
⭐ Google is turning on Two-Step Verification for ALL

jsmorley
Developer
Posts: 22416
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Post by jsmorley »

As of November 25, 2021, Google is going to be forcing all users to set up and use Two-Step Verification (2FA or Multi-Factor Authentication).

This will impact any GMail skins in Rainmeter you might be using.

What you need to do:

1) In your browser, go to your Google Account Settings and select Security from the navigation bar on the left.

2) Under Signing into Google, select App Passwords.

3) Under Select the app and device you want to generate the app password for, choose Select App.

4) Enter some custom name, likely just Rainmeter, and click on Generate.

5) Copy the new password that is generated.

6) Use this new password in the WebParser URL for your skin.

URL=https://#GMailID#:#GMailPassword#@mail.google.com/gmail/feed/atom/

This has no impact on the password you use to sign into Google in your browser or on any of your devices, just Rainmeter, where it can't react to or provide any Two-Step Verification code that is sent to your phone.

While this will not be "forced" until November 25, I recommend just turning on Two-Step Verification now, and getting this app password set up for Rainmeter, so you have time to deal with it before it jumps on you.

If you are distributing skins that access GMail, I strongly recommend that you include some form of these instructions for your end-users.
Jeff
Posts: 239
Joined: September 3rd, 2018, 11:18 am

Post by Jeff »

Mind if I share another still-not-secured-because-important-data-is-in-plaintext method of doing this?
I tried to help someone with 2FA to connect to their Gmail using browser cookies because #GMailID#:#GMailPassword# HTTP authentication just straight up didn't work. We eventually discovered that

Code:

[MeasureWeb]
Measure=WebParser
URL=https://mail.google.com/mail/u/0/feed/atom
Flags=Resync | NoCookies
Header="cookie: #GMailCookie#"
; GMailCookie variable is the "cookie" header from the very first request headers, the request named "atom"
; found by accessing the Dev Console > going to Network Tab > Refreshing the Page

works and also, funny enough, the only reason the cookie header works is because of the previous NoCookies flag.
Only downside to this is that the cookie header is connected to the session, so if you log out of your Google account by accident, you'll need to grab the new cookie again (well, for some crazy privacy people this may be an upside). Hope this Application password thing is permanent.
jsmorley
Developer
Posts: 22416
Joined: April 19th, 2009, 11:02 pm
Location: Fort Hunt, Virginia, USA

Post by jsmorley »

Jeff wrote: November 19th, 2021, 5:45 pm
Mind if I share another still-not-secured-because-important-data-is-in-plaintext method of doing this?
I tried to help someone with 2FA to connect to their Gmail using browser cookies because #GMailID#:#GMailPassword# HTTP authentication just straight up didn't work. We eventually discovered that

Code:

[MeasureWeb]
Measure=WebParser
URL=https://mail.google.com/mail/u/0/feed/atom
Flags=Resync | NoCookies
Header="cookie: #GMailCookie#"
; GMailCookie variable is the "cookie" header from the very first request headers, the request named "atom"
; found by accessing the Dev Console > going to Network Tab > Refreshing the Page

works and also, funny enough, the only reason the cookie header works is because of the previous NoCookies flag.
Only downside to this is that the cookie header is connected to the session, so if you log out of your Google account by accident, you'll need to grab the new cookie again (well, for some crazy privacy people this may be an upside). Hope this Application password thing is permanent.

Do we know what causes the https:// authentication to fail for that user? Is there some additional security setting in Google that disables HTTP authentication from the URL? It certainly works for me. I just replaced my regular password with that generated app password in my URL option in WebParser, and Bob's Your Uncle...

I use a measure like this to read the inbox:

Code:

[MeasureMail]
Measure=WebParser
Flags=Resync | NoCookies
URL=https://#GMailID#:#GMailPassword#@mail.google.com/gmail/feed/atom/
RegExp="(?siU)(.*)$"
UpdateRate=120
DecodeCharacterReference=1

I think the form of the URL is important. You don't want to use the /u/0 form of the call for this. That will depend on cookies.

And I use this to go to the inbox in my browser when I click on the skin:

LeftMouseUpAction=["https://mail.google.com/mail/u/0/?tab=cm#inbox"]

In that case, you do want cookies involved.
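
An added example, not part of the original thread and not Rainmeter's own code: both methods above keep the app password or session cookie in plaintext in the skin, so a check like this can be run over a skin's .ini before it is shared, to confirm that only #Variable# references and empty secret variables ship. The function name, the variable-name patterns it looks for, and the sample skin are assumptions made for illustration.

```python
import re

USERINFO = re.compile(r"https?://([^/@\s]+):([^/@\s]+)@", re.I)  # user:pass@host
VAR_REF = re.compile(r"^#[^#\s]+#$")            # a Rainmeter #Variable# reference
SECRET_NAME = re.compile(r"password|cookie|token", re.I)  # assumed naming habits

def find_embedded_secrets(ini_text):
    """Return [(line_no, reason)] for secrets a skin .ini would ship literally."""
    findings, section = [], ""
    for no, raw in enumerate(ini_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                            # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key, value = key.strip(), value.strip().strip('"')
        if section == "variables":
            if SECRET_NAME.search(key) and value:
                findings.append((no, f"variable {key} has a literal value"))
            continue
        m = USERINFO.search(value)
        if m and not VAR_REF.match(m.group(2)):
            findings.append((no, "URL contains a literal password"))
        if key.lower().startswith("header") and value.lower().startswith("cookie:"):
            cookie = value.split(":", 1)[1].strip()
            if cookie and not VAR_REF.match(cookie):
                findings.append((no, "Header contains a literal cookie"))
    return findings

# Constructed sample skin; every value is a placeholder, not a real credential.
SAMPLE_SKIN = """\
[Variables]
GMailID=someone
GMailPassword=abcdabcdabcdabcd
[MeasureMail]
Measure=WebParser
URL=https://#GMailID#:#GMailPassword#@mail.google.com/gmail/feed/atom/
[MeasureWeb]
Measure=WebParser
URL=https://mail.google.com/mail/u/0/feed/atom
Header="cookie: SID=constructed-value"
"""

if __name__ == "__main__":
    print(*find_embedded_secrets(SAMPLE_SKIN), sep="\n")
```

A skin that passes has an empty GMailPassword= in [Variables] and refers to it only as #GMailPassword#, leaving each end-user to paste in their own app password.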