Nico new (forced) 2-factor login #118

Closed
fireattack opened this issue Feb 19, 2022 · 6 comments · Fixed by #119

fireattack commented Feb 19, 2022

When I tried to log in today, Niconico asked me to input the verification code sent to my email (it did send), which obviously nndownload didn't handle well.

This is probably something new, as I've never seen it before.

Logging in...
Failed to login.
Traceback (most recent call last):
  File "G:\_temp\nndownload\nndownload\nndownload.py", line 1757, in main
    session = login(account_username, account_password, session_cookie)
  File "G:\_temp\nndownload\nndownload\nndownload.py", line 1647, in login
    raise AuthenticationException("Failed to login. Please verify your account email/telephone and password")
nndownload.nndownload.AuthenticationException: Failed to login. Please verify your account email/telephone and password
@fireattack
Contributor Author

The webpage looks like this:

image

@AlexAplin
Owner

AlexAplin commented Feb 20, 2022

Flow:

  • POST to https://account.nicovideo.jp/login/redirector?show_button_twitter=1&site=niconico&show_button_facebook=1&sec=header_pc&next_url=%2F with usual cookies and form data
  • Follow Location and GET https://account.nicovideo.jp/mfa?continue=https://account.nicovideo.jp/login/mfa/callback?site%3Dniconico%26sec%3Dheader_pc...
  • POST the 2FA code to https://account.nicovideo.jp/mfa?site=niconico&continue=https%3A%2F%2Faccount.nicovideo.jp%2Flogin%2Fmfa%2Fcallback%3Fsite%3Dniconico%26sec%3Dheader_pc%26... as form data (otp, is_mfa_trusted_dace boolean to mark as trusted device)
  • On 302 response, follow Location and GET https://account.nicovideo.jp/login/mfa/callback?site=niconico&sec=header_pc...
    • If 200 response, the code was invalid
  • Callback sets session cookies

Trusting the device seems to do nothing for me, I'm prompted for a code each time. Maybe related to browser privacy fingerprinting.

@AlexAplin
Owner

AlexAplin commented Feb 20, 2022

Basic scaffolding for this is done. Further detail:

  • Even specifying a device name in our request, nndownload will show up as ブラウザ for the device name in the Nico account panel login history
  • This is considered distinct from the normal 2FA process. I have 2段階認証の設定 disabled in my account but I'm getting prompted for this each login. Definitely seems like a check against suspicious requests, compromised accounts, etc.
  • Session cookies (--session-cookie) should work as they always have, nothing has changed in how the session actually works
  • OTP fails after 10 incorrect codes and requires restarting the auth flow
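
The flow from the two comments above, written out as a client-side state machine and run against a constructed fake site. This is an added example, not nndownload's code or anything posted in the thread. `send`, `login_with_mfa`, `make_fake_site` and the outcome strings are hypothetical names, the URLs are shortened, a 200 reply to the OTP POST is read as a rejected code, and the host check before each redirect is an added safeguard.

```python
from urllib.parse import urlsplit

ACCOUNT_HOST = "account.nicovideo.jp"
# URLs shortened from the ones quoted in the thread (query strings trimmed).
LOGIN_URL = f"https://{ACCOUNT_HOST}/login/redirector?site=niconico&sec=header_pc"
MFA_URL = f"https://{ACCOUNT_HOST}/mfa?site=niconico"
CALLBACK_URL = f"https://{ACCOUNT_HOST}/login/mfa/callback?site=niconico&sec=header_pc"
MAX_OTP_ATTEMPTS = 10  # the thread reports the flow must restart after 10 bad codes


def on_account_host(url):
    """Only ever send credentials or codes to the HTTPS account host."""
    parts = urlsplit(url or "")
    return parts.scheme == "https" and parts.hostname == ACCOUNT_HOST


def login_with_mfa(send, credentials, ask_code):
    """send(method, url, data) -> (status, location); ask_code() -> str."""
    status, location = send("POST", LOGIN_URL, credentials)
    if status != 302 or not on_account_host(location):
        return "login_failed"
    if urlsplit(location).path != "/mfa":
        return "logged_in"  # no e-mail code challenge on this login
    send("GET", location, None)  # load the code entry page
    for _ in range(MAX_OTP_ATTEMPTS):
        status, callback = send("POST", location, {"otp": ask_code()})
        if status != 302:
            continue  # assumption: 200 means the code was rejected; ask again
        if not on_account_host(callback):
            return "untrusted_redirect"
        send("GET", callback, None)  # callback sets the session cookies
        return "logged_in"
    return "restart_required"


def make_fake_site(valid_otp, callback_url=CALLBACK_URL):
    """Constructed stand-in for the site; no network traffic is made."""
    state = {"session": False, "otp_posts": 0}
    def send(method, url, data):
        path = urlsplit(url).path
        if method == "POST" and path == "/login/redirector":
            return 302, MFA_URL
        if method == "POST" and path == "/mfa":
            state["otp_posts"] += 1
            return (302, callback_url) if data["otp"] == valid_otp else (200, None)
        if method == "GET" and path == "/login/mfa/callback":
            state["session"] = True
        return 200, None
    return send, state
```

In a real client, `send` would wrap a cookie-carrying HTTP session with automatic redirects disabled, so each `Location` can be checked before it is followed.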

AlexAplin added a commit that referenced this issue Feb 20, 2022
@AlexAplin
Owner

@fireattack Can you try with the branch and tell me how it works for you?

@fireattack
Contributor Author

fireattack commented Feb 20, 2022

Looks good to me!

Given the circumstances, should we start considering saving the session or session cookie (even by default, but at least having an option) so we can re-use it without re-entering the code every time?

@AlexAplin
Owner

Great! That also seems like a good idea -- probably a dedicated file similar to how we do --netrc but likely user-specified. I'll consider how to approach that.
