fix(drivers/139): Address login logic loop defect #1974
- Implemented a pre-auth validation check to prevent unnecessary logins when a valid session token exists.
- Enhanced header sanitization to separate device fingerprint from session tokens, preventing login failures.
- Added risk control handling to detect and stop login attempts when rate-limited.
fix(139yun): Address login logic loop defect
Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.
- Implemented a pre-auth validation check to prevent unnecessary logins when a valid session token exists.
- Enhanced header sanitization to separate device fingerprint from session tokens, preventing login failures.
- Added risk control handling to detect and stop login attempts when rate-limited.
- Ensured a fixed order for sanitized cookies as per PR feedback.

- Implemented a pre-auth validation check to prevent unnecessary logins when a valid session token exists.
- Enhanced header sanitization to separate device fingerprint from session tokens, preventing login failures.
- Added risk control handling to detect and stop login attempts when rate-limited.
- Ensured a fixed order for sanitized cookies as per PR feedback.
- Improved pre-auth error handling to correctly differentiate between network errors and blocked redirects.

- Implemented a pre-auth validation check to prevent unnecessary logins when a valid session token exists.
- Enhanced header sanitization to separate device fingerprint from session tokens, preventing login failures.
- Added risk control handling to detect and stop login attempts when rate-limited.
- Ensured a fixed order for sanitized cookies as per PR feedback.
- Improved pre-auth error handling to correctly differentiate between network errors and blocked redirects.
- Formatted code with `go fmt`.

- Implemented a pre-auth validation check to prevent unnecessary logins when a valid session token exists.
- Enhanced header sanitization to separate device fingerprint from session tokens, preventing login failures.
- Added risk control handling to detect and stop login attempts when rate-limited.
- Ensured a fixed order for sanitized cookies as per PR feedback.
- Improved pre-auth error handling to correctly differentiate between network errors and blocked redirects.
- Formatted code with `go fmt`.
- Added validation for MailCookies format to prevent invalid requests.

- Implemented a pre-auth validation check to prevent unnecessary logins when a valid session token exists.
- Enhanced header sanitization to separate device fingerprint from session tokens, preventing login failures.
- Added risk control handling to detect and stop login attempts when rate-limited.
- Ensured a fixed order for sanitized cookies as per PR feedback.
- Improved pre-auth error handling to correctly differentiate between network errors and blocked redirects.
- Formatted code with `go fmt`.
- Added validation for MailCookies format to prevent invalid requests.
- Refactored the `request` function to remove goto and reduce nesting.
Fix 139 yun login loop
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 10 comments.
This commit addresses several issues in the 139 driver, including:
- A concurrency issue in preAuthLogin by creating a new resty client instance.
- Removal of sensitive data from logs to prevent credential exposure.
- Improved MailCookies validation to ensure it contains at least one name=value pair.
- Corrected an inaccurate error message for better accuracy.
- Clarified the sanitizeLoginCookies function with a comment.
- Standardized error handling in preAuthLogin to allow a fallback to password login.
- Fixed a mixed-language comment for consistency.
- Strengthened a fragile error check by examining the underlying error type.

This commit addresses a concurrency issue that occurred when creating multiple instances of the 139 driver. The issue was caused by modifying the global `resty` client's redirect policy, which is not thread-safe. This commit fixes the issue by:
- Creating a new `resty` client instance in `step1_password_login` to avoid modifying the global client.
- Reverting a previous change to the error handling in `preAuthLogin` that was incorrect.
These changes ensure that each driver instance has its own `resty` client, preventing race conditions and allowing multiple instances of the driver to be created without errors.

This commit fixes a regression where the `RMKEY` cookie was not being correctly extracted from the login response. This was caused by a previous change that switched to a local `resty` client but did not update the cookie extraction logic. This commit fixes the issue by:
- Correctly parsing the cookies from the HTTP response.
- Merging the new cookies with the existing `MailCookies`.
This ensures that the `RMKEY` is properly saved and used in subsequent steps, allowing the login process to complete successfully.
fix(drivers/139): Address multiple issues in 139 driver
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 6 comments.
| orderedCookieNames := []string{ | ||
| "behaviorid", | ||
| "Os_SSo_Sid", | ||
| "_139_index_isLoginType", | ||
| "_139_login_version", | ||
| "Login_UserNumber", | ||
| "cookiepartid8011", | ||
| "_139_login_agreement", | ||
| "UserData", | ||
| "rmUin8011", | ||
| "cookiepartid", | ||
| "UUIDToken", | ||
| "SkinPath28011", | ||
| "cbauto", | ||
| "areaCode8011", | ||
| "cookieLen", | ||
| "DEVICE_INFO_DIGEST", | ||
| "JSESSIONID", | ||
| "loginProcessFlag", | ||
| "provCode8011", | ||
| "S_DEVICE_TOKEN", | ||
| "taskIdCloud", | ||
| "UserNowState", | ||
| "UserNowState8011", | ||
| "ut8011", | ||
| } |
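Review bot: The allowlist in `orderedCookieNames` keeps `JSESSIONID`, `Os_SSo_Sid`, `UUIDToken` and `S_DEVICE_TOKEN`, whose names read as session or token identifiers, while the stated goal of the sanitization is to separate the device fingerprint from session tokens. Add a comment above the slice saying why each of these is safe to replay on a fresh login, and consider moving it from a local `:=` to a package-level `var` so the allowlist is defined once and can be covered by a unit test.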
Copilot
AI
Jan 14, 2026
The sanitizeLoginCookies function doesn't filter out authentication tokens like "a_l" and "a_l2" from the allowlist. According to the PR description, the problem is that carrying old a_l/a_l2 tokens in the login request triggers security protection. However, these tokens are not in the orderedCookieNames list, so they won't be included in the sanitized output. This appears to be working as intended, but it would be helpful to add a comment explaining that authentication tokens are intentionally excluded to prevent triggering security controls.
drivers/139/util.go
Outdated
| } | ||
| } | ||
|
|
||
| if resp.StatusCode() == 302 { |
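Review bot: The literal `302` in `if resp.StatusCode() == 302` should be `http.StatusFound`, and as written the branch ignores every other redirect status. If the login endpoint only ever answers with 302, say so in a comment next to the check; otherwise test for the 3xx range so a 303 or 307 response is not treated as a failed login.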
Copilot
AI
Jan 14, 2026
There is a potential nil pointer dereference issue. If the request at line 1331 fails with a non-redirect error, the response object resp might be nil when checking resp.StatusCode() at line 1343. The code should verify that resp is not nil before accessing its methods.
Co-authored-by: UcnacDx2 <[email protected]>
…sent Co-authored-by: UcnacDx2 <[email protected]>
… Password) Co-authored-by: UcnacDx2 <[email protected]>
…nd enforce password validation Optimize 139 driver login flow - eliminate unnecessary HTTP request and enforce password validation
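Description
Users have reported running into login problems, with the following error message returned:
Failed init storage: login with password failed: failed to extract sid or cguid from login response
Investigation shows that the 139 cloud drive driver currently has a logic loop defect when handling the initial login:
- in the case of a_l/a_l2 tokens, password_login (password login) is still attempted, which sends frequent failing requests to the China Mobile login interface within a short time and triggers the ec=PML401010062 (rate limit / risk control) error.
- Login.ashx), if the Header carries old a_l/a_l2 tokens and the like, the server's security protection mechanism is triggered and the sid parameter is missing from the redirect link.
Motivation and Context
Relates to #XXXX
How Has This Been Tested?
Filled in 189mail cookies in the following different states:
① Device authentication not performed
② Device authentication performed, currently logged in
③ Device authentication performed, currently logged out
Checklist
I have read the CONTRIBUTING document.
I have formatted the submitted code with go fmt or prettier.
I have added appropriate labels to this PR (if you lack permission or the required label does not exist, please say so in the description and an administrator will handle it later).
I have used the "Request review" feature to request review from the relevant code authors where appropriate.
I have updated the related repositories accordingly (if applicable).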
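
The header sanitization this PR describes (a fixed-order allowlist that never forwards the old a_l/a_l2 tokens, plus the check that the cookie string holds at least one name=value pair), as an added Go example that is not the driver's own code. The function names, the shortened allowlist and the sample header are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// allowedOrder is a shortened subset of the cookie names in the review excerpt;
// a_l and a_l2 are left out so stale auth tokens never reach the login endpoint.
var allowedOrder = []string{"behaviorid", "Os_SSo_Sid", "Login_UserNumber", "DEVICE_INFO_DIGEST", "JSESSIONID", "S_DEVICE_TOKEN"}

// parseCookies splits a raw Cookie header into name/value pairs and rejects
// input that has no name=value pair at all.
func parseCookies(raw string) (map[string]string, error) {
	pairs := make(map[string]string)
	for _, part := range strings.Split(raw, ";") {
		name, value, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok || name == "" {
			continue // skip fragments such as "" or "flag" without '='
		}
		pairs[name] = value
	}
	if len(pairs) == 0 {
		return nil, errors.New("cookie string contains no name=value pair")
	}
	return pairs, nil
}

// sanitizeCookieHeader keeps only allowlisted cookies, always in the same order.
func sanitizeCookieHeader(raw string) (string, error) {
	pairs, err := parseCookies(raw)
	if err != nil {
		return "", err
	}
	kept := make([]string, 0, len(allowedOrder))
	for _, name := range allowedOrder {
		if v, ok := pairs[name]; ok {
			kept = append(kept, name+"="+v)
		}
	}
	return strings.Join(kept, "; "), nil
}

func main() {
	// Constructed sample header: device fingerprint mixed with stale a_l/a_l2.
	raw := "a_l=old1; JSESSIONID=abc; a_l2=old2; behaviorid=42; DEVICE_INFO_DIGEST=d=="
	fmt.Println(sanitizeCookieHeader(raw))
}
```

Because the output is built by walking the allowlist rather than the input, the header is byte-identical across runs regardless of the order in which the stored cookies arrive.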