Sling TV login 401 in Selenium

[CrymanChen]

I was trying to log into Sling TV via Selenium. However, it returned HTTP 401 Unauthorized each time.

Here's the code below:

Code:

from selenium import webdriver

def _perform_login():
    STEALTH_JS = r'stealth.min.js'
    with open(STEALTH_JS) as f:
        js = f.read()
    options = webdriver.ChromeOptions()
    options.add_argument("--log-level=3")
    driver = webdriver.Chrome(options=options)

    driver.execute_cdp_cmd(
        cmd="Page.addScriptToEvaluateOnNewDocument",
        cmd_args={"source": js}
    )
    driver.get("https://www.sling.com/sign-in")
    driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[1]/div[1]/input").send_keys("<ACCOUNT>")
    driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[2]/div/input").send_keys("<PASSWORD>")

    driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/button").click()
    time.sleep(60)
...

I've been loading "stealth.min.js" to bypass some detections but still couldn't make it.

[Attachment 81751 - Click to enlarge]
"stealth.min.js" has been uploaded in the attachment as a zip instead of a js file.
Does anyone have a clue? Appreciate y'all.

P.S. Account registration is for free. And there are free contents (Sling Freestream) on it.

[october262]

I was trying to log into Sling TV via Selenium. However, it returned HTTP 401 Unauthorized each time.

Here's the code below:

Code:

from selenium import webdriver

def _perform_login():
    STEALTH_JS = r'stealth.min.js'
    with open(STEALTH_JS) as f:
        js = f.read()
    options = webdriver.ChromeOptions()
    options.add_argument("--log-level=3")
    driver = webdriver.Chrome(options=options)

    driver.execute_cdp_cmd(
        cmd="Page.addScriptToEvaluateOnNewDocument",
        cmd_args={"source": js}
    )
    driver.get("https://www.sling.com/sign-in")
    driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[1]/div[1]/input").send_keys("<ACCOUNT>")
    driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[2]/div/input").send_keys("<PASSWORD>")

    driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/button").click()
    time.sleep(60)
...

I've been loading "stealth.min.js" to bypass some detections but still couldn't make it.

[Attachment 81751 - Click to enlarge]
"stealth.min.js" has been uploaded in the attachment as a zip instead of a js file.
Does anyone have a clue? Appreciate y'all.

P.S. Account registration is for free. And there are free contents (Sling Freestream) on it.

try these tips under "sign in error codes" - https://www.sling.com/help/en/troubleshooting/error-messages

[2nHxWW6GkN1l916N3ayz8HQoi]

Is a selenium login better than direct API calls via a script?

Edit: they have captchas, I only noticed now

[CrymanChen]

Is a selenium login better than direct API calls via a script?

Edit: they have captchas, I only noticed now

Yes, originally I was trying to login with requests directly.
But in the login payload there's a responseToken which came from hCaptcha just like you mentioned.

Code:

data = {
    "username": "<ACCOUNT>",
    "password": "<PASSWORD>",
    "responseToken": "......",
    "foo": "bar",
}

So I turned to Selenium, and found that I always got 401.

[CrymanChen]

When I was coding scripts for other services, and found that this site uses some sort of reCaptcha, I would use Selenium and load "stealth.min.js". In most cases the problem solved except for this one today. I've got no idea now.

[2nHxWW6GkN1l916N3ayz8HQoi]

Just so I can understand. What is the purpose of this stealth.min.js? Bypassing the captcha? You could allow the user to manually solve the captcha in your script, and just automating the login flow using the generated responseToken

[Karoolus]

Can you use the mobile API, as I assume they don't let you solve captchas when you load the app?

[CrymanChen]

Just so I can understand. What is the purpose of this stealth.min.js? Bypassing the captcha? You could allow the user to manually solve the captcha in your script, and just automating the login flow using the generated responseToken

As far as I know, stealth.min.js lets browser bypass some detections about Selenium, so that the request can function well.

and just automating the login flow using the generated responseToken

That's true. I'll check that later. Thank you.

[CrymanChen]

Can you use the mobile API, as I assume they don't let you solve captchas when you load the app?

I tried to do so. But by inspecting their APP, I found that they used some sort of HMAC signature just like what Peacock does.
And there's also captcha on the APP, so I guess I'll still try the browser method that @2nHxWW6GkN1l916N3ayz8HQoi mentioned.

[2nHxWW6GkN1l916N3ayz8HQoi]

That's true. I'll check that later. Thank you.

I know it's not the same captcha. But here is an example for google captcha. It worked then, may not work now. The point is to show it can be done.

https://forum.videohelp.com/threads/414049-dtvgo-gh-keys#post2730785

Captchas are a major pain. And semi-automating them + cache mechanism may be the best solution. It's true that you can automate them completely using computer vision + machine learning, but that's just a silly mouse/cat game. The point of a captcha is to stop you from automating it.

[CrymanChen]

Yes you're right, if auto-login keeps to be failed, why don't we just get what we want and "walk out"

[CrymanChen]

Guys, just jumped into codes for a while, and was trying to get the captcha token and then use it to log in via curl_cffi.requests module.
I got the same result as the one when I got on Selenium, HTTP 401.

[Attachment 81757 - Click to enlarge]

Seems that this site has some sort of detections.

[2nHxWW6GkN1l916N3ayz8HQoi]

Could you paste the code here? Don't forget to remove password/email

[CrymanChen]

Sure.

Code:

import json
import time
from curl_cffi import requests
from seleniumwire import webdriver
from seleniumwire.utils import decode
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait


def _perform_login():
    responseToken = None
    chrome_options = webdriver.ChromeOptions()
    chrome_options.add_argument("--log-level=3")
    
    sw_options = {
        "proxy": {
            "http": "http://127.0.0.1:7890",
            "https": "http://127.0.0.1:7890"
        }
    }
    
    driver = webdriver.Chrome(
        options=chrome_options,
        seleniumwire_options=sw_options
    )
    driver.get("https://www.sling.com/sign-in")
    WebDriverWait(driver, 10).until(
        EC.presence_of_element_located((By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[1]/div[1]/input"))
    )
    username_input = driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[1]/div[1]/input")
    username_input.send_keys("<USERNAME>")  # input username
    password_input = driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[2]/div/input")
    password_input.send_keys("<PASSWORD>")  # input password
    signIn_button = driver.find_element(By.CSS_SELECTOR, "#main > section > div > div > div.account-form.parbase.aem-GridColumn.aem-GridColumn--default--12 > div > div > div > div > div > div > div.sc-kfGgVZ.fikudy > form > div > button")
    signIn_button.click()
    
    def wait_for_request(driver, url_substring):
        for request in driver.requests:
            if url_substring in request.url:
                time.sleep(3)
                return True
        return False
    WebDriverWait(driver, 20).until(lambda d: wait_for_request(d, "https://api.hcaptcha.com/checkcaptcha"))

    for request in driver.requests:
        if request.method == "POST" and request.host == "api.hcaptcha.com" and "checkcaptcha" in request.url:
            body = decode(request.response.body, request.response.headers.get("Content-Encoding", "identity")).decode("utf-8")
            responseToken = json.loads(body)["generated_pass_UUID"]
            break

    driver.quit()

    authenticate = requests.post(
        url="https://ms.p.sling.com/sling-api/oauth-helper/alpha/authenticate",
        headers={
            "Authorization": "null",
            "Referer": "https://www.sling.com/",
            "Origin": "https://www.sling.com",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
        },
        json={
            "username": "<USERNAME>",
            "password": "<PASSWORD>",
            "clientId": "aem_agentless_idp_client",
            "siteKey": "3a45a762-80c1-4be9-b1f2-aa60cb9b0d4d",  # Maybe constant
            "responseToken": responseToken,
            "flowName": "login"
        },
        proxies={"http": "http://127.0.0.1:7890", "https": "http://127.0.0.1:7890"},
        impersonate="chrome120"
    )
    authenticate.raise_for_status()
    with open("authenticate.json", "w") as f:
        f.write(authenticate.text)

[CrymanChen]

When I was intercepting traffic from my Android device, I found that there's also an HTML called "hcaptcha.html" in which there's a bunch of codes containing HMAC calculation.
https://newassets.hcaptcha.com/captcha/v1/503a6fc/static/hcaptcha.html

[october262]

Sure.

Code:

import json
import time
from curl_cffi import requests
from seleniumwire import webdriver
from seleniumwire.utils import decode
from selenium.webdriver.common.by import By
from selenium.webdriver.support import expected_conditions as EC
from selenium.webdriver.support.ui import WebDriverWait


def _perform_login():
    responseToken = None
    chrome_options = webdriver.ChromeOptions()
    chrome_options.add_argument("--log-level=3")
    
    sw_options = {
        "proxy": {
            "http": "http://127.0.0.1:7890",
            "https": "http://127.0.0.1:7890"
        }
    }
    
    driver = webdriver.Chrome(
        options=chrome_options,
        seleniumwire_options=sw_options
    )
    driver.get("https://www.sling.com/sign-in")
    WebDriverWait(driver, 10).until(
        EC.presence_of_element_located((By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[1]/div[1]/input"))
    )
    username_input = driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[1]/div[1]/input")
    username_input.send_keys("<USERNAME>")  # input username
    password_input = driver.find_element(By.XPATH, "/html/body/main/section/div/div/div[3]/div/div/div/div/div/div/div[2]/form/div/div[2]/div/input")
    password_input.send_keys("<PASSWORD>")  # input password
    signIn_button = driver.find_element(By.CSS_SELECTOR, "#main > section > div > div > div.account-form.parbase.aem-GridColumn.aem-GridColumn--default--12 > div > div > div > div > div > div > div.sc-kfGgVZ.fikudy > form > div > button")
    signIn_button.click()
    
    def wait_for_request(driver, url_substring):
        for request in driver.requests:
            if url_substring in request.url:
                time.sleep(3)
                return True
        return False
    WebDriverWait(driver, 20).until(lambda d: wait_for_request(d, "https://api.hcaptcha.com/checkcaptcha"))

    for request in driver.requests:
        if request.method == "POST" and request.host == "api.hcaptcha.com" and "checkcaptcha" in request.url:
            body = decode(request.response.body, request.response.headers.get("Content-Encoding", "identity")).decode("utf-8")
            responseToken = json.loads(body)["generated_pass_UUID"]
            break

    driver.quit()

    authenticate = requests.post(
        url="https://ms.p.sling.com/sling-api/oauth-helper/alpha/authenticate",
        headers={
            "Authorization": "null",
            "Referer": "https://www.sling.com/",
            "Origin": "https://www.sling.com",
            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
        },
        json={
            "username": "<USERNAME>",
            "password": "<PASSWORD>",
            "clientId": "aem_agentless_idp_client",
            "siteKey": "3a45a762-80c1-4be9-b1f2-aa60cb9b0d4d",  # Maybe constant
            "responseToken": responseToken,
            "flowName": "login"
        },
        proxies={"http": "http://127.0.0.1:7890", "https": "http://127.0.0.1:7890"},
        impersonate="chrome120"
    )
    authenticate.raise_for_status()
    with open("authenticate.json", "w") as f:
        f.write(authenticate.text)

see if this here will help - https://www.reddit.com/r/Python/comments/18dfcbp/how_to_bypass_recaptcha_in_selenium_automatically/

[CrymanChen]

Thanks, but I'm afraid not. It's relying on 2captcha which is not free.

[2nHxWW6GkN1l916N3ayz8HQoi]

Alright, so. In short I think selenium is detected by hcaptcha. First of all I removed the proxy servers in your script just so I could run it. I printed responseToken in 3 browsers, firefox, chrome and selenium chrome. Regarding length of encoded string, firefox and chrome were close. Selenium chrome was 2x. So major red flags. With curl cf I got 401. Without I got 403 in selenium. Then I did this just to see if there were other detections.

I went to normal chrome and placed a breakpoint right before it does post for login in js code. I wanted to make sure that responseToken wasn't consumed and that neither other types of requests were set of in background. I noticed the responseToken had duration 120 so I guess 2 minutes. I manually copied that short responseToken in the script and the login call went ok with cf requests impersonate chrome110. It returned a ref id. So I think that even though the hcaptcha is correctly completed, the information from their base64 contains data that points to you using selenium. Just a wild guess

[CrymanChen]

That's a huge discovery. Thanks @2nHxWW6GkN1l916N3ayz8HQoi
So I guess the major concern would be that how to disguise ourselves from hCaptcha detecting Selenium. I'll keep trying on that.

[2nHxWW6GkN1l916N3ayz8HQoi]

You should try what I did just to convince yourself and make sure you don't have doubts. Try it with a unconsumed responseToken stolen from a legit browser. That login call with the valid responseToken can also be done only once.

Edit: just to make sure the selenium captcha token wasn't consumed by accident, I added a breakpoint there as well. It still fails

[october262]

That's a huge discovery. Thanks @2nHxWW6GkN1l916N3ayz8HQoi
So I guess the major concern would be that how to disguise ourselves from hCaptcha detecting Selenium. I'll keep trying on that.

try changing the user agent on each request - https://stackoverflow.com/questions/58872451/how-can-i-bypass-the-google-captcha-with-...ium-and-python

[larley]

You can test your browser here: https://bot.sannysoft.com/

[Quint]

I just login (of course with option stay logged in by cookies) on many services with Chrome and close it. When I use Chromedriver with Selenium later I never had to log in again. Is there no permanent login at SlingTV? Just a stupid question.

[2nHxWW6GkN1l916N3ayz8HQoi]

Speaking of cookies, @cryman you should check if the tokens you need after a successful login if they can be found in the existing browser cookies. Or if you could generate them just by having the browser cookies. It might save you the headache of automating login.

[CrymanChen]

Speaking of cookies, @cryman you should check if the tokens you need after a successful login if they can be found in the existing browser cookies. Or if you could generate them just by having the browser cookies. It might save you the headache of automating login.

Got it. Thanks!