This repository has been archived by the owner on Mar 23, 2023. It is now read-only.

"Request failed with status code Forbidden" on start up #414

Closed
kupet00 opened this issue Apr 7, 2022 · 110 comments

Comments

@kupet00

kupet00 commented Apr 7, 2022

Describe the bug
When starting the app, I get greeted by the following login screen ("Request failed with status code Forbidden"):
f1rc

Logging in on the official website or Android App does work with the same credentials.

To Reproduce
Steps to reproduce the behavior:

  1. Start the app

Expected behavior
Either a login screen without errors and being able to log in, or no login screen at all (being automatically logged in)

Desktop (please complete the following information):

  • Windows 11 Pro 21H2
  • 64bit
  • App version 2.6.3

F1TV account

  • Subscription type: Pro
  • Netherlands
  • Using VPN or proxy? No
@PostMalone

I have the same issue as you. Request failed with status code Forbidden

It's happening hours before FP1 in Australia.

@robvdpol
Owner

robvdpol commented Apr 7, 2022

Hmm, they might have disabled the api key we're using for the login request. We would have to check the contents of the login request from one of the official apps to see what has changed. I'm not sure how to do that unfortunately :/ Maybe someone else is able to do it. It's a bit tricky since it's of course encrypted.

@sartsj

sartsj commented Apr 7, 2022

API key seems fine, what I needed to do to make the auth request working again was adding this new euconsent cookie (not going to paste it here, not sure what it contains).

Just tried it with postman, and with this cookie it works again.

@robvdpol
Owner

robvdpol commented Apr 7, 2022

@sartsj The cookie shouldn't contain private information, you could try to decode it at http://iabtcf.com/#/decode to verify. I would really like to have it so I can fix the login.

@sartsj

sartsj commented Apr 7, 2022

Specifically, the necessary cookie is the one called 'reese84'

@robvdpol
Owner

robvdpol commented Apr 7, 2022

Ah the reese84 stuff again. There used to be an exception for 'RaceControl' user agent not needing it, but apparently they removed that exception :( They seem to be cracking down on third party tools this season.

See also SoMuchForSubtlety/f1viewer#111

@SoMuchForSubtlety

Maybe we can send them a nice email asking to add the exception back 😄

@imnotnoa

imnotnoa commented Apr 7, 2022

This cookie is associated with Imperva Networks and is used to determine if a user will receive a captcha.

@imnotnoa

imnotnoa commented Apr 7, 2022

SoMuchForSubtlety/f1viewer#231 (comment)

This gives us some hope

I'll see how far this gets me

@imnotnoa

imnotnoa commented Apr 7, 2022

@sartsj could you share your postman request? I'm having no luck logging in, even after syncing the reese84 cookie from my browser. Still get the "Pardon Our Interruption
As you were browsing something about your browser made us think you were a bot. There are a few reasons this might happen..." 403 page.

Using the correct cookie, api key, user-agent and credentials

@sartsj

sartsj commented Apr 7, 2022

@dhuit90 I'm honestly not having much luck anymore either. The only way I can get a successful auth request in postman now is by literally copying the one from my firefox dev console after logging in on the f1tv website.

Even if I only copy the reese84 cookie value from that request I can't get it to work anymore. I must be messing something up.

@imnotnoa

imnotnoa commented Apr 7, 2022

So one (very ugly) solution might be running a headless browser to get the token and use that to handle the login in RaceControl... I guess

@robvdpol
Owner

robvdpol commented Apr 7, 2022

I'll see how far this gets me

The reese84-token that you get from that request doesn't work. When I use the reese84-token from my webbrowser console it does work.

@imnotnoa

imnotnoa commented Apr 7, 2022

I'll see how far this gets me

The reese84-token that you get from that request doesn't work. When I use the reese84-token from my webbrowser console it does work.

Same here, i've been syncing the cookies from my browser (logged in to F1TV website) to postman but no luck

@MueR

MueR commented Apr 7, 2022

This curl request will get you the required value for a reese84 cookie. Still unsure how it works though.

curl --location --request POST 'https://api.formula1.com/6657193977244c13?d=account.formula1.com' \
--data-raw '{"solution":{"interrogation":{"st":162229509,"sr":1959639815,"cr":78830557},"version":"stable"},"error":null,"performance":{"interrogation":185}}'

edit: never mind, including the token doesn't work half the time

@imnotnoa

imnotnoa commented Apr 7, 2022

@flyingwraptor is the code you supplied in SoMuchForSubtlety/f1viewer#111 (comment) a solution for this?

@eXhumer

eXhumer commented Apr 7, 2022

I have a better solution for subscription token handling, but it requires access to an embedded web browser from which you can listen to cookie events. I used Qt's Framework in C++ to essentially listen for login-session session cookie for formula1.com in a Qt WebEngine after allowing a user to log in. Upon successful login, F1 will add the cookie which includes the subscription token.

https://github.com/eXhumer/eXF1TV/blob/main/Source/F1TVService.cxx#L30

@robvdpol
Owner

robvdpol commented Apr 7, 2022

I have a better solution for subscription token handling, but it requires access to an embedded web browser from which you can listen to cookie events. I used Qt's Framework in C++ to essentially listen for login-session session cookie for formula1.com in a Qt WebEngine after allowing a user to log in. Upon successful login, F1 will add the cookie which includes the subscription token.

https://github.com/eXhumer/eXF1TV/blob/main/Source/F1TVService.cxx#L30

I was thinking of doing something similar using an Edge WebView2 component. Let the user login on the official website and fetch the sessiontoken from response or cookie.

@eXhumer

eXhumer commented Apr 7, 2022

You can also allow manual token as a temporary fix this weekend. Here is an easy way to get the current logged in session token from browser.
image

@JustJoostNL

Is there any easy actual working fix for this right now?

@robvdpol
Owner

robvdpol commented Apr 7, 2022

Nope but I'm working on a fix. Proof of concept is ready, just need to integrate it into Race Control now. Hope I can do it tonight.

@BeanXOfficial

Nope but I'm working on a fix. Proof of concept is ready, just need to integrate it into Race Control now. Hope I can do it tonight.

You're a legend, thanks for all the work you put into this project!

@Tanguille

You can also allow manual token as temporary fix this weekend. Here is an easy way to get the current logged in session token from browser. image

Nice idea. Do you use that token instead of your password then?
Is there a way to do this via the android app? Can only log in there. In all my browsers I can't login. After some research I discovered this could be because F1TV is restricting IP addresses to avoid account sharing. Any way I could fix this?
Answers to my questions would be much appreciated. Or if robvdpol could achieve a miracle and fix RaceControl until FP1 it would solve all of my above questions. Good luck and courage and thanks in advance!

@thedave42

I have a better solution for subscription token handling, but it requires access to an embedded web browser from which you can listen to cookie events. I used Qt's Framework in C++ to essentially listen for login-session session cookie for formula1.com in a Qt WebEngine after allowing a user to log in. Upon successful login, F1 will add the cookie which includes the subscription token.

https://github.com/eXhumer/eXF1TV/blob/main/Source/F1TVService.cxx#L30

This is what I'm doing as well. I'm using Chromium and there is still a need for some extensions to get around the checks.

@AtlAntA118

This might not be very useful at all but i figured i might share this bit of info anyway. I can login just fine with RaceControl 2.6.3. No error message whatsoever and i can play all streams just fine.

The thing i do run on my PC is adguard with the extension called 'i dont care about cookies'. This might be doing something with the cookies and how they are handled.

robvdpol added a commit that referenced this issue Apr 7, 2022
@NH-Networks

Oh ok!! What is the link of sox.pm website? I was using an hls player firefox extension & i was very very happy with that.. What a pity I cannot use it anymore!

@iebb is working on self hosted version i see... maybe he can do some magic, time will tell

@ricky732

ricky732 commented Apr 8, 2022

That would be amazing

@iebb

iebb commented Apr 8, 2022

Oh ok!! What is the link of sox.pm website? I was using an hls player firefox extension & i was very very happy with that.. What a pity I cannot use it anymore!

@iebb is working on self hosted version i see... maybe he can do some magic, time will tell

It's a simple reverse proxy, all i need to do is some code cleanups, wouldn't take long

@sartsj

sartsj commented Apr 8, 2022

i was able to login and continue using this app just fine, and the previous races from this and older seasons work just fine. but i did notice that i was not able to watch Australian gp fp1 live or now as an archived session. other players stay empty but the internal one tries to load something, however that is just some pink mess with no audio. have they changed some drm things or is this just related to this issue as well and the upcoming 2.6.4 will resolve this issue as well?

As for this issue, for now you can still use the v1 endpoint to request a playback url, that one will return the original non-widevine hls stream format

Are you sure about this? I can also get unencrypted HLS on the v2 endpoint right now. It seems to me they just provide the unencrypted video when an event is not live anymore.

(assuming with v1 and v2 you mean just changing the /2.0/ to /1.0/ in the url and vice versa)

@OhSoooLucky

OhSoooLucky commented Apr 8, 2022

i was able to login and continue using this app just fine, and the previous races from this and older seasons work just fine. but i did notice that i was not able to watch Australian gp fp1 live or now as an archived session. other players stay empty but the internal one tries to load something, however that is just some pink mess with no audio. have they changed some drm things or is this just related to this issue as well and the upcoming 2.6.4 will resolve this issue as well?

As for this issue, for now you can still use the v1 endpoint to request a playback url, that one will return the original non-widevine hls stream format

Are you sure about this? I can also get unencrypted HLS on the v2 endpoint right now. It seems to me they just provide the unencrypted video when an event is not live anymore.

(assuming with v1 and v2 you mean just changing the /2.0/ to /1.0/ in the url and vice versa)

I must admit, I haven't tested the current weekend sessions, but as far as I am aware, last week I was able to circumvent the DRM using the 1.0/v1 endpoint.

EDIT: Yes only live content is encrypted with DRM, replays work fine using both endpoints

@sartsj

sartsj commented Apr 8, 2022

i was able to login and continue using this app just fine, and the previous races from this and older seasons work just fine. but i did notice that i was not able to watch Australian gp fp1 live or now as an archived session. other players stay empty but the internal one tries to load something, however that is just some pink mess with no audio. have they changed some drm things or is this just related to this issue as well and the upcoming 2.6.4 will resolve this issue as well?

As for this issue, for now you can still use the v1 endpoint to request a playback url, that one will return the original non-widevine hls stream format

Are you sure about this? I can also get unencrypted HLS on the v2 endpoint right now. It seems to me they just provide the unencrypted video when an event is not live anymore.
(assuming with v1 and v2 you mean just changing the /2.0/ to /1.0/ in the url and vice versa)

I must admit, I haven't tested the current weekend sessions, but as far as I am aware, last week I was able to circumvent the DRM using the 1.0/v1 endpoint.

EDIT: Yes only live content is encrypted with DRM, replays work fine using both endpoints

Well last week it was also possible to get unencrypted streams from the v2 endpoint for live sessions :)
I guess we'll have to wait until FP3 to see whether the v1 trick works.

@ricky732

ricky732 commented Apr 8, 2022

@iebb so if I understood, if you make your code cleanups, we can host the stream by ourselves, but in that case, what player should we use to play it?

@iebb

This comment was marked as off-topic.

@Tanguille

Tanguille commented Apr 8, 2022

I think they are overloaded because it keeps loading for me at the moment.

Edit: BTW is there a thread on your repo or something which you can put a link for here so we can discuss it further without flooding this issue thread?

@iebb

iebb commented Apr 8, 2022

I think they are overloaded because it keeps loading for me at the moment.

Edit: BTW is there a thread on your repo or something which you can put a link for here so we can discuss it further without flooding this issue thread?

https://github.com/iebb/F1-Web-Viewer/issues/

@moi427

moi427 commented Apr 8, 2022

@KroontjesPen , @Tanguille and @ricky732

this should work now, I forgot to update the backend when I modified cookie stuffs. This website and https://tv.ieb.systems/ (US) and https://f1tv-eu.ieb.systems/ (DE) should all be working now. (ieb.systems site are more preferred, while sox.pm is more like experimental playgrounds)

I'm sorry, but nothing is loading here after starting both the sites and login. I'm just a user of the great RaceControl, so most of the comments here are not something I understand.

@Digi421

Digi421 commented Apr 8, 2022

If you have the subscription token you can paste it in the settings JSON file located at %LOCALAPPDATA%\RaceControl\RaceControl.settings.json (field 'SubscriptionToken'). Make sure to set the 'LastLogin' to something recent (less than a week ago). Then it should auto login, but still you would have the DRM issue.

Not sure about the "LastLogin" part, am i supposed to put in the date there?
Like this?: https://i.imgur.com/kS4SON8.png

Put it like this:

"LastLogin": "2022-04-08T13:17:23.2004797Z",

This actually worked for me (Win10, app v2.6.3). Added Subscription Token (from browser) and LastLogin into RaceControl.settings.json. I can watch FP1 without problems but FP2 is garbled/encrypted -weird.
FP1:
image

FP2:
image

@thedave42

Looks like v2 is returning unencrypted for FP1 now but still not for FP2. I can get the unencrypted HLS for FP1 via the v2 api using BIG_SCREEN_HLS. v1 is also now returning working, un-encrypted links for FP1 but still giving 403s for FP2.

@MueR

MueR commented Apr 8, 2022

Go figure, FOM skimping on having to pay the fees for the DRM..

@eXhumer

eXhumer commented Apr 8, 2022

Go figure, FOM skimping on having to pay the fees for the DRM.

What makes you say that? The fact that they remove the DRM for you?

Looks like v2 is returning unencrypted for FP1 now but still not for FP2. I can get the unencrypted HLS for FP1 via the v2 api using BIG_SCREEN_HLS. v1 is also now returning working, un-encrypted links for FP1 but still giving 403s for FP2.

i was able to login and continue using this app just fine, and the previous races from this and older seasons work just fine. but i did notice that i was not able to watch Australian gp fp1 live or now as an archived session. other players stay empty but the internal one tries to load something, however that is just some pink mess with no audio. have they changed some drm things or is this just related to this issue as well and the upcoming 2.6.4 will resolve this issue as well?

As for this issue, for now you can still use the v1 endpoint to request a playback url, that one will return the original non-widevine hls stream format

Are you sure about this? I can also get unencrypted HLS on the v2 endpoint right now. It seems to me they just provide the unencrypted video when an event is not live anymore.
(assuming with v1 and v2 you mean just changing the /2.0/ to /1.0/ in the url and vice versa)

I must admit, I haven't tested the current weekend sessions, but as far as I am aware, last week I was able to circumvent the DRM using the 1.0/v1 endpoint.

EDIT: Yes only live content is encrypted with DRM, replays work fine using both endpoints

Using V1/V2 will have no difference to the actual stream they give you other than the errors. There is no bypass with V1. FOM protects live content and recent VODs with DRM for the first few hours and removes them to allow HLS playback like before. They have been doing this since Bahrain / Saudi Arabia.

@robvdpol I also suggest locking this issue until you have some update yourself, most of the comments here add nothing to help with the issue other than spreading FUD.

@DaveFlashNL

weird, on Mac OS im just now watching FP1, and I was able to lift the m3u8 and dump it into ffmpeg and YouTube downloader, no drm in sight here. I thought they already added it no? oh one weird thing, YouTube_dl only saves the Portuguese audio and ffmpeg only the English commentary.

@iebb

iebb commented Apr 8, 2022

weird, on Mac OS im just now watching FP1, and I was able to lift the m3u8 and dump it into ffmpeg and YouTube downloader, no drm in sight here. I thought they already added it no? oh one weird thing, YouTube_dl only saves the Portuguese audio and ffmpeg only the English commentary.

only the most recent VOD / live contents are with DRM (currently FP2 only)

@OhSoooLucky

I have not tested the last 2 sessions live sadly, but last weekend I had the same DRM issues, and my v1 fallback did work, adding the set-cookie headers to the headers of any http request to the cdn.

I'll test FP2 in a minute (as I heard people saying there's still DRM on playback) and FP3 in a couple of hours and provide you my findings.

@thedave42

thedave42 commented Apr 8, 2022

I have not tested the last 2 sessions live sadly, but last weekend I had the same DRM issues, and my v1 fallback did work, adding the set-cookie headers to the headers of any http request to the cdn.

Can confirm I experienced this last weekend as well. v1 would always return working URLs w/o DRM - even for live. Last week the live was always an MPD, even if you requested HLS, but the MPD was working and returning a stream in the clear.

@sartsj

sartsj commented Apr 8, 2022

I 100% used v2 endpoint last weekend for live sessions and got unencrypted HLS streams. It also has to do with the user-agents provided what stream you get, so probably that is why you were getting encrypted streams.

@eXhumer

eXhumer commented Apr 8, 2022

GET https://f1tv.formula1.com/1.0/R/ENG/WEB_HLS/ALL/CONTENT/PLAY?channelId=1033&contentId=1000005127

Response

{"resultCode":"OK","message":"200","errorDescription":"","resultObj":{"entitlementToken":"entitlementToken","url":"https://ott-video-cf.formula1.com/f1d26a28c95485cc/out/v1/613432380c864ec6847609656c317695/index.mpd?kid=1042&exp=1649527434&ttl=1440&token=<token>&start=1649397304&end=1649401586","streamType":"DASHWV","drmType":"widevine","laURL":"https://f1tv.formula1.com/2.0/R/ENG/WEB_HLS/ALL/CONTENT/LA/widevine?channelId=1033&contentId=1000005127","channelId":1033},"systemTime":1649441033706}

@DaveFlashNL

only the most recent VOD / live contents are with DRM (currently FP2 only)

so after FP3, FP2 becomes drm free? that seems weird

@JohnLBergqvist

JohnLBergqvist commented Apr 8, 2022

For those who are struggling to understand why some sessions are encrypted and some aren't: F1 TV is now returning the DRM-protected DASH format for videos that originate as a live session. All other videos use HLS. Since the beginning of this week, live streams have been returned as DASH, even when you've used the HLS endpoints.

Most of the time (but not always), a few hours after the session, the original DRM-protected replay is replaced with a standalone video. Once you request the video from that point onwards, you'll get it in un-encrypted HLS format. They've done this for Australia FP1 (which is why it's viewable), but at the time of writing, not FP2.

The difference between the original replay (available straight after the session ends), and the later "standalone" version, is that the "original" is the live stream URL, with &start and &end parameters on the end, to restrict the player to only show that part of the original stream (which is otherwise transmitting 24x7). This allows them to make the replay available so quickly after the event finishes.
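
Added illustration, not code from RaceControl or from anyone in this thread: a small reader for the request/response pair posted earlier on this page that reports the properties described in the comment above (container actually returned versus format requested, DRM type, and whether the manifest is a `start`/`end` window cut from the live stream). The request path layout, `exp` as epoch seconds and `systemTime` as milliseconds are assumptions read off that one sample.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Request URL and response body as posted earlier in this thread
# (the token was already redacted there).
SAMPLE_REQUEST = ("https://f1tv.formula1.com/1.0/R/ENG/WEB_HLS/ALL/CONTENT/PLAY"
                  "?channelId=1033&contentId=1000005127")
SAMPLE_RESPONSE = (
    '{"resultCode":"OK","message":"200","errorDescription":"","resultObj":'
    '{"entitlementToken":"entitlementToken","url":"https://ott-video-cf.formula1.com/'
    'f1d26a28c95485cc/out/v1/613432380c864ec6847609656c317695/index.mpd?kid=1042'
    '&exp=1649527434&ttl=1440&token=<token>&start=1649397304&end=1649401586",'
    '"streamType":"DASHWV","drmType":"widevine","laURL":"https://f1tv.formula1.com/'
    '2.0/R/ENG/WEB_HLS/ALL/CONTENT/LA/widevine?channelId=1033&contentId=1000005127",'
    '"channelId":1033},"systemTime":1649441033706}'
)


def _int_param(query, name):
    """Return a numeric query parameter as int, or None if absent or non-numeric."""
    value = query.get(name, [""])[0]
    return int(value) if value.isdigit() else None


def describe_playback(request_url, response_text):
    """Summarise what a playback response says about format, DRM and windowing."""
    body = json.loads(response_text)
    if body.get("resultCode") != "OK":
        raise ValueError("playback request failed: %r" % body.get("message"))
    result = body["resultObj"]

    # Assumed path layout, taken from the sample: /<version>/R/ENG/<format>/...
    segments = urlsplit(request_url).path.strip("/").split("/")
    if len(segments) < 4:
        raise ValueError("unexpected request path")
    api_version, requested = segments[0], segments[3]

    manifest = urlsplit(result["url"])
    query = parse_qs(manifest.query)
    extension = manifest.path.rsplit(".", 1)[-1].lower()
    container = {"mpd": "DASH", "m3u8": "HLS"}.get(extension, "unknown")

    # A replay that is a slice of the live stream carries both start and end.
    start, end = _int_param(query, "start"), _int_param(query, "end")
    windowed = start is not None and end is not None
    expiry = _int_param(query, "exp")   # assumed epoch seconds
    now = body.get("systemTime")        # assumed epoch milliseconds

    return {
        "api_version": api_version,
        "requested_format": requested,
        "container": container,
        "drm": result.get("drmType") or None,
        "licence_url_present": bool(result.get("laURL")),
        "format_mismatch": container != "unknown" and container not in requested.upper(),
        "windowed_live_replay": windowed,
        "window_seconds": end - start if windowed else None,
        "url_valid_for_seconds": expiry - now // 1000 if expiry and now else None,
    }


if __name__ == "__main__":
    for key, value in describe_playback(SAMPLE_REQUEST, SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

On the sample from this thread the summary shows a Widevine-protected DASH manifest returned for a `WEB_HLS` request on the 1.0 path, windowed to 4282 seconds of the live stream.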

@DaveFlashNL

DaveFlashNL commented Apr 8, 2022

They've done this for Australia FP1 (which is why it's viewable), but at the time of writing, not FP2.

i suspect either in a few hrs time or after fp3, they've processed the videos through their system and FP2 becomes available in HLS on that endpoint you mentioned, and so, based on the comments here I assume it is this way because F1/FIA/LibGlob. still needs the HLS streams for certain devices/scenarios, that they have yet to migrate to the new systems and endpoints that are fully drmed up.

Repository owner locked as off-topic and limited conversation to collaborators Apr 8, 2022
@robvdpol
Owner

robvdpol commented Apr 9, 2022

Login issue is fixed in 2.6.4 release.

@robvdpol robvdpol closed this as completed Apr 9, 2022
Repository owner unlocked this conversation Apr 9, 2022
@snowice0

snowice0 commented May 6, 2022

Looks like im running into the issue just before FP1 Miami
