Cloudflare IM NOT A ROBOT blocking API?!?

Hi team,

My production website that has been working for months is now being blocked by your cloudflare IM NOT A ROBOT “protection”.

How is my API meant to click the “IM NOT A ROBOT” button? It is LITERALLY a robot and can’t click that; the ENTIRE POINT of an API is that a ROBOT would be calling it.

Please provide advice on how to use your API if you put the cloudflare protections in front of it.

Ah, instead of a JSON response my server is getting a web page meant for a human.

The title of the document being served is “Attention Required! | Cloudflare” and a snippet of content is “Please complete the security check to access www.patreon.com”.

Similar or same issue reported in this older post: Cloudflare Challenge On https://www.patreon.com/api/oauth2/token

Like the post linked above, I am also encountering the CAPTCHA when trying to talk to https://www.patreon.com/api/oauth2/token

Ah ha!

I was able to get my API client working again by passing a “User-Agent” header along with every request. I have a suspicion that any string will placate the current settings being used by Patreon + CloudFlare but I did not test that. The user agent string I used was “node” which is what I wrote my API client in.

I’m hoping this fix will be a permanent fix as I suddenly had a lot of users who could not get to or lost access to their membership reward. :o

I had been running the client for over a month without a user agent string so I wonder if a Patreon + CloudFlare setting changed recently or if I just got lucky and hit some kind of threshold recently.

Anyway, hoping the “user-agent” fix suggested here helps others in the same boat. Cheers! :slight_smile:

I am getting the same issue now, too, and my users cannot log in. I had some hopes reading here, but I was setting the user agent using passport.js already, and even a value of

'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36'

is still resulting in the challenge and a non-functional oauth2.

I would love some feedback on

  • why those changes are made without communication
  • what must be changed on our side to make our sites work again

Thanks,
Sebastian

I’m seeing the same issue. This is preventing me from acquiring new users. Very frustrating.

Let’s hope Patreon reads this forum and is able to address the issue quickly.

Hello All! I’m Jackie, Security Lead here at Patreon. Yesterday, we moved to challenge (serve a Captcha to) requests that do not include a user agent. This is because, historically, a large amount of badware or malware has omitted user agents. Adding a proper user agent will circumvent this. We also serve a captcha to suspected bad automated traffic. If you believe your legitimate app is being served a captcha, we can work with you - feel free to privately message me here, and I’ll get back to you as soon as I can.

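For API clients hit by the behaviour described in this thread, here is an added example (not Patreon’s or Cloudflare’s code) of a small Node helper that always sends a User-Agent with the token request and recognises the Cloudflare challenge page by the title and text quoted above, so the client fails with a clear error instead of feeding HTML to JSON.parse. The endpoint is the one named in the thread; the User-Agent value and the sample responses are constructed.

```javascript
// Added example, not Patreon's or Cloudflare's code. Endpoint from the thread;
// the User-Agent string and both sample responses below are constructed.
const TOKEN_URL = 'https://www.patreon.com/api/oauth2/token';
const USER_AGENT = 'example-patreon-client/1.0'; // placeholder: identify your own app

// Request options for the OAuth2 token call. The User-Agent is set explicitly
// rather than relying on whatever the HTTP library sends by default.
function buildTokenRequest(params) {
  return {
    method: 'POST',
    headers: {
      'User-Agent': USER_AGENT,
      'Accept': 'application/json',
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams(params).toString(),
  };
}

// Decide what came back: the JSON the API promises, the Cloudflare challenge
// page described in the thread, or something else. Content type is checked
// first; the challenge is recognised by the title and text quoted in the thread.
function classifyResponse(contentType, body) {
  const ct = String(contentType || '').toLowerCase();
  if (ct.includes('application/json')) {
    return { kind: 'json', data: JSON.parse(body) };
  }
  const looksLikeChallenge =
    /<title>\s*Attention Required!\s*\|\s*Cloudflare\s*<\/title>/i.test(body) ||
    /Please complete the security check/i.test(body);
  return { kind: looksLikeChallenge ? 'challenge' : 'unexpected' };
}

// Constructed sample responses standing in for the live endpoint.
const SAMPLE_JSON = '{"access_token":"PLACEHOLDER","token_type":"Bearer","expires_in":2678400}';
const SAMPLE_CHALLENGE =
  '<!DOCTYPE html><html><head><title>Attention Required! | Cloudflare</title></head>' +
  '<body><h1>Please complete the security check to access www.patreon.com</h1></body></html>';

// Demo: what a caller should do with each kind of response.
function demo() {
  for (const [ct, body] of [['application/json', SAMPLE_JSON], ['text/html', SAMPLE_CHALLENGE]]) {
    const r = classifyResponse(ct, body);
    if (r.kind === 'challenge') {
      console.log(`challenge page served by ${TOKEN_URL}: verify the User-Agent header is sent`);
    } else if (r.kind === 'json') {
      console.log('token response fields:', Object.keys(r.data).join(', '));
    }
  }
}
demo();
```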

Thanks for the reply, Jackie.

Because Amazon controls account linking for Alexa Skills, I’ve sent you a private message in the hopes you can “unbreak” this for people, like me, who are connecting patrons to their Alexa products.

We hope you can somehow convince your authorization system to interpret Amazon’s Alexa as a “legitimate app.”

Update I just got from Patreon: “At this point, Patreon does not officially support linking with Amazon as a supported feature set.”

Thanks for the feedback, Ash. Managing security and availability is always a difficult task, and I apologize that this is causing you trouble. We’ll look into a way to notify API developers in the future before changes.


Thanks for the reply, but I’m also sad that you would mark my post as offensive and hide it. It’s a factual statement to say what I said: by making these changes and not telling people, you affect the people who depend on Patreon for their well-being / livelihood. You also affect your own revenue stream, because any lost Patrons directly lower the money you get from us, your customer base.

You need to provide private API tokens to be allowed to call these APIs, so under no realistic situation would you ever trust a web browser to make these API calls, and so you would never have a normal user agent. It’s literally just a hoop to jump through for no reason.