electricitymaps / bloom-contrib

Making carbon footprint data available to everyone.

Home Page:https://www.bloomclimate.com


[Bug] Unable to authenticate with trainline

Mayjest opened this issue · comments

I've been unable to authenticate with thetrainline integration. Consistent 403 issues. Have changed password & confirmed I can log in on both the app and desktop with that new password, but still get "Something went wrong while activating the source. HTTPError: Unsuccessful HTTP response. Additional properties: status: 403"

So it looks like trainline are blocking the https://www.thetrainline.com/login-service/api/login POST route if you don't send a certain cookie with the request. This must be a new thing as I can't get it to work in Postman any more without copying in the cookies that my browser is using to log in on the website. It's hard to know which exact cookie it is as there are so many sent with the request when the browser does it.

@corradio any thoughts on how we could get round this?

I think experimenting with removing particular cookies (specifically the 'login' one from www.thetrainline.com - not thetrainline.com) may have got my account blocked. Getting "Access Denied. You don't have permission to access "http://www.thetrainline.com/login-service/api/login" on this server." when I try and log on normally now >.<

Same here, it appears if you don't send the right cookies to the POST login endpoint, the server doesn't connect, and it locks you out of your account after a few attempts. This must be a new security measure trainline have implemented.

If you do a password reset you can get back into your account.

Did you manage to figure out which cookies are required to be sent with the request? I've tried adding login=0 but that doesn't seem to work. There are a lot that are set when you load the login page on the trainline website, but can't figure out which one(s) are required.

I've tried using superagent to load the login page (GET https://www.thetrainline.com/my-account/login) before calling the login API, in the hope that any necessary cookies will be set. But this doesn't seem to work. Any help would be much appreciated! Will take a look again tomorrow eve.

Trying to find any documentation on Trainline's API online was pretty unsuccessful. Looks like they have an API for business users though. I have a feeling that this API is designed for use by Trainline's apps & websites, and introducing this cookie is a way of reducing people like us from getting the data out :(

I've looked into this for quite a few hours now and I'm pretty stumped. I've tried copying and pasting the request into cURL and it works there. I've tried playing around with the version of HTTP and it looks like it will only accept HTTP2 requests. If you try and send with 1.1 then it blocks your account. Superagent doesn't support HTTP2, and I'm not sure if React Native does either.

I think there is also a need to set the host header to www.thetrainline.com, as well as having specific cookies set, but I can't figure out what they are.

Perhaps we should prevent users using this integration until a better fix can be made, so that people don't get locked out of their accounts?

Hi @liamgarrison , @martincollignon is taking steps to reach out with Trainline and see what we can do.
cc @sorensvejstrup

Any news on this? Have trainline responded?

Yes they have. Sorry for not getting back to you earlier. Trainline recognize the need but aren't going to prioritize this right now. So sadly I see no other way than removing the integration from the app.