xtb-api-python 0.5.2__py3-none-any.whl

xtb_api/auth/browser_auth.py

@@ -0,0 +1,316 @@
+"""Browser-based CAS authentication for XTB xStation5.
+
+Uses Playwright to bypass Akamai WAF that blocks REST CAS API from datacenter IPs.
+Launches headless Chromium with stealth patches, performs login via the Angular web app,
+and intercepts the TGT from network responses.
+
+Browser is used ONLY for authentication — trading uses WebSocket API.
+"""
+
+from __future__ import annotations
+
+import asyncio
+import logging
+import time
+from typing import TYPE_CHECKING
+
+from xtb_api.types.websocket import (
+    CASError,
+    CASLoginResult,
+    CASLoginSuccess,
+    CASLoginTwoFactorRequired,
+)
+
+if TYPE_CHECKING:
+    from playwright.async_api import Browser, Page, Playwright, Response
+
+logger = logging.getLogger(__name__)
+
+LOGIN_URL = "https://xstation5.xtb.com/"
+PAGE_LOAD_TIMEOUT = 30_000  # 30s
+OTP_WAIT_TIMEOUT = 300  # 5 min
+
+# Anti-detection scripts injected before page load
+_STEALTH_JS = """
+Object.defineProperty(navigator, 'webdriver', { get: () => undefined });
+window.chrome = { runtime: {} };
+const _origQuery = window.navigator.permissions.query;
+window.navigator.permissions.query = (p) => (
+    p.name === 'notifications'
+        ? Promise.resolve({ state: Notification.permission })
+        : _origQuery(p)
+);
+Object.defineProperty(navigator, 'plugins', { get: () => [1, 2, 3, 4, 5] });
+Object.defineProperty(navigator, 'languages', { get: () => ['pl-PL', 'pl', 'en-US', 'en'] });
+"""
+
+
+class BrowserCASAuth:
+    """Browser-based CAS authentication using Playwright.
+
+    Launches headless Chromium with stealth patches, fills the login form on
+    xStation5, and intercepts the TGT from CAS network responses.
+    """
+
+    _browser: Browser | None
+    _page: Page | None
+    _playwright: Playwright | None
+
+    def __init__(self, *, headless: bool = True) -> None:
+        self._headless = headless
+        self._tgt: str | None = None
+        self._tgt_event = asyncio.Event()
+        self._two_factor_detected = asyncio.Event()
+        self._browser = None
+        self._page = None
+        self._playwright = None
+        self._login_ticket: str | None = None
+        self._two_factor_info: dict | None = None
+
+    async def login(self, email: str, password: str) -> CASLoginResult:
+        """Launch browser, navigate to xStation5, fill login form, and submit.
+
+        Returns CASLoginSuccess if TGT obtained directly, or
+        CASLoginTwoFactorRequired if 2FA is needed (call submit_otp() next).
+        """
+        try:
+            from playwright.async_api import async_playwright
+        except ImportError as e:
+            raise CASError(
+                "BROWSER_AUTH_MISSING_DEPENDENCY",
+                "Playwright is required for browser auth. "
+                "Install with: pip install playwright && playwright install chromium",
+            ) from e
+
+        needs_cleanup = True
+        self._playwright = await async_playwright().start()
+        try:
+            from playwright.async_api import Error as _PlaywrightError
+
+            try:
+                self._browser = await self._playwright.chromium.launch(
+                    headless=self._headless,
+                    args=["--disable-blink-features=AutomationControlled", "--no-sandbox"],
+                )
+            except _PlaywrightError as e:
+                msg = str(e)
+                if "Executable doesn't exist" in msg:
+                    raise CASError(
+                        "BROWSER_CHROMIUM_MISSING",
+                        "Chromium browser not found. The xtb-api-python library requires a "
+                        "Chromium install for XTB authentication.\n\n"
+                        "Run:\n    playwright install chromium\n\n"
+                        "See https://github.com/liskeee/xtb-api-python#post-install-setup "
+                        "for details.",
+                    ) from e
+                raise
+            context = await self._browser.new_context(
+                user_agent=(
+                    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
+                    "(KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"
+                ),
+                locale="pl-PL",
+                timezone_id="Europe/Warsaw",
+            )
+
+            # Inject stealth scripts before any page loads
+            await context.add_init_script(_STEALTH_JS)
+
+            self._page = await context.new_page()
+            assert self._browser is not None
+            assert self._page is not None
+            assert self._playwright is not None
+
+            # Set up response interceptor for TGT / 2FA
+            self._page.on("response", self._on_response)
+
+            # Set consistent fingerprint to avoid "new device" emails.
+            # Must match the fingerprint generated by CAS REST client.
+            import hashlib as _hashlib
+
+            _fp = _hashlib.sha256(b"xStation5/2.94.1 (Linux x86_64)").hexdigest().upper()
+            await context.add_init_script(f"""
+                try {{
+                    localStorage.setItem('deviceFingerprint', '{_fp}');
+                    localStorage.setItem('fingerprint', '{_fp}');
+                }} catch(e) {{}}
+            """)
+
+            # Navigate to login page
+            logger.info("Navigating to %s", LOGIN_URL)
+            await self._page.goto(LOGIN_URL, wait_until="domcontentloaded", timeout=PAGE_LOAD_TIMEOUT)
+
+            # New xStation5 UI uses generic textbox inputs instead of named inputs.
+            # Wait for the email field (first textbox) to appear.
+            email_input = self._page.get_by_role("textbox").first
+            await email_input.wait_for(state="visible", timeout=PAGE_LOAD_TIMEOUT)
+            logger.info("Login form found")
+
+            # Type credentials with human-like delays (avoids bot detection)
+            await email_input.click()
+            # Clear any pre-filled value before typing
+            await email_input.fill("")
+            await self._page.keyboard.type(email, delay=30)
+
+            password_input = self._page.get_by_role("textbox").nth(1)
+            await password_input.click()
+            await password_input.fill("")
+            await self._page.keyboard.type(password, delay=30)
+
+            await self._page.wait_for_timeout(300)
+
+            # Submit form — new UI uses a button labeled "Login"
+            submit = self._page.get_by_role("button", name="Login")
+            if await submit.is_visible(timeout=3000):
+                await submit.click()
+            else:
+                await password_input.press("Enter")
+
+            logger.info("Login form submitted")
+
+            # Wait for either TGT or 2FA detection
+            tgt_task = asyncio.create_task(self._tgt_event.wait())
+            two_fa_task = asyncio.create_task(self._two_factor_detected.wait())
+
+            done, pending = await asyncio.wait(
+                {tgt_task, two_fa_task},
+                timeout=PAGE_LOAD_TIMEOUT / 1000,
+                return_when=asyncio.FIRST_COMPLETED,
+            )
+            for task in pending:
+                task.cancel()
+
+            if self._tgt:
+                await self.close()
+                return CASLoginSuccess(
+                    tgt=self._tgt,
+                    expires_at=time.time() + 8 * 3600,
+                )
+
+            if self._two_factor_detected.is_set():
+                info = self._two_factor_info or {}
+                login_ticket = self._login_ticket or "browser-2fa"
+                # Keep browser open for OTP submission
+                needs_cleanup = False
+                return CASLoginTwoFactorRequired(
+                    login_ticket=login_ticket,
+                    session_id=login_ticket,
+                    two_factor_auth_type=info.get("twoFactorAuthType", "SMS"),
+                    methods=[info.get("twoFactorAuthType", "SMS")],
+                    expires_at=time.time() + OTP_WAIT_TIMEOUT,
+                )
+
+            raise CASError("BROWSER_AUTH_TIMEOUT", "Login timed out — no TGT or 2FA detected")
+        except BaseException:
+            if needs_cleanup:
+                await self.close()
+            raise
+
+    async def submit_otp(self, code: str) -> CASLoginResult:
+        """Fill OTP code into the 2FA form in the browser and wait for TGT.
+
+        The 2FA component is `XS6-TWO-FACTOR-AUTHENTICATION` — a web component
+        with Shadow DOM. Playwright's get_by_placeholder/get_by_role auto-pierce
+        shadow DOM, so no manual shadowRoot traversal is needed.
+        """
+        if not self._page:
+            raise CASError("BROWSER_AUTH_NO_PAGE", "Browser page not available — call login() first")
+
+        try:
+            logger.info("Submitting OTP code via browser")
+            page = self._page
+
+            # Wait for 2FA modal to appear
+            await page.wait_for_timeout(2000)
+
+            # Playwright auto-pierces shadow DOM for these locators
+            otp_input = page.get_by_placeholder("Wprowadź kod tutaj")
+            await otp_input.wait_for(state="visible", timeout=10000)
+            await otp_input.fill(code)
+
+            # Click submit button
+            submit_btn = page.get_by_role("button", name="Weryfikacja")
+            await submit_btn.click()
+
+            logger.info("OTP submitted, waiting for TGT...")
+
+            # Wait for TGT from network response interceptor
+            try:
+                await asyncio.wait_for(self._tgt_event.wait(), timeout=30)
+            except TimeoutError as e:
+                raise CASError("BROWSER_AUTH_OTP_TIMEOUT", "Timed out waiting for TGT after OTP submission") from e
+
+            tgt = self._tgt
+            if not tgt:
+                raise CASError("BROWSER_AUTH_NO_TGT", "OTP submitted but no TGT received")
+
+            return CASLoginSuccess(
+                tgt=tgt,
+                expires_at=time.time() + 8 * 3600,
+            )
+        finally:
+            await self.close()
+
+    async def close(self) -> None:
+        """Clean up browser resources."""
+        try:
+            if self._browser:
+                await self._browser.close()
+        except Exception:
+            pass
+        try:
+            if self._playwright:
+                await self._playwright.stop()
+        except Exception:
+            pass
+        self._browser = None
+        self._page = None
+        self._playwright = None
+
+    async def _on_response(self, response: Response) -> None:
+        """Intercept network responses to extract TGT."""
+        try:
+            url = response.url
+
+            if "v2/tickets" in url and "serviceTicket" not in url:
+                ct = response.headers.get("content-type", "")
+                if "json" not in ct:
+                    return
+                try:
+                    body = await response.json()
+                except Exception:
+                    return
+
+                login_phase = body.get("loginPhase")
+                ticket = body.get("ticket") or body.get("tgt")
+
+                if login_phase == "TGT_CREATED" and ticket and ticket.startswith("TGT-"):
+                    logger.info("TGT intercepted from v2/tickets response")
+                    self._tgt = ticket
+                    self._tgt_event.set()
+                    return
+
+                if login_phase == "TWO_FACTOR_REQUIRED":
+                    self._login_ticket = body.get("ticket") or body.get("loginTicket") or body.get("sessionId") or ""
+                    self._two_factor_info = body
+                    self._two_factor_detected.set()
+                    ticket_preview = self._login_ticket[:30] if self._login_ticket else "?"
+                    logger.info("2FA required — login_ticket: %s", ticket_preview)
+                    return
+
+            # Check for CASTGT cookie in any response
+            headers = response.headers
+            set_cookie = headers.get("set-cookie", "")
+            if "CASTGT=" in set_cookie:
+                for part in set_cookie.split(";"):
+                    part = part.strip()
+                    if part.startswith("CASTGT="):
+                        tgt = part[len("CASTGT=") :]
+                        if tgt.startswith("TGT-"):
+                            logger.info("TGT intercepted from CASTGT cookie")
+                            self._tgt = tgt
+                            self._tgt_event.set()
+                            return
+
+        except Exception as e:
+            logger.debug("Error intercepting response: %s", e)