authenticating without saved credentials results in account lockout #453

Closed
JessicaS11 opened this issue Feb 8, 2024 · 7 comments

Comments

@JessicaS11
Collaborator

On a fresh pip install of 0.8.2 in a new mamba environment, I'm not getting prompted for authentication when it's needed:

```python
import earthaccess

# example from https://earthaccess.readthedocs.io/en/latest/howto/search-granules/
results = earthaccess.search_data(
    short_name="ATL06",
    version="006",
    cloud_hosted=True,
    bounding_box=(-10, 20, 10, 50),
    temporal=("2020-02", "2020-03"),
    count=100,
)
```

gives:

Authentication with Earthdata Login failed with:
{"error":"invalid_credentials","error_description":"Invalid user credentials"}

without ever prompting for credentials (I do not have environment or .netrc credentials set).

Subsequently calling earthaccess.login() results in the error repeated a few times until the "You have x more attempt(s) before being locked out for 10 minutes. You will not be able to reset your password while locked." piece is added to the error message, culminating in the account being locked. Only after 6+ error messages am I prompted to enter my username and password, by which point I obviously have to wait 10 minutes because my account is locked. Any idea why the prompting is not happening when credentials are not found, BEFORE an attempt is made at authentication? I've had this happen a few times on fresh installs over the past few weeks...

@mfisher87 mfisher87 added the type: bug Something isn't working label Feb 8, 2024
@mfisher87
Collaborator

Jeez, sorry that's happening!

Unfortunately, no ideas from me, and probably no time to debug for around a week. I hope the issue is immediately obvious to someone else so we can do a quick bugfix release!

@betolink
Member

I think we know what's happening; it's a bug that we need to fix, but not as bad as it sounds... I think a while ago we introduced this "eager login" in the top level __init__() and not long ago searches to CMR started to use authenticated sessions. When we import the library and start searching before we do a valid earthaccess.login(), it will try to use empty credentials to log into EDL.

After doing this N times, EDL warns us that we are going to get our account locked out, but the thing is we haven't told EDL who we are; fortunately, this bug won't result in any account being locked by username. We need to fix it though, as we won't want EDL to block us by IP, or if we are users that just want to use earthaccess for searching... that's a valid use too.

@JessicaS11
Collaborator Author

It seems like some kind of lockout IS happening. Here's the (mostly unhelpful) list of error messages being reported out before it finally fails with an AuthError:

{"error":"invalid_credentials","error_description":"Invalid user credentials. You have 1 more attempt before being locked out for 10 minutes. You will not be able to reset your password while locked."}
Authentication with Earthdata Login failed with:
{"error":"invalid_credentials","error_description":"You have exceeded the maximum number of allowed login attempts. User profile has been locked temporarily for 10 minutes."}
Authentication with Earthdata Login failed with:
{"error":"invalid_account_status","error_description":"User [icepyx_devteam] is currently locked. Please wait 10 minutes and try again"}
Authentication with Earthdata Login failed with:
{"error":"invalid_account_status","error_description":"User [icepyx_devteam] is currently locked. Please wait 10 minutes and try again"}

Enter your Earthdata Login username:  icepyx_devteam
Enter your Earthdata password:  ········

Authentication with Earthdata Login failed with:
{"error":"invalid_account_status","error_description":"User [icepyx_devteam] is currently locked. Please wait 10 minutes and try again"}
Authentication with Earthdata Login failed with:
{"error":"invalid_account_status","error_description":"User [icepyx_devteam] is currently locked. Please wait 10 minutes and try again"}
Authentication with Earthdata Login failed with:
{"error":"invalid_account_status","error_description":"User [icepyx_devteam] is currently locked. Please wait 10 minutes and try again"}

@betolink
Member

This is odd. I wonder why it's not picking up the right credentials. Do you have the line of code where this is happening? We'll have to do something in earthaccess regardless; will work on it this evening.

@JessicaS11
Collaborator Author

> Do you have the line of code where this is happening?

Sorry, I don't (I was clearing notebook outputs). I can try to recreate tomorrow; for now I just wanted to note that it does seem like somehow an actual account lock is happening even once I finally do get to login.

@JessicaS11
Collaborator Author

After some more debugging with @betolink, we determined the culprit was a bad local .netrc file that had somehow been populated with an entire page of the correct endpoint and username but password=None, which then inadvertently caused the bad login attempts even though the file was never intentionally created. The origins of the file are a mystery still, and its only contents were the bad edl logins...

tl;dr: If you get repeated authentication failure errors before even attempting to login, check for a rogue .netrc file.

@github-project-automation github-project-automation bot moved this from 🆕 New to ✅ Done in earthaccess project Mar 6, 2024
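
The check suggested in the tl;dr above, as an added example that is not part of the original thread or of the earthaccess code base: it lists every entry a `.netrc` holds for one host, duplicates included, and flags entries whose password is missing or the literal text `None`. The host name `urs.earthdata.nasa.gov`, the function names and the sample file contents are assumptions made for illustration.

```python
from pathlib import Path

KEYWORDS = {"machine", "default", "login", "password", "account", "macdef"}
# Assumption: a password that is absent or the literal text "None"
# (as in the "password=None" report) was never a real credential.
BAD_PASSWORDS = {None, "None"}


def parse_netrc_entries(text):
    """Return every machine/default entry in file order, duplicates included."""
    tokens, entries, i = text.split(), [], 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok == "machine" and nxt is not None:
            entries.append({"machine": nxt, "login": None, "password": None})
            i += 2
        elif tok == "default":
            entries.append({"machine": "default", "login": None, "password": None})
            i += 1
        elif tok in ("login", "password") and entries and nxt not in KEYWORDS:
            entries[-1][tok] = nxt  # stays None when the value is missing
            i += 2 if nxt is not None else 1
        else:
            i += 1
    return entries


def audit_netrc(text, host):
    """Count entries for `host` and how many carry an unusable password."""
    found = [e for e in parse_netrc_entries(text) if e["machine"] == host]
    bad = [e for e in found if e["password"] in BAD_PASSWORDS]
    return {"entries": len(found), "bad_password": len(bad),
            "logins": sorted({e["login"] for e in found if e["login"]})}


# Constructed sample: the same host repeated with an unusable password.
SAMPLE = """\
machine urs.earthdata.nasa.gov login example_user password None
machine urs.earthdata.nasa.gov login example_user password None
machine urs.earthdata.nasa.gov login example_user password
machine other.example login someone password s3cret-value
"""

if __name__ == "__main__":
    print("sample:", audit_netrc(SAMPLE, "urs.earthdata.nasa.gov"))
    path = Path.home() / ".netrc"
    if path.exists():  # report counts only; never print the password itself
        print(path, audit_netrc(path.read_text(), "urs.earthdata.nasa.gov"))
```

A non-zero `bad_password` count for the login host is the condition this thread traced the repeated failures to.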
@mfisher87
Collaborator

Awesome job figuring it out, all!
