Unauthorized even though curl works

Following my comment on your PR, here’s my current problem

Running

import qbittorrentapi

# instantiate a Client using the appropriate WebUI configuration
qbt_client = qbittorrentapi.Client(host='https://qbittorrent.DOMAIN.TLD', port=443, username='USER', password='PASS')

# the Client will automatically acquire/maintain a logged in state in line with any request.
# therefore, this is not necessary; however, you may want to test the provided login credentials.
try:
    qbt_client.auth_log_in()
except qbittorrentapi.LoginFailed as e:
    print(e)

# display qBittorrent info
print(f'qBittorrent: {qbt_client.app.version}')
print(f'qBittorrent Web API: {qbt_client.app.web_api_version}')
for k,v in qbt_client.app.build_info.items(): print(f'{k}: {v}')

# retrieve and show all torrents
for torrent in qbt_client.torrents_info():
    print(f'{torrent.hash[-6:]}: {torrent.name} ({torrent.state})')

gives me a

/home/seluj78/Pytorr/.venv/lib/python3.8/site-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'qbittorrent.seluj78.fr'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
  warnings.warn(
Traceback (most recent call last):
  File "/home/seluj78/Pytorr/test_qbittorrent_api.py", line 9, in <module>
    qbt_client.auth_log_in()
  File "/home/seluj78/Pytorr/.venv/lib/python3.8/site-packages/qbittorrentapi/auth.py", line 92, in auth_log_in
    self._post(
  File "/home/seluj78/Pytorr/.venv/lib/python3.8/site-packages/qbittorrentapi/request.py", line 212, in _post
    return self._request_manager(
  File "/home/seluj78/Pytorr/.venv/lib/python3.8/site-packages/qbittorrentapi/request.py", line 258, in _request_manager
    return self._request(**kwargs)
  File "/home/seluj78/Pytorr/.venv/lib/python3.8/site-packages/qbittorrentapi/request.py", line 290, in _request
    self.handle_error_responses(params=params, response=response)
  File "/home/seluj78/Pytorr/.venv/lib/python3.8/site-packages/qbittorrentapi/request.py", line 542, in handle_error_responses
    raise Unauthorized401Error(response.text)
qbittorrentapi.exceptions.Unauthorized401Error: Unauthorized

Process finished with exit code 1

while running

curl -v -d "username=USER&password=PASS" -X POST https://qbittorrent.DOMAIN.TLD/api/v2/auth/login

returns

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 62.212.90.183:443...
* TCP_NODELAY set
* Connected to qbittorrent.DOMAIN.TLD (62.212.90.183) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=qbittorrent.DOMAIN.TLD
*  start date: Oct 27 04:40:42 2021 GMT
*  expire date: Jan 25 04:40:41 2022 GMT
*  subjectAltName: host "qbittorrent.DOMAIN.TLD" matched cert's "qbittorrent.DOMAIN.TLD"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5609d5161e10)
> POST /api/v2/auth/login HTTP/2
> Host: qbittorrent.DOMAIN.TLD
> user-agent: curl/7.68.0
> accept: */*
> content-length: 38
> content-type: application/x-www-form-urlencoded
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* We are completely uploaded and fine
< HTTP/2 200 
< content-security-policy: default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self'; frame-ancestors 'self';
< content-type: text/plain; charset=UTF-8
< date: Wed, 03 Nov 2021 15:57:29 GMT
< referrer-policy: same-origin
< set-cookie: SID=XXXX; HttpOnly; path=/; SameSite=Strict
< x-content-type-options: nosniff
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< content-length: 3
< 
* Connection #0 to host qbittorrent.DOMAIN.TLD left intact

Any clue?

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 14 (6 by maintainers)

Top GitHub Comments

1 reaction
rmartin16 commented, Dec 10, 2021

Ahhhh…this is great. Thank you @w1ldg00se.

An initial thought is that qBittorrent’s CSRF check is too naive since it is simply doing a blind comparison of ports between the target URL and origin URL. An HTTPS URL without a port implies port 443…therefore, it seems reasonable for qBittorrent’s check to incorporate this well-established standard.

OTOH, this check is frustrating in general for API use outside of the actual WebUI…after all, these Headers will always be spoofed because this client isn’t a browser. Given qBittorrent (at least now) doesn’t even perform CSRF checks if the Origin and Referer headers are absent from requests, I’m particularly inclined to stop populating them in requests from this client.

I’ll do some more testing (especially with older qBittorrent versions) and report back additional thoughts.

Thanks again.
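
The port comparison discussed in the comment above, as an added example that is not part of the original thread and is not qBittorrent's or qbittorrent-api's code. It is a simplified model of an Origin/Referer check that contrasts a blind port comparison with one that applies the scheme's default port; the function names and header values are constructed, and which side carried the explicit `:443` in the real request is an assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def authority(url):
    """Return (scheme, lowercase host, explicit port or None) for a URL."""
    parts = urlsplit(url)
    return parts.scheme, (parts.hostname or "").lower(), parts.port


def blind_match(source_url, target_url):
    """Model of the naive check: an omitted port never equals an explicit 443."""
    _, s_host, s_port = authority(source_url)
    _, t_host, t_port = authority(target_url)
    return s_host == t_host and s_port == t_port


def normalized_match(source_url, target_url):
    """Apply the scheme's default port to both sides before comparing."""
    s_scheme, s_host, s_port = authority(source_url)
    t_scheme, t_host, t_port = authority(target_url)
    s_port = DEFAULT_PORTS.get(s_scheme) if s_port is None else s_port
    t_port = DEFAULT_PORTS.get(t_scheme) if t_port is None else t_port
    return (s_scheme, s_host, s_port) == (t_scheme, t_host, t_port)


def csrf_status(headers, target_url, match):
    """Return 200 or 401; the check runs only for headers that are present."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value is not None and not match(value, target_url):
            return 401
    return 200


# Constructed sample values (not taken from the issue).
TARGET = "https://qbittorrent.example.test/api/v2/auth/login"
WITH_PORT = {"Origin": "https://qbittorrent.example.test:443",
             "Referer": "https://qbittorrent.example.test:443/"}
OTHER_SITE = {"Origin": "https://other.example.test"}
NO_HEADERS = {}  # like the curl request in the trace: no Origin, no Referer

if __name__ == "__main__":
    for label, hdrs in [("explicit :443", WITH_PORT), ("other site", OTHER_SITE),
                        ("no headers", NO_HEADERS)]:
        print(label, csrf_status(hdrs, TARGET, blind_match),
              csrf_status(hdrs, TARGET, normalized_match))
```

The `NO_HEADERS` case mirrors why the curl call succeeds: with neither header present, the model has nothing to compare and lets the request through.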

0 reactions
Seluj78 commented, Dec 12, 2021

You’re welcome, thanks for the fix! 🎉
