10.2.0 Unauthenticated response when using a cookie

[dnicolson]

Steps to reproduce

1. Run this after copying the cookie from YouTube:

const youtube = await Innertube.create({
	cookie: 'xxx',
});

console.log(await youtube.getPlaylists())

Failure Logs

throw new InnertubeError(`Request to ${response.url} failed with status ${response.status}`, yield response.text());
            ^

InnertubeError: Request to https://www.youtube.com/youtubei/v1/browse?prettyPrint=false&alt=json failed with status 401
    at HTTPClient.<anonymous> (<path>)
    at Generator.next (<anonymous>)
    at fulfilled (/Users/dave/Workspace/node_modules/tslib/tslib.js:166:62)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  info: '{\n' +
    '  "error": {\n' +
    '    "code": 401,\n' +
    '    "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",\n' +
    '    "errors": [\n' +
    '      {\n' +
    '        "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",\n' +
    '        "domain": "global",\n' +
    '        "reason": "unauthorized"\n' +
    '      }\n' +
    '    ],\n' +
    '    "status": "UNAUTHENTICATED"\n' +
    '  }\n' +
    '}\n',
  date: 2024-07-27T20:29:11.248Z,
  version: '10.2.0'
}

Expected behavior

The cookie should function similarly to OAuth authentication.

Current behavior

As documented in #703, there is a difference between no cookies, invalid cookies, and authentic cookies. This doesn't appear to be the case for all endpoints though.

When running in the browser with a Userscript there is no issue. It's not clear what is different as the headers and payload look comparable.

Version

Default

Anything else?

No response

Checklist

• I am running the latest version.
• I checked the documentation and found no answer.
• I have searched the existing issues and made sure this is not a duplicate.
• I have provided sufficient information.

[LuanRT]

The cookies from your browser get rotated after a few minutes, thus becoming invalid. Nothing can be done about that unfortunately.

[dnicolson]

It doesn't seem to be a cookie expiration issue, as the immediate use of cookies also fails. Instead, it appears that browser mechanisms are preventing external clients.

Cookies work in the yt-playlists-delete-enhancer Userscript and I assume the Subscribe to YouTube Playlists browser extension.

It is still interesting that valid browser cookies will give a more populated getHistory() response, seemingly validating the cookie but not entirely.

[dnicolson]

Cookies can work, but these two keys need to be manually copied because they are HttpOnly:

• __Secure-1PSID
• __Secure-1PSIDTS

If these keys are appended to the document.cookie value, requests from Node.js are possible.

Requests from a Userscript or extension on youtube.com work with just document.cookie though.

I wonder if this is documented anywhere, or if it should be?