HTTP login requests blocked by Cloudflare, rendering client unusable for most servers #827

Closed
2 of 5 tasks
delphinusryetropical opened this issue Jul 23, 2024 · 2 comments
Labels
Priority: Critical Represents a risk to live servers Priority: High Represent a high impact in key areas of the base/user experience Status: Pending Test This PR or Issue requires more testing Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors.

Comments

@delphinusryetropical

Priority

High

Area

  • Data
  • Source
  • Docker
  • Other

What happened?

Description

The current HTTP login request is being blocked by Cloudflare with a 403 Forbidden response. This issue is critical as it prevents the client from connecting to almost any game server, effectively rendering it unusable.

Current Behavior

The current HTTP login request and response look like this:

REQUEST:

POST
/login.php
{
 "email": "1",
 "password": "1",
 "type": "login"
}
Accept  */*
Connection      close
Content-Length  53
Content-Type    application/json
Host    login.giveria.com
User-Agent      cpp-httplib/0.15.3

RESPONSE:

HTTP/1.1
403
Forbidden
[Response body omitted for brevity]

Expected Behavior

The HTTP login request should look like this:

POST http://login.giveria.com/login.php HTTP/1.1
Host: login.giveria.com
Content-Type: application/json
Content-Disposition: form-data; name="metadata"
Content-Length: 63
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,en,*
User-Agent: Mozilla/5.0

{"email":"1","password":"1","stayloggedin":true,"type":"login"}

Steps to Reproduce

  1. Attempt to log in using the HTTP login method
  2. Observe the request and response in the logs

Possible Solution

Update the loginHttpJson function to include the correct headers and JSON body format.

However, this alone may not be sufficient. We need to investigate how to properly handle Cloudflare protection in our HTTP requests. This may involve:

  1. Implementing browser-like behavior to pass Cloudflare's checks
  2. Using a headless browser or similar technology to make requests
  3. Finding a way to handle Cloudflare's JavaScript challenges

Additional Context

This is a high-priority issue because:

  1. Cloudflare is now widely used by most game servers for protection.
  2. Due to this Cloudflare protection, the client is unable to connect to almost any server.
  3. This effectively renders the client unusable for most, if not all, game servers.

The 403 Forbidden response is likely due to:

  1. The format of our request not matching what Cloudflare expects from a legitimate client
  2. Lack of necessary headers or cookies that Cloudflare uses to validate requests
  3. Possibly triggering bot detection mechanisms in Cloudflare

To resolve this issue, we need to:

  1. Exactly match the expected request format of a legitimate client
  2. Investigate how to properly handle Cloudflare protection in our HTTP requests
  3. Potentially implement browser-like behavior to pass Cloudflare's checks
  4. Consider using a headless browser or similar technology to make requests if simple HTTP libraries are consistently blocked

This is a high-priority issue as it affects the core functionality of the client, preventing users from connecting to most game servers. Resolving this will require significant changes to how we handle HTTP requests and may involve replicating more browser-like behavior in our client.

What OS are you seeing the problem on?

Windows

Code of Conduct

  • I agree to follow this project's Code of Conduct
@delphinusryetropical delphinusryetropical added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Jul 23, 2024
@github-actions github-actions bot added Priority: Critical Represents a risk to live servers Priority: High Represent a high impact in key areas of the base/user experience Status: Pending Test This PR or Issue requires more testing labels Jul 23, 2024
@mehah mehah closed this as completed Aug 16, 2024
@mehah
Owner

mehah commented Aug 16, 2024

4219a55

@delphinusryetropical
Author

4219a55

The solution of adding the "Mozilla/5.0" User-Agent header has indeed resolved the immediate issue for some servers.
This simple fix can be effective in many cases where servers perform basic User-Agent validation.
However, it's worth noting that there are more complex scenarios where additional headers or specific request formatting may be required.
For instance, consider the following example:

REQUEST

POST https://www.gunzodus.net/game/login/1330?nservice.php HTTP/1.1
Host: www.gunzodus.net
Content-Type: application/json
Content-Disposition: form-data; name="metadata"
Content-Length: 89
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,en,*
User-Agent: Mozilla/5.0
{"email":"testtest1@test.test","password":"testtest1","stayloggedin":true,"type":"login"}

RESPONSE

{"session":{"sessionkey":"60c1e638dd08f78f20b7154131b0827d26dd5bfa","lastlogintime":0,"ispremium":true,"premiumuntil":4294967295,"status":"active","returnernotification":false,"showrewardnews":false,"isreturner":false,"fpstracking":false,"optiontracking":false,"tournamentticketpurchasestate":0,"tournamentcyclephase":0},"playdata":{"worlds":[{"id":0,"name":"Gunzodus","externaladdressprotected":"login.gunzodus.net","externalportprotected":7172,"previewstate":0,"location":"EUR","externaladdressunprotected":"unprotected.gunzodus.net","externalportunprotected":7175,"anticheatprotection":false,"pvptype":0,"istournamentworld":false,"restrictedstore":false}],"characters":[{"worldid":0,"name":"Test Test","ismale":false,"tutorial":false,"level":20,"vocation":"Sorcerer","outfitid":128,"headcolor":44,"torsocolor":128,"legscolor":44,"detailcolor":44,"addonflags":0,"ishidden":false,"ismaincharacter":true,"istournamentparticipant":false,"dailyrewardstate":0}]},"worlds":[{"id":0,"name":"Gunzodus","externaladdressprotected":"login.gunzodus.net","externalportprotected":7172,"previewstate":0,"location":"EUR","externaladdressunprotected":"unprotected.gunzodus.net","externalportunprotected":7175,"anticheatprotection":false,"pvptype":0,"istournamentworld":false,"restrictedstore":false}]}

In this case, the server expects a specific set of headers and a particular request format.
When sent correctly, it returns a detailed JSON response with session and character information.
However, when the same request is sent through OTClient, even with the User-Agent header, it may still result in an error:

POST /game/login/1330?nservice.php
{"email":"testtest1@test.test","password":"testtest1","stayloggedin":true,"type":"login"}
Accept: */*
Connection: close
Content-Length: 89
Content-Type: application/json
Host: www.gunzodus.net
User-Agent: Mozilla/5.0

Response:
HTTP/1.1 200 OK
{"errorCode":3,"errorMessage":"Account login or password is not correct."}
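
A header-level comparison of the two www.gunzodus.net requests quoted in the comment above, as an added example that is not part of the original thread or of the OTClient code base. `parse_headers` and `diff_headers` are hypothetical helper names, and the request bodies are left out because they are identical on the page.

```python
import re

# Matches "Name: value" header lines; request lines and JSON bodies do not match.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")

# Request that the comment reports as accepted (headers copied from the page).
WORKING = """\
POST https://www.gunzodus.net/game/login/1330?nservice.php HTTP/1.1
Host: www.gunzodus.net
Content-Type: application/json
Content-Disposition: form-data; name="metadata"
Content-Length: 89
Connection: Keep-Alive
Accept-Encoding: gzip, deflate
Accept-Language: pl-PL,en,*
User-Agent: Mozilla/5.0
"""

# Request as logged from OTClient (headers copied from the page).
FAILING = """\
POST /game/login/1330?nservice.php
Accept: */*
Connection: close
Content-Length: 89
Content-Type: application/json
Host: www.gunzodus.net
User-Agent: Mozilla/5.0
"""

def parse_headers(dump):
    """Return {lower-cased header name: value} for every header line in a dump."""
    headers = {}
    for line in dump.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return headers

def diff_headers(working, failing):
    """Report headers missing from, extra in, or changed in the failing request."""
    w, f = parse_headers(working), parse_headers(failing)
    return {
        "missing": sorted(w.keys() - f.keys()),
        "extra": sorted(f.keys() - w.keys()),
        "changed": {k: (w[k], f[k]) for k in sorted(w.keys() & f.keys()) if w[k] != f[k]},
    }

if __name__ == "__main__":
    for kind, value in diff_headers(WORKING, FAILING).items():
        print(kind, value)
```

The two requests share the same User-Agent, Host, Content-Type and Content-Length but still differ in several other header fields; the thread does not establish which of those differences the server acts on.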
