joanbm/full-offline-backup-for-todoist

401 - during the file attachment download

Closed this issue · 4 comments

Hi,

When I call the script with:
main.py --verbose download --with-attachments --token xxxx

I get a zip file and also CSV files for my Todoist projects. But when the script wants to download attachments, I get a 401 Unauthorized.

Is this a bug?

Hi,

Thanks for your report. I saw this problem recently, since my regular backups failed, but (wrongly) didn't report it in the issue tracker here on GitHub.

Yes, this is a bug, which is due to a change in how Todoist handles attachments. Long story short, Todoist's attachment links used to require no authentication, i.e. you could give anybody else a link to an attachment, and they would be able to access it without any login required. However, recently, they added an extra layer of security that requires you to be logged in in order to access the contents. This utility doesn't currently handle this, hence the error message if you try to download the newer attachments.

I took a look at how to fix this recently, and it's not exactly trivial, because as far as I have been able to see, having an API token isn't a valid authentication to download Todoist's attachments, only the cookie your browser gets when logging in.

I will take a look this weekend to see if the situation has changed with respect to the API, or otherwise, if there is no other way, see if it's viable to implement a "hack" to authenticate like the browser does.

Regards,

  • Joan

Hi,

I have a quick fix/workaround for this... I still haven't had time to test it thoroughly, so I haven't made a new release yet, but it's committed to the repository, so you can download and try it.

It's not pretty, because I haven't found any way to download the attachments through Todoist's API. What the workaround does is basically simulate authentication through the regular user login page. So, it needs your real username and password, unfortunately.

Right now, for it to work, you have to call it like this, including all three parameters: Token, username and password:

full_offline_backup_for_todoist --verbose download --with-attachments --token 0123456789abcdef --email my@email.com --password P4ssw0rd

I'll polish it more when I get some time and make a release.

Regards,

  • Joan

EDIT 2019-10-31: If anyone is reading this, prefer giving the credentials using interactive console input or (carefully) using the TODOIST_TOKEN, TODOIST_EMAIL and TODOIST_PASSWORD environment variables, instead of the command line parameters mentioned above. In Linux, command line parameters are typically logged (e.g. .bash_history) and can be observed by any process by any user running on the same machine while the process is running.
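The advice in the edit above, as an added example that is not the project's own code: a loader that takes each credential from the TODOIST_TOKEN, TODOIST_EMAIL and TODOIST_PASSWORD environment variables, falls back to a console prompt, and refuses secrets passed as command line parameters. The function names and the prompt wording are assumptions made for this sketch.

```python
import getpass
import os
import sys

# Environment variable names are taken from the comment above; the flag names
# come from the command line shown earlier in this thread.
ENV_FOR_FLAG = {
    "--token": "TODOIST_TOKEN",
    "--email": "TODOIST_EMAIL",
    "--password": "TODOIST_PASSWORD",
}
SECRET_FLAGS = ("--token", "--password")


def secrets_on_command_line(argv):
    """Return the secret-bearing flags present in argv ('--f v' or '--f=v')."""
    found = []
    for arg in argv:
        flag = arg.split("=", 1)[0]
        if flag in SECRET_FLAGS and flag not in found:
            found.append(flag)
    return found


def resolve_credentials(env=None, prompt=input, secret_prompt=getpass.getpass):
    """Take each credential from the environment, else ask on the console."""
    env = os.environ if env is None else env
    creds = {}
    for flag, var in ENV_FOR_FLAG.items():
        value = env.get(var)
        if not value:
            # getpass does not echo, so the secret stays off the screen too.
            ask = secret_prompt if flag in SECRET_FLAGS else prompt
            value = ask(f"{var}: ")
        if not value:
            raise ValueError(f"missing credential {var}")
        creds[var] = value
    return creds


if __name__ == "__main__":
    exposed = secrets_on_command_line(sys.argv[1:])
    if exposed:
        sys.exit(f"refusing {', '.join(exposed)} on the command line; "
                 "use the environment or the interactive prompt")
    creds = resolve_credentials()
    print("loaded:", ", ".join(sorted(creds)))
```

Environment variables are still readable by the same user's other processes, which is why the comment says to use them carefully; the interactive prompt avoids both the shell history and the process list.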

Thank you very much for this project @joanbm! Not sure when it happened, though: attachment download with bearer token now works for me:

$ curl -H "Authorization: Bearer <token>" https://files.todoist.com/...
...
< HTTP/2 302 
< location: https://d1ysz50cxb9zwl.cloudfront.net/wRGPV...

HTH!

@filippog Thank you very much for the heads up! I have just tested it and indeed, it appears that the workaround that was needed to download some attachments some time ago, is no longer needed (I see that they also changed the domain of all attachments to https://files.todoist.com/..., IIRC, it used to be an AWS/CloudFront domain instead, at least sometimes).

I will try to find some time to remove it and clean up the documentation.