Cloudflare Challenge On https://www.patreon.com/api/oauth2/token

Hey Patreon Developer Community legends! Mike here from Bonjoro

When hitting https://www.patreon.com/api/oauth2/token using thephpleague/oauth2-client (GitHub: "Easy integration with OAuth 2.0 service providers"), we are receiving the following challenge from Cloudflare, where previously everything was working as expected:

<head>
<title>Attention Required! | Cloudflare</title>
<meta name="captcha-bypass" id="captcha-bypass" />
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
<style type="text/css">body{margin:0;padding:0}</style>


<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script><!--<![endif]-->




</head>
<body>
  <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
      <div class="cf-wrapper cf-header cf-error-overview">
        <h1 data-translate="challenge_headline">One more step</h1>
        <h2 class="cf-subheadline"><span data-translate="complete_sec_check">Please complete the security check to access</span> www.patreon.com</h2>
      </div><!-- /.header -->
      
      <div class="cf-section cf-highlight cf-captcha-container">
        <div class="cf-wrapper">
          <div class="cf-columns two">
            <div class="cf-column">
            
              <div class="cf-highlight-inverse cf-form-stacked">
                <form class="challenge-form" id="challenge-form" action="/cdn-cgi/l/chk_captcha" method="get">
  <input type="hidden" name="s" value="b72ff855e31e23be20e23d1091a2d9912e33367b-1567481824-1800-AYY8tgm1jcArw2CBhkivQdtphpVg7pCV84hvflTyy9z4lmq0nOV6CsZnCTF+ZkDW …
  <script type="text/javascript" src="/cdn-cgi/scripts/cf.challenge.js" data-type="normal"  data-ray="5104aed85ef3da4e" async data-sitekey="6LfBixYUAAAAABhdHynF …
  <div class="g-recaptcha"></div>
  <noscript id="cf-captcha-bookmark" class="cf-captcha-info">
    <div><div style="width: 302px">
      <div>
        <iframe src="https://www.google.com/recaptcha/api/fallback?k=6LfBixYUAAAAABhdHynFUIMA_sa4s-XsJvnjtgB0" frameborder="0" scrolling="no" style="width: 302p …
      </div>
      <div style="width: 300px; border-style: none; bottom: 12px; left: 25px; margin: 0px; padding: 0px; right: 25px; background: #f9f9f9; border: 1px solid #c1 …
        <textarea id="g-recaptcha-response" name="g-recaptcha-response" class="g-recaptcha-response" style="width: 250px; height: 40px; border: 1px solid #c1c1c …
        <input type="submit" value="Submit"></input>
      </div>
    </div></div>
  </noscript>
</form>

                
              </div>
            </div>

            <div class="cf-column">
              <div class="cf-screenshot-container">
              
                <span class="cf-no-screenshot"></span>
              
              </div>
            </div>
          </div><!-- /.columns -->
        </div>
      </div><!-- /.captcha-container -->

      <div class="cf-section cf-wrapper">
        <div class="cf-columns two">
          <div class="cf-column">
            <h2 data-translate="why_captcha_headline">Why do I have to complete a CAPTCHA?</h2>
            
            <p data-translate="why_captcha_detail">Completing the CAPTCHA proves you are a human and gives you temporary access to the web property.</p>
          </div>

          <div class="cf-column">
            <h2 data-translate="resolve_captcha_headline">What can I do to prevent this in the future?</h2>
            

            <p data-translate="resolve_captcha_antivirus">If you are on a personal connection, like at home, you can run an anti-virus scan on your device to ma …

            <p data-translate="resolve_captcha_network">If you are at an office or shared network, you can ask the network administrator to run a scan across th …
            
          </div>
        </div>
      </div><!-- /.section -->
      

      <div class="cf-error-footer cf-wrapper">
  <p>
    <span class="cf-footer-item">Cloudflare Ray ID: <strong>5104aed85ef3da4e</strong></span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span>Your IP</span>: 1.42.109.12</span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span>Performance &amp; security by</span> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="b …
    
  </p>
</div><!-- /.error-footer -->


    </div><!-- /#cf-error-details -->
  </div><!-- /#cf-wrapper -->

  <script type="text/javascript">
  window._cf_translation = {};
  
  
</script>


  
</body>
</html>

This is a dump of the request being dispatched from our Patreon integration:

However, when hitting it directly using a request tool like Paw, I get the correct response:

{"access_token": "6SFrMJwJNQLzxPPFIuqwnchz49wYntXXX", "expires_in": 2678400, "token_type": "Bearer", "scope": "identity identity[email] campaigns campaigns.members campaigns.members[email] w:campaigns.webhook", "refresh_token": "5Rd2FIqWdixqoC4vwsOzXB5JIv_DKViTM-M619UXXXX", "version": "0.0.1"}

Sounds similar to this issue:

Is there anything that's changed recently, or any new requirements for making requests to this endpoint? The issue has our Patreon automation on Bonjoro being blocked completely, so any help or insight would be amazing.

Hi Mike,
What’s the user agent Bonjoro is using?
Thanks!
Jackie

I was having this very same issue which for me, just started recently.

The fix for me was to add a “User-Agent” header to all my requests to the API. I had used the API since December 2019 without needing a user agent header so I’m not sure if something changed or if my client hit some kind of threshold.

More info at "Cloudflare IM NOT A ROBOT blocking API?!?" for anyone in the same situation.

Cheers! :)

I can report that using a User Agent does not resolve my issue since I am sending one all the time, and the service stopped working all of a sudden. Even with copying the user agent of my current browser into that field does not resolve the issue.

Can we get some official statement here?

Same thing here! Suddenly out of nowhere my app stopped working.

Whenever my application calls the authorization endpoint to obtain the OAuth code, the code is retrieved properly, but as soon as I try to exchange that code for an authorization token via https://www.patreon.com/api/oauth2/token, I get a 403 unauthorized error and a human-readable website (even though I'm doing these calls from a backend service in ASP.NET Core). This website contains a captcha "I'm not a robot" verification. I'm assuming that, since I was running some tests and called for the authorization token several times, it detected it as an unusual connection and it's asking for human verification. The issue is, this happened to me over 24 hours ago and I'm still stuck here. I tried the suggested modification of the user-agent but that didn't work. I also tried eliminating the client and creating it from scratch, but that didn't work either.

Is there a way to bypass this? Also, is there any testing endpoint where I can make requests for development that won't block me out after multiple attempts?

cheers

Hello All! I’m Jackie, Security Lead here at Patreon. Yesterday, we moved to challenge (serve Captcha) to requests that do not include a user agent. This is because historically, there have been a large number of badware or malware that omits user agents. Adding a proper user agent will circumvent this. We also serve captcha to suspected bad automated traffic. If you believe your legitimate app is being served captcha, we can work with you - feel free to privately message me here, and I’ll get back to you as soon as I can.

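The two replies above (the "add a User-Agent header" fix and Jackie's explanation that requests without a user agent are now challenged) describe the change in words only. The following is an added example, not code from the thread, from Bonjoro, or from Patreon, written in Python rather than the PHP library Mike uses. It shows a token-exchange request that always carries a User-Agent, and a response classifier that tells a real token response apart from the Cloudflare challenge page so the integration fails loudly instead of trying to parse HTML as JSON. The user-agent string, the function names, and the two sample responses are assumptions or constructed from the shapes shown earlier in the thread; the endpoint URL and the JSON field names are the ones the thread shows.

```python
"""Added example (not code from the thread, Bonjoro or Patreon): build a
Patreon authorization_code token request that always carries a User-Agent, and
classify the response so a Cloudflare challenge page is reported as such rather
than surfacing as a confusing JSON decode error.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://www.patreon.com/api/oauth2/token"

# Assumed value: name the integration and give a contact, which is what a
# "proper" user agent means in practice. Patreon mandates no specific format.
USER_AGENT = "Bonjoro-Patreon-Integration/1.0 (+https://example.com/contact)"

# Constructed samples: the shapes come from the thread, the values are made up
# or redacted. Used only for the demonstration at the bottom and for tests.
SAMPLE_CHALLENGE_HTML = b"""<!DOCTYPE html><html><head>
<title>Attention Required! | Cloudflare</title></head><body>
<form class="challenge-form" action="/cdn-cgi/l/chk_captcha" method="get"></form>
<span class="cf-footer-item">Cloudflare Ray ID: <strong>5104aed85ef3da4e</strong></span>
</body></html>"""
SAMPLE_TOKEN_JSON = (
    b'{"access_token": "6SFrMJwJNQLzxPPFIuqwnchz49wYntXXX", "expires_in": 2678400, '
    b'"token_type": "Bearer", "scope": "identity identity[email] campaigns", '
    b'"refresh_token": "5Rd2FIqWdixqoC4vwsOzXB5JIv_DKViTM-M619UXXXX", "version": "0.0.1"}'
)


def build_token_request(code, client_id, client_secret, redirect_uri):
    """Return a urllib Request for the authorization_code grant with the
    User-Agent header set explicitly (the header the new challenge rule keys on)."""
    form = urllib.parse.urlencode({
        "code": code,
        "grant_type": "authorization_code",
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
    }).encode()
    return urllib.request.Request(
        TOKEN_URL,
        data=form,
        method="POST",
        headers={
            "User-Agent": USER_AGENT,
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def classify_token_response(status, headers, body):
    """Classify a token-endpoint response. Header names are matched
    case-insensitively. Returns one of:
      ("token", payload)                 JSON body carrying access_token
      ("oauth_error", payload)           JSON body carrying an OAuth "error"
      ("cloudflare_challenge", ray_id)   HTML interstitial, ray_id may be None
      ("unexpected", status)             anything else
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "")
    text = body.decode("utf-8", "replace") if isinstance(body, bytes) else body

    # Cloudflare's challenge page is HTML, links its /cdn-cgi/ challenge form,
    # titles itself "Attention Required!" and normally comes with a cf-ray
    # header. Check for it before attempting to parse JSON.
    looks_html = "text/html" in ctype or text.lstrip().lower().startswith(
        ("<!doctype html", "<html", "<head"))
    if looks_html and ("cdn-cgi" in text or "Attention Required!" in text or "cf-ray" in h):
        return ("cloudflare_challenge", h.get("cf-ray"))

    try:
        payload = json.loads(text)
    except ValueError:
        return ("unexpected", status)
    if status == 200 and "access_token" in payload:
        return ("token", payload)
    if isinstance(payload, dict) and "error" in payload:
        return ("oauth_error", payload)
    return ("unexpected", status)


def exchange_code(req, opener=urllib.request.urlopen):
    """Send the request and classify the answer. `opener` is injectable so the
    logic can be exercised without network access. 4xx/5xx answers arrive as
    HTTPError in urllib; their bodies are classified the same way."""
    try:
        with opener(req) as resp:
            return classify_token_response(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as e:
        return classify_token_response(e.code, dict(e.headers), e.read())


if __name__ == "__main__":
    challenge_headers = {"Content-Type": "text/html; charset=UTF-8", "CF-RAY": "5104aed85ef3da4e"}
    print(classify_token_response(403, challenge_headers, SAMPLE_CHALLENGE_HTML))
    print(classify_token_response(200, {"Content-Type": "application/json"}, SAMPLE_TOKEN_JSON)[0])
```

Logging the returned Cloudflare Ray ID together with the exact User-Agent that was sent is what makes the "message me privately" route Jackie offers actionable: it identifies the blocked request on their side without you guessing.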

It’s disappointing to see that a breaking change is made to the API without providing any notice to the community. Could the API documentation be updated to reflect this change?

Since the Cloudflare rule changes, I'm also seeing CAPTCHAs regardless of user agents when interacting with the undocumented public API, e.g. the posts endpoint (https://www.patreon.com/api/posts). I know using these endpoints isn't recommended, however it's the only way to obtain basic information which the official OAuth API omits.

Additionally, I’ve noticed Discord’s rich link preview feature is broken, I’m guessing their IPs are being hit by the CAPTCHA as well.


I'm not even getting any Cloudflare challenges. I'm just getting 403 errors when trying to access the public API.