Unable to log in with login-cookie

[noccy80]

After 1½ years I got a message from the bridge: Logged out from Google account

Now any attempt to log in is met with: Those cookies don't seem to be valid

Have Google changed something with their API? GChat works via the website, so this is not an account issue, and I've tried assembling the login cookie from scratch 3 times.

[tulir]

After 1½ years

The latest version of the bridge has only been out for a month 🤔

Getting logged out periodically is expected on google workspace accounts because they do that on the website too. Relogin is supposed to work right away, but there could be some state issues that require restarting before it works

[noccy80]

That's 1½ year in total, I've been pulling updates along the way :)

It has stayed connected tho, with a "silent" logout a month ago after which login-cookie worked to get back online, and then this logout. But now it seems the cookie is not accepted for some reason. It takes a few seconds, and then I get the invalid cookie message back.

Also, to clarify - I did not have to login to Google again, chat.google.com loads right away, but the json cookie assembled from the cookies from the working site is no longer being accepted.

[haatveit]

I've been experiencing the same behavior since the weekend (which is when I
finally realized that the googlechat bridge had been silently logged out for
some weeks after the API change).

Logged in on Saturday 8th at 17:22 UTC, got kicked out Tuesday at 18:50, after
which point I would get Those cookies don't seem to be valid when trying to
feed my cookies back in.

Yesterday I deleted all my Google cookies, and was able to connect the bridge
again with the new cookies I got from logging back in.

Connected the googlechat bridge at 17:02, got kicked out again at 17:16. Didn't
get logged out from chat.google.com in the browser, mind.

[2023-07-12 17:16:50,506] [ERROR@mau.user.@haatveit:domain.tld] Exception in connection
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/mautrix_googlechat/user.py", line 310, in _start
    await self.client.connect(max_age=1.5 * 60 * 60)
  File "/opt/mautrix-googlechat/maugclib/client.py", line 156, in connect
    await self._listen_future
  File "/opt/mautrix-googlechat/maugclib/channel.py", line 232, in listen
    await self._longpoll_request()
  File "/opt/mautrix-googlechat/maugclib/channel.py", line 412, in _longpoll_request
    raise exceptions.UnexpectedStatusError(
maugclib.exceptions.UnexpectedStatusError: Long poll request failed with HTTP 401 Unauthorized
[2023-07-12 17:16:50,509] [DEBUG@mau.user.@haatveit:domain.tld] Response error body: <!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 401 (Unauthorized)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>401.</b> <ins>That’s an error.</ins>
  <p>Your client does not have permission to the requested URL <code>/u/0/webchannel/events</code>.  <ins>That’s all we know.</ins>

[2023-07-12 17:16:50,510] [INFO@mau.user.@haatveit:domain.tld] Connection error has 401 status or invalid_grant error code, logging out

Thought maybe my server's IP had gotten on a blacklist or something since I saw
no issue posted about this at the time, so I decided to try moving the bridge
over to another VM in a different datacenter (and thus a completely different
network).

Logged in at 18:59 (after clearing my Google cookies again and getting new
ones), then was kicked out from the bridge on this second server too at 19:25.

[2023-07-12 19:25:19,284] [ERROR@mau.user.@haatveit:domain.tld] Exception in connection
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/mautrix_googlechat/user.py", line 310, in _start
    await self.client.connect(max_age=1.5 * 60 * 60)
  File "/opt/mautrix-googlechat/maugclib/client.py", line 156, in connect
    await self._listen_future
  File "/opt/mautrix-googlechat/maugclib/channel.py", line 232, in listen
    await self._longpoll_request()
  File "/opt/mautrix-googlechat/maugclib/channel.py", line 412, in _longpoll_request
    raise exceptions.UnexpectedStatusError(
maugclib.exceptions.UnexpectedStatusError: Long poll request failed with HTTP 401 Unauthorized
[2023-07-12 19:25:19,285] [DEBUG@mau.user.@haatveit:domain.tld] Response error body: <!DOCTYPE html>
<html lang=en>
  <meta charset=utf-8>
  <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
  <title>Error 401 (Unauthorized)!!1</title>
  <style>
    *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
  </style>
  <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
  <p><b>401.</b> <ins>That’s an error.</ins>
  <p>Your client does not have permission to the requested URL <code>/u/0/webchannel/events</code>.  <ins>That’s all we know.</ins>

[2023-07-12 19:25:19,285] [INFO@mau.user.@haatveit:domain.tld] Connection error has 401 status or invalid_grant error code, logging out

[tulir]

If you keep the browser window used for login open, it will definitely break, that's why the instructions say to use a private window. Old cookies also obviously won't work, if they did the bridge wouldn't have got logged out

[noccy80]

If you keep the browser window used for login open, it will definitely break

I don't recall doing this in the past, but tried now and that cookie was accepted. Hopefully it stays connected :)

The instructions in the bridge (!help) does not mention this btw, only what cookies to combine.

[haatveit]

If you keep the browser window used for login open, it will definitely break, that's why the instructions say to use a private window.

Alright, that explains it then - thank you. I wanted to check that all events were coming through, which only served to make matters worse.

As @noccy80 writes, there was no mention of this in the help text from the bot - someone can probably PR a fix for that. In both docs and the bot help text I would suggest elaborating on why the private browser window is needed though (perhaps as a footnote in the authentication instructions and just link to it from the bot help text?).

[haatveit]

So I logged in to chat.google.com again on Friday, in a private browser window in Firefox as per the instructions this time [1]. Copied out the details for the bridge login cookie and closed the window in advance, to not have it sit around and break the session this time.

Connected the bridge at 14:20 UTC, got kicked out again at 18:32 with the exact same error as pasted twice in my earlier comment.

To make really sure I didn't inadvertently mess up something, I decided to take the isolation a couple steps further before commenting here again. I went on my laptop (which sleeps on weekends) and opened Chrome (which I don't use), and then logged into chat.google.com in a private window there. Copied cookie details out, quit Chrome, and put the laptop back to sleep.

Connected the bridge again at 18:54, and it stayed logged in (except for a couple of reconnections) until Sunday at 9:49 at which point I got kicked out again. Of both the bridge and all my browser sessions.

Trying to log in to mail again on my PC, I was presented with this:

You’ve been signed out for your protection

username@gmail.com

We detected suspicious activity, which shows that there may be malware on this device. Malware can be used to gain access to your personal account information, like your password.

Steps to remove the malware

1. Scan this device for malware with the antivirus software of your choice
2. Follow recommendations to remove any malware
3. Sign back in on this device only after running an antivirus scan.

Why am I seeing this?

Was forced to change my password, which was pretty annoying, and then relogin for browser based sessions with 2FA.

Now, I can't 100% prove that this was the bridge getting flagged as "suspicious" because the details Google provide are absolutely useless:

but I would be very surprised if it was anything else, given that I haven't been up to anything else "exciting" with my Google account, and my only Windows PC hasn't had any new programs installed for half a year or so.

[1] Well, almost. The Cookies view in Storage apparently defaulted to mail.google.com when opening it on chat.google.com, and without properly paying attention I copied the alphabetical first gmail_chat COMPASS value at first - which the bridge rejected with message "Those cookies don't seem to be valid" at 14:17 UTC. Logged out in the browser and started over again.

[barto95100]

Just for info I test and it's ok for me now with this exactly commanded:
login-cookie {"compass": "xxxxxx", "ssid": "xxxxxx", "sid": "xxxxx", "osid": "xxxxx", "hsid": "xxxxx"}

and with incognito browser connection is OK and work :)

[a22sc]

because I get logged out more frequently, I wrote a small bash script which consumes the text copied from the browser into a file gochat-cookie.lst

#!/bin/sh
echo 'login-cookie {'
cat gochat-cookie.lst | sed $'s/\\t/ /g' | grep "^COMPASS " | sed -e 's/^COMPASS \([^ ]*\) .*$/  "compass": "\1",/g'
cat gochat-cookie.lst | sed $'s/\\t/ /g' | grep "^SSID" | sed -e 's/^SSID \([^ ]*\) .*$/  "ssid": "\1",/g'
cat gochat-cookie.lst | sed $'s/\\t/ /g' | grep "^SID " | sed -e 's/^SID \([^ ]*\) .*$/  "sid": "\1",/g'
cat gochat-cookie.lst | sed $'s/\\t/ /g' | grep "^OSID " | sed -e 's/^OSID \([^ ]*\) .*$/  "osid": "\1",/g'
cat gochat-cookie.lst | sed $'s/\\t/ /g' | grep "^HSID " | sed -e 's/^HSID \([^ ]*\) .*$/  "hsid": "\1"/g'
echo '}'

[binfalse]

@a22sc I developed a tiny web extension to generate that login-cookie command without any dev-tools foo:

It's available for

• Firefox: https://addons.mozilla.org/en-US/firefox/addon/gchat-login-cookie-generator/ and
• Chromium based browsers: https://chrome.google.com/webstore/detail/matrix-gchat-bridge-login/mofmfbkepponmdchhamalbcldoajbmho

Sources are can be found on GitHub: https://github.com/binfalse/matrix-gchat-bridge-login-cookie-generator

[mijofa]

Mine just got logged out after a power outage, tried using @binfalse's browser extension here and I'm still getting "Those cookies don't seem to be valid".
Not seeing any useful messages in logs either.

UPDATE: Got it working, but had to use a fresh Chrome/Chromium profile, using Incognito mode did not help.

[kraem]

fwiw it didn't work to extract the cookies from firefox for me. i was successful using chromium instead.

i guess what's failing when extracting the cookies from firefox is that the compass value has the key gmail_chat instead of dynamite-ui (and is signicantly longer).

[evoL]

I hit that today as well. What finally helped was to follow the instruction exactly as written on a Guest profile in Chrome — I've previously used EditThisCookie in incognito mode to extract the cookies.

Make sure you extract the cookies from the chat.google.com domain. The cookies from the mail.google.com domain won't work.

[coandco]

Just wanted to chime in that it took a Guest profile in Chrome for me as well. I used the following Python script (on Windows) to efficiently extract the cookies from a chat.google.com "Copy as curl (bash)":

import win32clipboard
import uncurl
import json

win32clipboard.OpenClipboard()
raw_curl = win32clipboard.GetClipboardData()
win32clipboard.CloseClipboard()
raw_curl = raw_curl.replace("\\\r\n", "")
raw_cookies = uncurl.parse_context(raw_curl).cookies
valid_cookies = {"COMPASS", "SSID", "SID", "OSID", "HSID"}
print("login-cookie " + json.dumps({k: v for k, v in raw_cookies.items() if k in valid_cookies}))