22

  • Twitch stopped to recgonise the browser independent of configuration

  • BugsDesktopDone

I didn't see this thread before, and I also contacted Twitch.

As others have stated, everything on Twitch works as expected, except the integrity validation with Passport.

Here are the differences between the requests made by Orion and Safari to Twitch's Passport (https://passport.twitch.tv/integrity) – that are ultimately getting an HTTP/1.1 400 Bad Request:

  • User-agent from Safari: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15
  • User-agent from Orion: user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.1 Safari/605.1.15

(I correlated the difference in the Safari version from 16.3 to 16.1 since they stated they only support the latest version of Safari on their website. However, not sure if a minor version difference like this would cause any issues...)

Orion also adds these headers in the request:

sec-fetch-dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site

While other browsers don't. Not sure if this is related, but I also found some people online having problems with sec-fetch and Passport authentication.

Anyway, I tried to overwrite the headers to see if it would fix the issue, but I couldn't. If someone knows how to do that and wants to try it quickly, it may help to discover the issue! 🙂

I definitely would continue to use Orion since I love it, but I'll appreciate being able to use it to access Twitch since it is a site I use so much, and it is annoying needing two browsers and one just for one website :/

    Twitch support was responsive but not helpful - they just suggested using a supported browser, and making a request at https://twitch.uservoice.com. I asked them to please pass the bug report to the development team, but they gave no indication of doing so.

      I tried using the Chrome Requestly extension (http://requestly.io) in Orion to remove the three Sec-Fetch headers, and from the dev tools I can see it removed the headers properly, but I got the same error from the Twitch login page.

        5 days later

        Can anyone confirm in the new RC released today ? (from #rc-builds om discord)

          So just tried this with the latest RC and its still failing on the integrity check even with compatability mode active.

          But I was having a poke at this on the weekend and I am pretty sure this is not due to a header mismatch but actually due to Kasada Anit-Bot. I stripped off the first level of obfuscation so that the javascript was more readable and can see that this library will inject the kpsdk headers:

          x-kpsdk-cd: {"workTime":1679309802217,"id":"c4425fd69e35668169c976369a631c0b","answers":[7,2],"duration":1,"d":274,"st":1679309796816,"rst":1679309796964}
          x-kpsdk-ct: 0Puw0EeZkC9yS9DOlHlCrb1DNi2WgLzYavzZk6ZYsNZXaqZmteeK7fDaMpCXRws7JthROON6Te3JHdTzHWsMpT4q300AFKJOQBxgZTUR2Ka5d6YKvK0gsob72a26yO2zGqD5Cw89FiE7BoJVAhCw0yimP

          I did not have time to dig further to fully confirm as it seems like the timings here are really tight so I need to script some stuff up in MITM to be totally sure that Kasada is the issue. Or it could be that this is totally incorrect and something else is the issue.

            Okay so have made a bit more progress on this, looks like the culprit here is the x-kpsdk-ct aka the client token. The current work around I have found is that if you take a valid client token from another cookie store i.e. safari and insert that into the Orion cookie store, the browser is then deemed valid.

            Looks like the next step is going to be sifting through the obfuscated code to see how the client token is created, hopefully there is something obvious that will elude as to why Orion is failing the checks.

            • Vlad replied to this.

              @alexkornitzer thank you for your dedication on this. My 5 cents:

              I've been able to log in several weeks ago without any issues using an RC version. It obviously became problematic once I got logged out. However, I've noticed there was an issue with their GraphQL API even before I got logged out. Twitch has a functionality which allows you to sort of "announce" a resubscription to a streamer in the chat. It shows a popup allowing you to share a custom message. This worked, however submitting this form yielded a checksum error on the GraphQL API. This might be related to their new anti-bot protection, or maybe not, who knows.

                I just ran into this too. (Switched from another browser). Trying to log into Twitch and am seeing this error. Is there any movement on fixing this? This makes Orion useless to me.

                FWIW. Safari Technology Preview also has the same problem, normal Safari logs in just fine.

                • Vlad replied to this.

                  jtsom That seems to indicate the probem is with WebKit.

                  Someone should post an issue on webkit.org

                  https://webkit.org/reporting-bugs/

                  and confirm here with the ticket link. They are usually pretty fast to fix these.

                      Are we sure its actually a bug with the engine and not a breakage by design that is due to it not being a supported browser. The scripts employed by the site will intentionally create fingerprints to block unknown browsers...

                      I haven't had time to reverse the fingerprint fp endpoint yet.

                        FWIW, Safari Technical Preview V166 has fixed the issue.

                          Steps to reproduce: Tried to login with my account and got the message: "Your browser is not currently supported. Please use a recommended browser or learn more here." Tried everything from clearing cache to use "Compatibility mode" and nothing worked.

                          Expected behavior: Log in as normal.

                          Orion, OS version; hardware type: Orion 0.99.123.3-beta on a Mac Studio running Mac OS Ventura 13.2.1

                          Image/Video:

                            Merged 1 post from Twitch not letting me log in in Orion.

                              We will be upgrading to same WebKit or newer.

                                7 days later

                                I sincerely don't know if it's correlated but I went in the settings > web sites > content block > added www.twitch.tv (block active) and now the problem seems to be gone.

                                Last time I tried without this escamotage and had the recommended browser error was about a week ago, I do not know if in the mean time the error was already gone, anyway now I can use twitch with my account on Orion

                                  Cizzle4 I just went to try that and noticed that twitch.tv was already in the list, and set to "On". I removed twitch.tv and went to log in again, and got past entering my user id and password (got to the enter TFA code, which I never got to in the past. Go figure...