Use browser headers on login POST and MFA verify by tobias-goertz · Pull Request #216 · matin/garth

tobias-goertz · 2026-03-19T12:48:39Z

Summary

Cloudflare detects the User-Agent switch between the sign-in page (browser UA via SSO_PAGE_HEADERS) and the login POST (default GCM-iOS UA) and returns 429 Too Many Requests.

Pass SSO_PAGE_HEADERS on both the login POST and MFA verify call to keep the User-Agent consistent within the session.

Test plan

Without fix: instant 429 on login POST, even after hours of no activity
With fix: login succeeds (200 + ticket)
Verified locally with non-MFA account

Summary by CodeRabbit

Bug Fixes
- Improved request handling for authentication and multi-factor authentication endpoints by including browser-like headers to enhance compatibility.
Chores
- Bumped package version to 0.7.11.

coderabbitai · 2026-03-19T12:48:54Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 63bbf198-f61a-4b83-b3e5-544d5d16dcef

📥 Commits

Reviewing files that changed from the base of the PR and between fa6f2b6 and 464c1b5.

📒 Files selected for processing (2)

src/garth/sso.py
src/garth/version.py

✅ Files skipped from review due to trivial changes (1)

src/garth/version.py

🚧 Files skipped from review as they are similar to previous changes (1)

src/garth/sso.py

Walkthrough

Added SSO_PAGE_HEADERS to two POST requests in login and handle_mfa so SSO authentication POSTs include predefined browser-like headers (User-Agent, Accept, Accept-Language, Sec-Fetch-*) instead of relying on default request headers; also bumped package version to 0.7.11.

Changes

Cohort / File(s)	Summary
SSO Headers `src/garth/sso.py`	Added `headers=SSO_PAGE_HEADERS` to `client.post` calls in `login` (`/mobile/api/login`) and `handle_mfa` (`/mobile/api/mfa/verifyCode`) to send browser-like SSO headers.
Version Bump `src/garth/version.py`	Updated `__version__` from `"0.7.10"` to `"0.7.11"`.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Make /portal/sso/embed best-effort to handle Cloudflare challenges #210: Adds browser-like headers to SSO HTTP requests in src/garth/sso.py for authentication endpoints.
Use dynamic MFA method from login response #215: Changes the same login and handle_mfa flows in src/garth/sso.py, touching SSO request behavior.
Revert browser headers on login POST and MFA verify #212: Adjusts HTTP headers used for login and MFA POSTs in src/garth/sso.py.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: adding browser headers to login POST and MFA verify requests to maintain User-Agent consistency and avoid Cloudflare 429 errors.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

📝 Coding Plan

Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

codecov · 2026-03-19T12:50:18Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.91%. Comparing base (9760c41) to head (464c1b5).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #216   +/-   ##
=======================================
  Coverage   99.91%   99.91%           
=======================================
  Files          68       68           
  Lines        3569     3569           
=======================================
  Hits         3566     3566           
  Misses          3        3

Flag	Coverage Δ
unittests	`99.91% <100.00%> (ø)`

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

tobias-goertz · 2026-03-19T12:50:45Z

@matin PTAL, this should fix at least the 429 issues the people are observing

Cloudflare detects the User-Agent switch between the sign-in page (browser UA) and the login POST (GCM-iOS UA) and returns 429. Use SSO_PAGE_HEADERS on both API calls to stay consistent.

jirinn · 2026-03-19T14:12:01Z

fixes 429 issue for me, now Im able to enter MFA again, but then it fails with 401 Client Error: Unauthorized for url: https://connectapi.garmin.com/oauth-service/oauth/preauthorized?ticket=ST-0204117-QsqjGSiIEdagLgEdqPHa-sso&login-url=https://mobile.integration.garmin.com/gcm/android&accepts-mfa-tokens=true.
garth session ID: 32ebb80208844d3c

papedefer · 2026-03-19T14:20:41Z

Thanks, instantly fixed the project withings-sync 🚀 !
🥇

tobias-goertz mentioned this pull request Mar 19, 2026

Did Garmin change authentication API? cyberjunky/python-garminconnect#332

Open

Use browser headers on login POST and MFA verify

464c1b5

Cloudflare detects the User-Agent switch between the sign-in page (browser UA) and the login POST (GCM-iOS UA) and returns 429. Use SSO_PAGE_HEADERS on both API calls to stay consistent.

tobias-goertz force-pushed the fix/consistent-login-ua branch from fa6f2b6 to 464c1b5 Compare March 19, 2026 12:59

matin merged commit 6c1b537 into matin:main Mar 19, 2026
23 checks passed

coderabbitai bot mentioned this pull request Mar 19, 2026

Remove SSO_PAGE_HEADERS from login POST and MFA verify #218

Open

1 task

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use browser headers on login POST and MFA verify#216

Use browser headers on login POST and MFA verify#216
matin merged 1 commit intomatin:mainfrom
tobias-goertz:fix/consistent-login-ua

tobias-goertz commented Mar 19, 2026 •

edited by coderabbitai bot

Loading

Uh oh!

coderabbitai bot commented Mar 19, 2026 •

edited

Loading

❌ Failed checks (1 warning)

Uh oh!

codecov bot commented Mar 19, 2026 •

edited

Loading

Uh oh!

tobias-goertz commented Mar 19, 2026

Uh oh!

Uh oh!

jirinn commented Mar 19, 2026

Uh oh!

papedefer commented Mar 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

tobias-goertz commented Mar 19, 2026 • edited by coderabbitai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Test plan

Summary by CodeRabbit

Uh oh!

coderabbitai bot commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Possibly related PRs

❌ Failed checks (1 warning)

Uh oh!

codecov bot commented Mar 19, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

tobias-goertz commented Mar 19, 2026

Uh oh!

Uh oh!

jirinn commented Mar 19, 2026

Uh oh!

papedefer commented Mar 19, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

tobias-goertz commented Mar 19, 2026 •

edited by coderabbitai bot

Loading

coderabbitai bot commented Mar 19, 2026 •

edited

Loading

codecov bot commented Mar 19, 2026 •

edited

Loading