111 lines
4.4 KiB
Markdown
111 lines
4.4 KiB
Markdown
# OpenAI phone verification long-run + post-phone OAuth pitfalls (2026-05-11)
|
||
|
||
Session-specific notes from a long Codex/CPA onboarding run using ClawEmail + 5sim + visible Chrome/CDP.
|
||
|
||
## Outcome
|
||
|
||
- Account: `chickliu.efxudmrg@claw.163.com`.
|
||
- Phone verification finally received SMS on activation `1007069622`.
|
||
- Successful country: `indonesia` (`+62`).
|
||
- Total real 5sim activations used before SMS success: **335**.
|
||
- `no free phones` was not counted; only bought activation ids counted.
|
||
|
||
## Long-run runner lessons
|
||
|
||
1. For “run until it works”, persist counters in a state file on every bought activation:
|
||
- `current_activation_id`
|
||
- `new_numbers`
|
||
- `total_numbers`
|
||
- `country`
|
||
2. Add a large but explicit safety cap, e.g. `MAX_NEW_NUMBERS=300`, so runaway spend is bounded while still honoring “run until success”.
|
||
3. Always write the latest activation id to `/tmp/current_fivesim_activation_id.txt` so an interrupted runner can check/cancel/finish the order.
|
||
4. CDP `WebSocketTimeoutException` during submit/verification should be treated as **automation failure**, not proof of phone failure. Immediately inspect:
|
||
- runner tail
|
||
- state file
|
||
- current activation id
|
||
- 5sim `/user/check/<activation_id>`
|
||
5. If logs show `sms_received` before the crash, do **not** buy more numbers. Resume code submission against the existing `RECEIVED` activation.
|
||
|
||
## SMS code extraction pitfall
|
||
|
||
The first generic regex `(?<!\d)(\d{4,8})(?!\d)` selected a 4-digit substring from the SMS/order text while OpenAI’s page required exactly 6 characters.
|
||
|
||
Preferred extraction:
|
||
|
||
```python
|
||
cands = re.findall(r'(?<!\d)(\d{6})(?!\d)', text)
|
||
if not cands:
|
||
cands = re.findall(r'(?<!\d)(\d{4,8})(?!\d)', text)
|
||
code = cands[-1] if cands else ''
|
||
```
|
||
|
||
Check the OpenAI page text for “验证码应正好包含 6 个字符” / “code should contain exactly 6 characters” and prefer 6-digit candidates when present.
|
||
|
||
## 5sim finish ordering pitfall
|
||
|
||
If an incorrect/truncated code was submitted but the correct SMS was already retrieved, the order may have been `FINISHED` prematurely. This does not necessarily prevent submitting the correct code to OpenAI if the code is already known, but future runners should only call `/user/finish/<activation_id>` after OpenAI leaves `phone-verification`.
|
||
|
||
## About-you form pitfall
|
||
|
||
OpenAI `about-you` had visible required fields:
|
||
|
||
```text
|
||
input[name=name]
|
||
input[name=age]
|
||
input[name=birthday] hidden
|
||
```
|
||
|
||
A naive loop that wrote `Boss` into all visible inputs left validation errors. Use native React-compatible setters by name:
|
||
|
||
```js
|
||
function setVal(sel, val) {
|
||
const el = document.querySelector(sel);
|
||
const proto = HTMLInputElement.prototype;
|
||
Object.getOwnPropertyDescriptor(proto, 'value').set.call(el, val);
|
||
el.dispatchEvent(new Event('input', {bubbles:true}));
|
||
el.dispatchEvent(new Event('change', {bubbles:true}));
|
||
}
|
||
setVal('input[name=name]', 'Boss');
|
||
setVal('input[name=age]', '35');
|
||
setVal('input[name=birthday]', '1991-01-01');
|
||
```
|
||
|
||
## Consent / workspace pitfall
|
||
|
||
After phone + about-you success, Codex OAuth consent can fail with:
|
||
|
||
```text
|
||
hydra_api_accept_login_request_error
|
||
Workspaces not found in client auth session
|
||
```
|
||
|
||
Observed state:
|
||
|
||
- `auth.openai.com/sign-in-with-chatgpt/codex/consent` showed the account email and a Continue button.
|
||
- Clicking Continue produced “Workspaces not found in client auth session”.
|
||
- Opening `https://chatgpt.com/` in the same profile showed **not logged in** (“登录 / 免费注册”), so ChatGPT workspace/session was not initialized despite OpenAI auth phone completion.
|
||
|
||
Recommended recovery:
|
||
|
||
1. Do not buy more phone numbers; phone verification is done.
|
||
2. Initialize/login ChatGPT in the same visible Chrome profile first.
|
||
3. Then generate a fresh CPA OAuth URL and redo Codex consent.
|
||
4. If password login fails for the freshly created account, avoid stale OAuth states; use a fresh CPA URL and the visible ChatGPT/OpenAI login path. OTP links on stale password pages can return `invalid_state`.
|
||
|
||
## CDP navigation pitfall
|
||
|
||
`Runtime.evaluate(... awaitPromise=True)` around a click that navigates may fail with:
|
||
|
||
```text
|
||
Inspected target navigated or closed
|
||
```
|
||
|
||
For navigation clicks, prefer:
|
||
|
||
1. Inspect current DOM.
|
||
2. Execute a non-awaited click (`awaitPromise=False`) or dispatch input/click and close the websocket.
|
||
3. Sleep briefly.
|
||
4. Reattach to the current tab via `/json/list` and inspect the new URL.
|
||
|
||
This avoids treating a normal navigation as a fatal browser failure.
|