Skip to content

HTTP/WS driver throws ClearanceRequired even though cf_clearance is present in token.json #35

Description

@c8dhjp4tyv-bit

The pure HTTP/WebSocket driver (copilot/driver.py) fails with ClearanceRequired, even after clearance is successfully refreshed and cf_clearance is confirmed present in session/token.json.
Steps to reproduce:

python -m copilot login (via Google account) — succeeds, cf_clearance earned and saved.
python tests/diagnostic.py — the browser-based live protocol capture works flawlessly every time (real chat replies received over wss://copilot.microsoft.com/c/api/chat).
The HTTP driver probe in the same diagnostic run fails:

auto_clear reports clearance: warm-up reply received — gate passed and clearance refreshed
Retry (attempt 2/2) immediately fails again with ClearanceRequired

Installing the missing websockets package (noted as NOT INSTALLED in the diagnostic env section) fixed the cookie snapshot (cf_clearance now shows present in token.json), but the HTTP driver still throws the same error afterward.

Environment:

OS: Fedora 45 (Rawhide), Linux 7.2.0
Python 3.15.0b3
curl_cffi 0.15.0, playwright 1.61.0, websockets 16.0
Signed in via Google account (consumer Microsoft account)
No VPN/proxy in use

Traceback:
Traceback (most recent call last):
File "copilot/client.py", line 234, in chat
for item in s:
File "copilot/client.py", line 68, in iter
for item in self._chunks:
File "copilot/client.py", line 182, in _stream_with_recovery
for item in self._driver.create_completion(prompt, **kw):
File "copilot/driver.py", line 172, in create_completion
yield from self._read_stream(wss, send_frame, timeout)
File "copilot/driver.py", line 217, in _read_stream
raise ClearanceRequired(...)
copilot.driver.ClearanceRequired: Copilot chat is gated behind a Cloudflare Turnstile (challenge method=None); cf_clearance is stale or missing.
Full diagnostic_report.txt attached (secrets redacted by the tool).
It looks like the browser-based WSS connection (used in the live protocol capture) consistently succeeds, but the driver's own WSS/HTTP connection (via curl_cffi) is rejected even with a fresh, present cf_clearance cookie — possibly a TLS fingerprint mismatch or cookie-passing issue between the browser-earned clearance and the curl_cffi client.

diagnostic_report.txt

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions