fix(aiograpi): generate 6-digit TOTP code instead of submitting raw seed#46
Merged
Conversation
`_ensure_logged_in` passed the static base32 `totp_seed` straight into `client.login(verification_code=...)`, which Instagram rejects as an invalid security code (400 Bad Request). Derive the current 6-digit code on the fly via aiograpi's `totp_generate_code` helper and submit that. Accounts without 2FA still send an empty code. Closes #45 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the
aiograpi2FA login failure reported in #45._ensure_logged_inpassed the static base32totp_seeddirectly intoclient.login(verification_code=...). Instagram expects a current 6-digitTOTP code, not the secret, so it rejected every attempt with
400 Bad Request: Please check the security code and try again.The fix derives the live code on the fly via aiograpi's synchronous
totp_generate_code(seed)staticmethod and submits that. Accounts without atotp_seedstill send an empty code, so non-2FA logins are unchanged.The stale module docstring (which referenced a non-existent
totp_seed=kwarg on
login) is corrected to match the actualverification_codepath.Changes
insto/backends/aiograpi.py— generate the 6-digit code beforelogin; fix docstring.tests/test_aiograpi_backend_login.py— new tests asserting the generated code (not the raw seed) reacheslogin, and that no-seed logins send"".Testing
ruff check/ruff format --check— cleanmypy insto— cleanpytest --cov=insto --cov-fail-under=75— 914 passed, 82.37% coverageCloses #45
🤖 Generated with Claude Code