correctly entering my login info is the following:

Error: Login failed. Check username and/or password.

@talhajunaidd

talhajunaidd commented Jun 5, 2021

got this email from overleaf

If you have tried to log in to your Overleaf account in the last day or so, you will have noticed that we’re asking you to reconfirm your email address and set a new password.

This is because we have reset passwords for all users who logged in to Overleaf from Friday 28 May to Monday 31 May following what we now believe was a “credential stuffing” attack during that time. This type of cyberattack involves the use of account credentials previously stolen from other services to gain unauthorised access to user accounts through large-scale automated login requests.

If you have used the same password on Overleaf and other services, it is very important that you set new passwords, both on Overleaf and on your other accounts.

To regain access to your Overleaf account, we recommend that you set (or reset) a new, strong password that is not shared with any other site. Using a free password manager is a good approach.

If you have already reset your password in response to the account reconfirmation notice, no further action is required.

Was I affected?

Our investigation has identified roughly 19,000 IP addresses that we suspect were involved in the incident. Your account does not appear to have been successfully logged into from one of these suspicious IP addresses.

We have still reset your password as a precaution, to ensure that only you can access your account, but this does not imply that your account was affected.

We encourage you to be particularly vigilant for phishing emails or other suspicious activity that could be associated with the use of any of your account credentials.

It is important to reiterate that this attack did not result in the exposure of passwords from Overleaf, rather it is likely that unrelated cyberattacks were the source of the credentials used.

Has the attack ended?

Yes. On Monday 31 May, we introduced a reCAPTCHA on the login page to deter future attacks, and we have improved our systems for detecting them. We take this type of issue very seriously and shall continue doing everything we can to protect your accounts. 

They have added google recaptcha on login page.

@Jonathan-LeRoux

I am having the same issue with my own Overleaf backup tool (forked from tbmihailov's and in which I took some login code from this repo) except that I get a "Bad Request" response.
Is going through the reCaptcha verification via Python requests a thing?
I got as far as getting the Overleaf sitekey, which is not much :)
data_sitekey=BeautifulSoup(get_login.content, 'html.parser').find('div', {'class': 'g-recaptcha'}).get('data-sitekey')

@talhajunaidd

Another way to overcome this problem is to open up a browser window and ask the user to log in; on login we can grab the cookie and use that.

@moritzgloeckl
Owner

Hello everyone and thank you for your research on this.

I'm currently a bit busy, hence why I'm only replying now, sorry about that. Since they added reCaptcha it'll probably be quite hard to still have the authentication on the command line. Guess it's nearly impossible, if there's not an official tool by Google to have this built in. So we probably need to extract the authentication by opening a browser window as mentioned by @talhajunaidd - I'm gonna think of a way on how to do that, it's probably not that easy either and will take some time. But I'll leave this open so if you all have any suggestions feel free to comment here (PRs are always welcome too!).

Thanks,
Moritz

@clagger
Author

clagger commented Jun 7, 2021

@moritzgloeckl using a selenium based login would work definitely!
Unfortunately, I don't have time for a quick implementation right now either :(

@moritzgloeckl
Owner

@clagger Selenium would be an option, but I think it'll add a huge dependency and the user is required to have a specific browser installed. I'm rather thinking towards having a Qt-based web view with nothing more than just rendering the page and extracting the cookie once login was successful. I'm gonna come up with a quick POC and see if that would work!

@talhajunaidd

@moritzgloeckl I've done a little POC on it; I'm able to grab the cookies.

please review the gist

https://gist.github.com/talhajunaidd/25d657c63268d7e3b668c28cd2a18540

@moritzgloeckl
Owner

@talhajunaidd Yes this is exactly what I was thinking. So I will add something like this to overleaf-sync hopefully soon. On which OS did you test this? It would be nice to have at least Linux, Mac, and Windows sorted to make sure this works as expected.

moritzgloeckl self-assigned this Jun 7, 2021
moritzgloeckl added the bug (Something isn't working) label Jun 7, 2021

@Jonathan-LeRoux

I wanted to try @talhajunaidd's solution on Windows but getting PyQt5 to work under Anaconda seems to be a pain on my machine. I'm getting

from PyQt5.QtWebEngineCore import QWebEngineUrlRequestInterceptor
ImportError: DLL load failed: The specified procedure could not be found.

As was also mentioned by @talhajunaidd, it's pretty straightforward to just grab the relevant information to build the auth cookie (namely the 'GCLB' and 'overleaf_session2' fields) in a regular browser using Web Developer Tools. Sadly, probably easier than to get PyQt5 to work on my end...
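
The manual route described in the comment above, as an added example that is not part of the thread or of overleaf-sync's code: it parses a Cookie header copied from browser developer tools, reports a missing cookie by name instead of the bare KeyError that the `gke-route` lookup produced earlier in the thread, and stores the session cookie readable by its owner only. Only the cookie names come from the thread; the function names, file name and sample values are assumptions.

```python
import json
import os
import stat
from http.cookies import SimpleCookie

# Cookie names quoted in the comment above; everything else here is assumed.
REQUIRED = ("GCLB", "overleaf_session2")

# Constructed sample of a Cookie header copied from browser developer tools.
SAMPLE_HEADER = "GCLB=CONSTRUCTED_GCLB; overleaf_session2=s%3Aconstructed.sig; other=1"


def parse_cookie_header(header):
    """Return only the required cookies, or raise naming the missing ones."""
    jar = SimpleCookie()
    jar.load(header)
    found = {name: morsel.value for name, morsel in jar.items()}
    missing = [name for name in REQUIRED if not found.get(name)]
    if missing:
        # A named error instead of the bare KeyError a direct lookup raises.
        raise ValueError("missing cookie(s): " + ", ".join(missing))
    return {name: found[name] for name in REQUIRED}


def save_cookie(cookie, path):
    """Write the session cookie as JSON, readable by the owner only."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.chmod(path, 0o600)  # tighten a pre-existing file before writing
        json.dump(cookie, fh)


def load_cookie(path):
    """Refuse a cookie file that group or others can read or write."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        raise PermissionError(f"{path} has mode {oct(mode)}, expected 0o600")
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    import tempfile
    target = os.path.join(tempfile.mkdtemp(), "session.json")  # hypothetical name
    save_cookie(parse_cookie_header(SAMPLE_HEADER), target)
    print(sorted(load_cookie(target)))
```

The session cookie is a bearer credential for the account, which is why the file is kept at mode 0600 and rejected on load when its permissions are wider.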

@talhajunaidd

> @talhajunaidd Yes this is exactly what I was thinking. So I will add something like this to overleaf-sync hopefully soon. On which OS did you test this? It would be nice to have at least Linux, Mac, and Windows sorted to make sure this works as expected.

I've tested it on Linux.

@moritzgloeckl
Owner

Hello @everyone, I have pushed a beta branch called update-login-flow here; it would be great if a few people could test this! This should fix the login issue by opening a Qt5-based web view, logging in there and extracting the cookies and csrf. The base command line utility has not changed much. Code suggestions are also always welcome. If this passes the test I will create a new release soon, so you all can start focusing on your research projects again ;-)

@talhajunaidd

Can you please create a MR so that it's easy to review.
Just noticed that we need to update the requirements file.

@moritzgloeckl
Owner

@talhajunaidd I've created a PR for this issue.

@talhajunaidd

@moritzgloeckl can we please put a please?

@moritzgloeckl
Owner

Hello everyone,

Great news: a fix has been developed and a new release pushed to PyPI. Please make sure you're using the now latest version 1.1.5. As mentioned in this thread, the login flow changed and is now opening a self-contained mini browser to handle the login and CAPTCHA. Of course, your login credentials are still secure and NOT accessed by overleaf-sync.

Thank you to @talhajunaidd and @ndgnuh for reviewing the PR and testing the new changes.

I'd like to invite everyone to test the new login flow, and if you should notice any bugs, please create a new bug ticket. This bug ticket will be closed.

moritzgloeckl linked a pull request Jun 27, 2021 that will close this issue