fix: use curl_cffi Chrome TLS impersonation to bypass Cloudflare

chatgpt.com uses Cloudflare's TLS fingerprinting (JA3/JA4) which blocks Python requests regardless of cookies. curl_cffi impersonates Chrome's exact TLS handshake, making requests indistinguishable from a real browser at the transport layer. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 05:20:52 -05:00
parent d236fdb21a
commit 5c6dcafa34
4 changed files with 48 additions and 6 deletions
--- a/debug_auth.py
+++ b/debug_auth.py
@@ -0,0 +1,26 @@
+"""Debug script — checks what /api/auth/session returns using curl_cffi Chrome impersonation."""
+import os
+from dotenv import load_dotenv
+from curl_cffi import requests as curl_requests
+
+load_dotenv()
+token = os.getenv("CHATGPT_SESSION_TOKEN")
+if not token:
+    print("ERROR: CHATGPT_SESSION_TOKEN not found in .env")
+    raise SystemExit(1)
+
+s = curl_requests.Session(impersonate="chrome120")
+s.cookies.set("__Secure-next-auth.session-token", token, domain="chatgpt.com", path="/")
+s.headers.update({
+    "Referer": "https://chatgpt.com/",
+    "Accept": "*/*",
+    "sec-fetch-dest": "empty",
+    "sec-fetch-mode": "cors",
+    "sec-fetch-site": "same-origin",
+})
+
+print("Calling /api/auth/session (with Chrome TLS impersonation) ...")
+r = s.get("https://chatgpt.com/api/auth/session", timeout=15)
+print(f"Status: {r.status_code}")
+print(f"Content-Type: {r.headers.get('content-type', '(none)')}")
+print(f"Response body (first 500 chars):\n{r.text[:500]}")