How is challenge/response supposed to work?

Hi! I’m trying to wrap my head around the challenge but can’t seem to figure it out.

When trying to log in, I’m getting

StatusCodeError: 400 - {"message":"checkpoint_required","checkpoint_url":"/challenge/ABCABC/123123/","lock":false,"status":"fail"}

which means that a challenge needs a response.

I’ve tried browsing to instagram.com/challenge/ABCABC/123123 (in my normal web browser) and completing the challenge, but on the next attempt to log in programmatically, I’m getting a new challenge, and so it continues.

I’ve also tried

  1. logging in (and getting the challenge error)
  2. requesting getChallenge, which responds with
{ challengeType: 'SelectVerificationMethodForm',
  errors: [],
  experiments: {},
  extraData:
   { __typename: 'GraphChallengePage',
     content: [ [Object], [Object], [Object], [Object] ] },
  fields:
   { choice: '1',
     fb_access_token: 'None',
     big_blue_token: 'None',
     google_oauth_token: 'None',
     email: '*********@gmail.com',
     phone_number: '+** ** *** ** **' },
  navigation:
   { forward: '/challenge/ABCABC/123123/',
     replay: '/challenge/replay/ABCABC/123123/',
     dismiss: 'https://www.instagram.com/' },
  privacyPolicyUrl: '/about/legal/privacy/',
  type: 'CHALLENGE' }
  3. Updating the challenge
client.updateChallenge({ challengeUrl: "/challenge/ABCABC/123123/", choice: 1 })

But that updateChallenge is returning HTML content(!), which says

This page could not be loaded. If you have cookies disabled in your browser, or you are browsing in Private Mode, please try enabling cookies or turning off Private Mode, and then retrying your action

So how is the challenge-response flow supposed to work?

Issue Analytics

  • State: open
  • Created 5 years ago
  • Comments: 6 (1 by maintainers)

Top GitHub Comments

3 reactions
mkgerasimenko commented, Jun 2, 2019

@gutosanches, I may have solved that problem with:

await client.updateChallenge({challengeUrl, choice: 1});
await client.updateChallenge({ challengeUrl, securityCode: 'VERIFICATION_CODE_FROM_EMAIL'});

In my case I need to update the challenge with the security code from the Instagram email.

Full code (TS):

public async login(): Promise<Instagram> {
    const client = new Instagram({username: this.username, password: this.password});
    try {
        await client.login();
    } catch (err) {
        if (err.error && err.error.message === 'checkpoint_required') {
            const challengeUrl = err.error.checkpoint_url;

            // First call selects the verification method, second call submits the code.
            await client.updateChallenge({challengeUrl, choice: 1});
            await client.updateChallenge({ challengeUrl, securityCode: '301794'}); // <== securityCode - set code from email.
        } else {
            // Not a checkpoint: rethrow so other login failures are not silently swallowed.
            throw err;
        }
    }
    return client;
}

Notes:

  1. I use Gmail email for Instagram.
  2. I use imap-simple for getting the Security code from Instagram Email.

1 reaction
samholmes commented, Mar 11, 2019

I spent a lot of time with these challenges in order to figure out the appropriate way to use the API. First, you’ll need to save the challengeUrl returned from the login form. I then use getChallenge to get the challenge JSON object. From there you can read the challengeType which will determine what to do. Here are the challengeTypes that I found:

  1. SelectVerificationMethodForm: This is the form you see asking you whether to send the verification via email or mobile text. Use updateChallenge to set the choice, and after invocation, the verification email/text will be sent.
  2. VerifyEmailCodeForm: This is the form you see when asking for the verification code from email. This doesn’t require a choice when calling updateChallenge (in fact, I believe it will give an error). Instead, send the securityCode with the updateChallenge invocation. If no security code was sent, you can use replayChallenge to have the security code sent again.

There may be other challengeTypes worth documenting, but these are enough to get a working challenge passing algorithm started. I would log any other challenge types that aren’t handled by your app, and share them with some context so we can all figure out what they mean and document them.

Cheers!
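
The dispatch on challengeType described in the comment above, as an added example that is not part of the original thread or the library's own code. `resolveChallenge`, `makeFakeClient`, `makeCodeSource` and `getSecurityCode` are hypothetical names, the argument shape of getChallenge and replayChallenge is assumed to match updateChallenge, and the stand-in client and sample code are constructed so the flow runs offline.

```javascript
// Added example. `client` is any object exposing getChallenge, updateChallenge and
// replayChallenge; argument shapes other than updateChallenge's are assumptions.
async function resolveChallenge(client, challengeUrl, getSecurityCode, maxSteps = 5) {
  const seen = [];
  for (let step = 0; step < maxSteps; step++) {
    const { challengeType } = await client.getChallenge({ challengeUrl });
    seen.push(challengeType);
    switch (challengeType) {
      case 'SelectVerificationMethodForm':
        // Picking a method triggers delivery of the verification email/text.
        await client.updateChallenge({ challengeUrl, choice: 1 });
        break;
      case 'VerifyEmailCodeForm': {
        const securityCode = await getSecurityCode();
        if (!securityCode) {
          // No code arrived: ask for it to be sent again, then re-check.
          await client.replayChallenge({ challengeUrl });
          break;
        }
        // This form takes only the code, without a `choice`.
        await client.updateChallenge({ challengeUrl, securityCode });
        return { submitted: true, seen };
      }
      default:
        // Unknown form: record it rather than guessing a response.
        console.warn('unhandled challengeType:', challengeType);
        return { submitted: false, seen, unhandled: challengeType };
    }
  }
  return { submitted: false, seen, unhandled: 'step limit reached' };
}

// Constructed stand-in for the real client (hypothetical, for offline runs).
function makeFakeClient(initialType) {
  const calls = [];
  let type = initialType;
  return {
    calls,
    async getChallenge() { return { type: 'CHALLENGE', challengeType: type }; },
    async updateChallenge(args) {
      calls.push('securityCode' in args ? 'update:code' : 'update:choice');
      if ('choice' in args) type = 'VerifyEmailCodeForm';
    },
    async replayChallenge() { calls.push('replay'); },
  };
}

// Constructed mailbox poller: yields each entry of `codes` in turn (null = no mail yet).
const makeCodeSource = (codes) => { let i = 0; return async () => codes[i++]; };
```

With `makeFakeClient('SelectVerificationMethodForm')` and `makeCodeSource([null, '000000'])`, the call sequence is choice, replay, then code; the step limit keeps a mailbox that never delivers from looping forever.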
