
Conversation

@jalaliamirreza jalaliamirreza commented Feb 4, 2026

Summary

  • DataDome bot protection bypass: Fetch SDK cookies from api-sdk.datadome.co with Android device fingerprint before API requests, preventing 403 CAPTCHA blocks
  • PIN-based authentication: Support the new auth/v5/authByRequestPin endpoint as primary auth method (TGTG moved from email link verification to PIN codes)
  • Central _post() method: All API calls route through _post() with automatic DataDome cookie management and 403 retry logic
  • x-correlation-id header: Sent on all requests to match real APK behavior

Details

The TooGoodToGo API now uses DataDome for bot detection, which blocks requests without a valid datadome cookie. This PR adds a _fetch_datadome_cookie() method that mimics the Android SDK's cookie request with proper device fingerprint parameters.

Authentication has also changed from email link verification to PIN codes sent via email. The new _auth_by_pin() method and updated start_polling() support this flow, with fallback to the existing polling method.

Test plan

  • All 23 existing tests pass (2 skipped - integration tests requiring TGTG_EMAIL)
  • Manual test: login with email, receive PIN, authenticate successfully
  • Manual test: verify get_favorites() returns results after login
  • Verify DataDome cookie is refreshed on 403 responses

🤖 Generated with Claude Code
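As an added example, not code from the tgtg library or from this PR, the sketch below shows the two mechanisms the summary describes working together: a central _post() that lazily fetches a DataDome cookie, attaches a fresh x-correlation-id to every request, and on a 403 discards the cookie, fetches a new one and retries once; and a PIN login that obtains the PIN from a caller-supplied callback rather than blocking on input() mid-flow (the concern raised in review). The endpoint paths, request field names, the cookie format and the FakeBackend stand-in for DataDome and the TGTG API are all assumptions made so the example runs offline; they are not the real protocol.

```python
"""Added example, not the tgtg library's code. Paths, field names and the
FakeBackend are assumptions so the flow can run offline."""
import uuid
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

MAX_403_RETRIES = 1  # assumption: at most one cookie refresh per request


@dataclass
class Response:
    status: int
    body: dict
    cookies: Dict[str, str] = field(default_factory=dict)


class FakeBackend:
    """Constructed stand-in for DataDome plus the API: a request passes only
    if it carries a cookie the 'SDK endpoint' issued; expire() simulates the
    server invalidating every outstanding cookie."""

    def __init__(self) -> None:
        self.issued = 0
        self.valid: set = set()
        self.calls = []  # (path, x-correlation-id) per request seen

    def sdk_cookie(self) -> str:  # stands in for _fetch_datadome_cookie()
        self.issued += 1
        cookie = f"dd-{self.issued}"
        self.valid.add(cookie)
        return cookie

    def expire(self) -> None:
        self.valid.clear()

    def post(self, path: str, body: dict, headers: Dict[str, str],
             cookies: Dict[str, str]) -> Response:
        self.calls.append((path, headers.get("x-correlation-id")))
        if cookies.get("datadome") not in self.valid:
            return Response(403, {"error": "captcha"})  # DataDome block
        if path == "auth/v5/authByEmail":               # assumed path
            return Response(200, {"polling_id": "poll-1"})
        if path == "auth/v5/authByRequestPin":
            ok = body.get("request_pin") == "123456"     # assumed field name
            return Response(200 if ok else 401, {"access_token": "tok"} if ok else {})
        return Response(200, {"items": []})


class Client:
    def __init__(self, transport: Callable[..., Response],
                 fetch_datadome_cookie: Callable[[], str]) -> None:
        self._transport = transport
        self._fetch_cookie = fetch_datadome_cookie
        self._datadome: Optional[str] = None
        self.access_token: Optional[str] = None

    def _headers(self) -> Dict[str, str]:
        # a fresh correlation id on every request, as the PR does
        return {"x-correlation-id": str(uuid.uuid4())}

    def _post(self, path: str, body: dict) -> Response:
        if self._datadome is None:
            self._datadome = self._fetch_cookie()
        for attempt in range(MAX_403_RETRIES + 1):
            resp = self._transport(path, body, self._headers(),
                                   {"datadome": self._datadome})
            if "datadome" in resp.cookies:  # server may rotate the cookie
                self._datadome = resp.cookies["datadome"]
            if resp.status != 403 or attempt == MAX_403_RETRIES:
                return resp
            # 403 means a DataDome challenge: drop the cookie, refetch, retry
            self._datadome = self._fetch_cookie()
        raise AssertionError("unreachable: loop always returns")

    def login(self, email: str, get_pin: Callable[[], str]) -> bool:
        """Request a PIN for `email`, then get it from `get_pin` (stdin in a
        CLI, a web form or a queue elsewhere) instead of calling input()."""
        start = self._post("auth/v5/authByEmail", {"email": email})
        if start.status != 200:
            return False
        polling_id = start.body["polling_id"]
        done = self._post("auth/v5/authByRequestPin",
                          {"request_polling_id": polling_id,
                           "request_pin": get_pin()})
        if done.status != 200:
            return False
        self.access_token = done.body["access_token"]
        return True


def demo() -> dict:
    backend = FakeBackend()
    client = Client(backend.post, backend.sdk_cookie)
    logged_in = client.login("user@example.com", lambda: "123456")
    backend.expire()                       # the cookie is no longer accepted
    resp = client._post("favorites", {})   # assumed path; 403 then retry
    return {"logged_in": logged_in, "status": resp.status,
            "cookies_issued": backend.issued, "requests": backend.calls,
            "token": client.access_token}


if __name__ == "__main__":
    print(demo())
```

The retry is bounded to one refresh so a persistent block (for example, the fingerprint itself being rejected) surfaces as a 403 to the caller instead of hammering the SDK endpoint in a loop.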

jalaliamirreza and others added 2 commits February 4, 2026 20:59
Handle DataDome bot protection by fetching SDK cookies before API
requests. Add central _post() method for all API calls with automatic
DataDome cookie management and 403 retry logic. Support PIN-based
authentication flow (authByRequestPin endpoint) as primary auth method.
Always send x-correlation-id header on all requests.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Owner

Isn't it too much :o

@silamon left a comment

Nice work, seems to be rock solid. Still a bit unfortunate that there's an input requirement in the middle of the process, which can be considered a breaking change for non-CLI programs that use this library.

```python
        if pin:
            return self._auth_by_pin(polling_id, pin)

        for _ in range(MAX_POLLING_TRIES):
```

This is dead code, if you don't enter the pin, you need to open the email on the exact same device. That's a new security enhancement of tgtg. Since we're mimicking the user agent and simulating the datadome protection, it's almost impossible to do so.

Author

I tested it and it's working. By the way, tgtg is sending a PIN and a link by email. Opening the link is not going to work, but the PIN is working and bypassing the new security control by tgtg. Do you want me to send you a video of the testing in the terminal?


I believe you and we're saying the same. I just think we should not keep the code that works on the email if it's clearly no longer working due to tgtg.

3 participants