[GH-ISSUE #811] Cloudflare Turnstile keeps running checks without ever giving access to downloading #7836

Open
opened 2026-04-21 19:49:54 -05:00 by GiteaMirror · 30 comments
Owner

Originally created by @zhongqiuj1 on GitHub (Oct 6, 2024).
Original GitHub issue: https://github.com/imputnet/cobalt/issues/811

bug description

stuck by "bot protection". it always show " still checking if you're not a bot. wait for the spinner to disappear and try again.

if it takes too long, please let us know! we use cloudflare turnstile for bot protection and sometimes it blocks people for no reason."

reproduction steps

when i paste any URL to start downloading

screenshots

No response

No response

platform information

win10

additional context

No response

Originally created by @zhongqiuj1 on GitHub (Oct 6, 2024). Original GitHub issue: https://github.com/imputnet/cobalt/issues/811 ### bug description stuck by "bot protection". it always show " still checking if you're not a bot. wait for the spinner to disappear and try again. if it takes too long, please let us know! we use cloudflare turnstile for bot protection and sometimes it blocks people for no reason." ### reproduction steps when i paste any URL to start downloading ### screenshots _No response_ ### links _No response_ ### platform information win10 ### additional context _No response_
GiteaMirror added the main instance issue label 2026-04-21 19:49:54 -05:00
Author
Owner

@Zane2b2t commented on GitHub (Oct 21, 2024):

can agree. this didn't happen with old cobalt

<!-- gh-comment-id:2426614796 --> @Zane2b2t commented on GitHub (Oct 21, 2024): can agree. this didn't happen with old cobalt
Author
Owner

@haohaoxiao commented on GitHub (Nov 3, 2024):

+1

<!-- gh-comment-id:2453252120 --> @haohaoxiao commented on GitHub (Nov 3, 2024): +1
Author
Owner

@wukko commented on GitHub (Nov 10, 2024):

we won't turn off bot protection in the foreseeable future, but you can try switching networks, clearing cookies, or using a different browser. we don't control cloudflare turnstile and unfortunately can't help much :(

<!-- gh-comment-id:2466627825 --> @wukko commented on GitHub (Nov 10, 2024): we won't turn off bot protection in the foreseeable future, but you can try switching networks, clearing cookies, or using a different browser. we don't control cloudflare turnstile and unfortunately can't help much :(
Author
Owner

@adeep commented on GitHub (Feb 27, 2025):

we won't turn off bot protection in the foreseeable future, but you can try switching networks, clearing cookies, or using a different browser. we don't control cloudflare turnstile and unfortunately can't help much :(

Hi, i have this turnstile problem on my android/chrome too. I understand you can't prevent this but at least you can add option in settings to manual turnstile for bot prevention like this if you can.
Thanks

Image

<!-- gh-comment-id:2687704769 --> @adeep commented on GitHub (Feb 27, 2025): > we won't turn off bot protection in the foreseeable future, but you can try switching networks, clearing cookies, or using a different browser. we don't control cloudflare turnstile and unfortunately can't help much :( Hi, i have this turnstile problem on my android/chrome too. I understand you can't prevent this but at least you can add option in settings to manual turnstile for bot prevention like this if you can. Thanks ![Image](https://github.com/user-attachments/assets/ccb9fece-93b3-4b26-8a32-1927778091d6)
Author
Owner

@HunterWesley commented on GitHub (Mar 6, 2025):

Turnstile is broken. Unless you think people are bots. In which case, your service is worthless to actual humans.

<!-- gh-comment-id:2702922699 --> @HunterWesley commented on GitHub (Mar 6, 2025): Turnstile is broken. Unless you think people are bots. In which case, your service is worthless to actual humans.
Author
Owner

@wukko commented on GitHub (Mar 6, 2025):

@HunterWesley it’s not broken! it works as intended. all suspicious clients don’t pass the captcha. from what i’ve seen before, if you’re using brave or any other browsers/extensions that break web apis or the regular flow of requests, then it might fail. we don’t control cloudflare turnstile, so we can’t do anything about the actual tests. we also can’t remove the captcha because else it’d allow for abuse of our processing instances that we host for everyone for free.

alternatively, you can host your own processing instance and put it into instance settings.

<!-- gh-comment-id:2702934369 --> @wukko commented on GitHub (Mar 6, 2025): @HunterWesley it’s not broken! it works as intended. all suspicious clients don’t pass the captcha. from what i’ve seen before, if you’re using brave or any other browsers/extensions that break web apis or the regular flow of requests, then it might fail. we don’t control cloudflare turnstile, so we can’t do anything about the actual tests. we also can’t remove the captcha because else it’d allow for abuse of our processing instances that we host for everyone for free. alternatively, you can [host your own processing instance](https://github.com/imputnet/cobalt/blob/main/docs/run-an-instance.md) and put it into [instance settings](https://cobalt.tools/settings/instances#community).
Author
Owner

@gigirassy commented on GitHub (Mar 13, 2025):

Is it possible that you might offer the option to configure alternative captcha options in place of Turnstile, which is often biased, for anyone who wants to host their own Cobalt instance? Like hCaptcha, mCaptcha, reCaptcha, and the like.

<!-- gh-comment-id:2719572620 --> @gigirassy commented on GitHub (Mar 13, 2025): Is it possible that you might offer the option to configure alternative captcha options in place of Turnstile, which is often biased, for anyone who wants to host their own Cobalt instance? Like hCaptcha, mCaptcha, reCaptcha, and the like.
Author
Owner

@Grawl commented on GitHub (Mar 18, 2025):

Its infinite

<!-- gh-comment-id:2733692469 --> @Grawl commented on GitHub (Mar 18, 2025): Its infinite
Author
Owner

@gitcakes commented on GitHub (Mar 20, 2025):

Is it possible that you might offer the option to configure alternative captcha options in place of Turnstile, which is often biased, for anyone who wants to host their own Cobalt instance? Like hCaptcha, mCaptcha, reCaptcha, and the like.

Wondering the same thing! Currently safe-hosting and I have no idea why I'm even concerned by Turnstile?

<!-- gh-comment-id:2741857696 --> @gitcakes commented on GitHub (Mar 20, 2025): > Is it possible that you might offer the option to configure alternative captcha options in place of Turnstile, which is often biased, for anyone who wants to host their own Cobalt instance? Like hCaptcha, mCaptcha, reCaptcha, and the like. Wondering the same thing! Currently safe-hosting and I have no idea why I'm even concerned by Turnstile?
Author
Owner

@ToS0 commented on GitHub (Mar 25, 2025):

I use different browsers, and I even don't get the dialog, just the spinning wheel forever. I use Pi-hole and a VPN, but I am not turning this off!

A better bot protection must be used, and it must be turned off for self-hosting, otherwise the service is completely useless. This is both solvable.

<!-- gh-comment-id:2750955542 --> @ToS0 commented on GitHub (Mar 25, 2025): I use different browsers, and I even don't get the dialog, just the spinning wheel forever. I use Pi-hole and a VPN, but I am not turning this off! A better bot protection must be used, and it must be turned off for self-hosting, otherwise the service is completely useless. This is both solvable.
Author
Owner

@wukko commented on GitHub (Mar 25, 2025):

A better bot protection must be used

such as what exactly? we don't know of any better solutions that are just as effective and don't invade people's privacy

it must be turned off for self-hosting

turnstile is not used for self-hosted instances unless you put turnstile keys into env

<!-- gh-comment-id:2750977553 --> @wukko commented on GitHub (Mar 25, 2025): > A better bot protection must be used such as what exactly? we don't know of any better solutions that are just as effective and don't invade people's privacy > it must be turned off for self-hosting turnstile is not used for self-hosted instances unless you put turnstile keys into env
Author
Owner

@ToS0 commented on GitHub (Mar 25, 2025):

It is not even working when VPN ist temporarily turned off, and Cloudflare DNS is whitelisted. This is what the client-side debugger says:
Image

<!-- gh-comment-id:2750998672 --> @ToS0 commented on GitHub (Mar 25, 2025): It is not even working when VPN ist temporarily turned off, and Cloudflare DNS is whitelisted. This is what the client-side debugger says: ![Image](https://github.com/user-attachments/assets/6dc4d944-e9d9-477e-bc7e-c7d886d1dfe6)
Author
Owner

@wukko commented on GitHub (Mar 25, 2025):

This is what the client-side debugger says: "error code from turnstile: 110200"

Image

are you trying to use the main instance api on self-hosted frontend? it won't work, you have to host your own api instance. see: https://developers.cloudflare.com/turnstile/troubleshooting/client-side-errors/error-codes/

<!-- gh-comment-id:2751005075 --> @wukko commented on GitHub (Mar 25, 2025): > This is what the client-side debugger says: "error code from turnstile: 110200" <img width="762" alt="Image" src="https://github.com/user-attachments/assets/489453db-bc71-424f-80b1-4c6d2600088a" /> are you trying to use the main instance api on self-hosted frontend? it won't work, you have to host your own api instance. see: https://developers.cloudflare.com/turnstile/troubleshooting/client-side-errors/error-codes/
Author
Owner

@ToS0 commented on GitHub (Mar 25, 2025):

Thanks a lot for responding!

A better bot protection must be used

such as what exactly? we don't know of any better solutions that are just as effective and don't invade people's privacy

well, if a captcha worked before, and the automated solution does not, we'd prefer the captcha

it must be turned off for self-hosting

turnstile is not used for self-hosted instances unless you put turnstile keys into env

standard docker, no env vars set at all

<!-- gh-comment-id:2751005546 --> @ToS0 commented on GitHub (Mar 25, 2025): Thanks a lot for responding! > > A better bot protection must be used > > such as what exactly? we don't know of any better solutions that are just as effective and don't invade people's privacy well, if a captcha worked before, and the automated solution does not, we'd prefer the captcha > > > it must be turned off for self-hosting > > turnstile is not used for self-hosted instances unless you put turnstile keys into env standard docker, no env vars set at all
Author
Owner

@wukko commented on GitHub (Mar 25, 2025):

well, if a captcha worked before, and the automated solution does not, we'd prefer the captcha

turnstile is a captcha, but an invisible one in cobalt's case. we've been using it starting from ~late september, nothing changed since.

<!-- gh-comment-id:2751009932 --> @wukko commented on GitHub (Mar 25, 2025): > well, if a captcha worked before, and the automated solution does not, we'd prefer the captcha turnstile *is* a captcha, but an invisible one in cobalt's case. we've been using it starting from ~late september, nothing changed since.
Author
Owner

@ToS0 commented on GitHub (Mar 25, 2025):

well, if a captcha worked before, and the automated solution does not, we'd prefer the captcha

turnstile is a captcha, but an invisible one in cobalt's case. we've been using it starting from ~late september, nothing changed since.

Invisible seems less and less to work. Sometime, after a long time it does, but often not. This became worse with the last weeks / months. No difference between self-hosted or hosted. So visible might be better if you don't have a fix

<!-- gh-comment-id:2751018625 --> @ToS0 commented on GitHub (Mar 25, 2025): > > well, if a captcha worked before, and the automated solution does not, we'd prefer the captcha > > turnstile _is_ a captcha, but an invisible one in cobalt's case. we've been using it starting from ~late september, nothing changed since. Invisible seems less and less to work. Sometime, after a long time it does, but often not. This became worse with the last weeks / months. No difference between self-hosted or hosted. So visible might be better if you don't have a fix
Author
Owner

@wukko commented on GitHub (Mar 25, 2025):

I guess I have the backend running at :9013 and the frontend at :9009

you probably forgot to set the default api url in env variables for frontend

<!-- gh-comment-id:2751019784 --> @wukko commented on GitHub (Mar 25, 2025): > I guess I have the backend running at :9013 and the frontend at :9009 you probably forgot to set the [default api url in env variables](https://github.com/imputnet/cobalt/tree/main/web#:~:text=as%20receiver%20backend.-,WEB_DEFAULT_API,-https%3A//api.cobalt) for frontend
Author
Owner

@ToS0 commented on GitHub (Mar 25, 2025):

I guess I have the backend running at :9013 and the frontend at :9009

you probably forgot to set the default api url in env variables for frontend

I did it in the UI, but obviously it wasn't saved although I clicked on the checkbox. However, did it again and it works without the captcha as expected. Thanks a lot!

So self-hosting is the solution if Turnstile doesn't work. Visible captcha would work for hosted as well. Your call obviously, but thank you, great job!

<!-- gh-comment-id:2751037155 --> @ToS0 commented on GitHub (Mar 25, 2025): > > I guess I have the backend running at :9013 and the frontend at :9009 > > you probably forgot to set the [default api url in env variables](https://github.com/imputnet/cobalt/tree/main/web#:~:text=as%20receiver%20backend.-,WEB_DEFAULT_API,-https%3A//api.cobalt) for frontend I did it in the UI, but obviously it wasn't saved although I clicked on the checkbox. However, did it again and it works without the captcha as expected. Thanks a lot! So self-hosting is the solution if Turnstile doesn't work. Visible captcha would work for hosted as well. Your call obviously, but thank you, great job!
Author
Owner

@wukko commented on GitHub (Mar 25, 2025):

So self-hosting is the solution if Turnstile doesn't work.

you could also use the main frontend (https://cobalt.tools) with the same setting set to your self-hosted backend, with no turnstile ever being loaded!

<!-- gh-comment-id:2751045809 --> @wukko commented on GitHub (Mar 25, 2025): > So self-hosting is the solution if Turnstile doesn't work. you could also use the main frontend (https://cobalt.tools) with [the same setting set to your self-hosted backend](https://cobalt.tools/settings/instances#community), with no turnstile ever being loaded!
Author
Owner

@Grawl commented on GitHub (Mar 26, 2025):

turnstile is a captcha, but an invisible

Recaptcha can be invisible too, but visible when it's not clear to detect a human. And hCaptcha too.

<!-- gh-comment-id:2753131208 --> @Grawl commented on GitHub (Mar 26, 2025): > turnstile _is_ a captcha, but an invisible Recaptcha can be invisible too, but visible when it's not clear to detect a human. And hCaptcha too.
Author
Owner

@wukko commented on GitHub (Mar 26, 2025):

Recaptcha can be invisible too, but visible when it's not clear to detect a human. And hCaptcha too.

neither of them are as privacy-respecting as turnstile. both of them would also cost a lot to use at our scale, while turnstile is free

<!-- gh-comment-id:2753224454 --> @wukko commented on GitHub (Mar 26, 2025): > Recaptcha can be invisible too, but visible when it's not clear to detect a human. And hCaptcha too. neither of them are as privacy-respecting as turnstile. both of them would also cost a lot to use at our scale, while turnstile is free
Author
Owner

@Grawl commented on GitHub (Mar 26, 2025):

yeah we just will wait a minute every time

<!-- gh-comment-id:2753228704 --> @Grawl commented on GitHub (Mar 26, 2025): yeah we just will wait a minute every time
Author
Owner

@wukko commented on GitHub (Mar 26, 2025):

yeah we just will wait a minute every time

that’s simply not true, turnstile solves the challenge within 2 seconds for essentially all users. if it wasn’t the case, this issue would’ve been way more active than it is right now.

are you using a weird browser like brave? have you tried doing any troubleshooting steps that cobalt recommends you to do? i don’t see any info about your specific issue that would let me help you.

<!-- gh-comment-id:2753237498 --> @wukko commented on GitHub (Mar 26, 2025): > yeah we just will wait a minute every time that’s simply not true, turnstile solves the challenge within 2 seconds for essentially all users. if it wasn’t the case, this issue would’ve been way more active than it is right now. are you using a weird browser like brave? have you tried doing any troubleshooting steps that cobalt recommends you to do? i don’t see any info about your specific issue that would let me help you.
Author
Owner

@Grawl commented on GitHub (Mar 26, 2025):

I use Cobalt only on my iPhone

<!-- gh-comment-id:2753366908 --> @Grawl commented on GitHub (Mar 26, 2025): I use Cobalt only on my iPhone
Author
Owner

@HunterWesley commented on GitHub (Apr 26, 2025):

it’s not broken! it works as intended. all suspicious clients don’t pass the captcha. from what i’ve seen before, if you’re using brave or any other browsers/extensions

I'm sorry, I had a useragent which made it never work. It works if I turn it off, which is annoying but fine.

<!-- gh-comment-id:2832146421 --> @HunterWesley commented on GitHub (Apr 26, 2025): > it’s not broken! it works as intended. all suspicious clients don’t pass the captcha. from what i’ve seen before, if you’re using brave or any other browsers/extensions I'm sorry, I had a useragent which made it never work. It works if I turn it off, which is annoying but fine.
Author
Owner

@tropicaaal commented on GitHub (Jun 2, 2025):

I understand that this has already been recommended before, but turnstile's "invisible mode" has far higher false-positive rates compared to just rendering out the capcha in something like a toast. Furthermore, cobalt seems to rerun the turnstile every time the page is loaded, which puts me back through hell even on the rare occasion I can load the site. As someone who primarily uses a VPN when browsing, i've only ever gotten the main instance to pass turnstile like, once or twice. Ever.

I understand that this is totally my burden (I 100% agree that a captcha system is the right decision from an engineering perspective) and that alternatives like hCaptcha are not financially viable at cobalt's scale, but I do think there are a few actionable things that could improve user experience here; notably:

  • Caching the user's authentication state in localStorage or some other temporary persistent storage with an expiry (maybe 30 minutes?) so that turnstile doesn't run on literally every single page load. This wouldn't be viable given turnstile's single-use token architecture, and would probably require a whole auth stack to do properly.
  • Disabling invisible mode or offering a fallback for user-agents deemed "high-risk" by turnstile, to prevent the common occurance of infinite loops when using an unconventional browser or a VPN.
<!-- gh-comment-id:2932391527 --> @tropicaaal commented on GitHub (Jun 2, 2025): I understand that this has already been recommended before, but turnstile's "invisible mode" has *far higher* false-positive rates compared to just rendering out the capcha in something like a toast. Furthermore, cobalt seems to rerun the turnstile every time the page is loaded, which puts me back through hell even on the rare occasion I can load the site. As someone who primarily uses a VPN when browsing, i've only ever gotten the main instance to pass turnstile like, once or twice. *Ever.* I understand that this is totally my burden (I 100% agree that a captcha system is the right decision from an engineering perspective) and that alternatives like hCaptcha are not financially viable at cobalt's scale, but I do think there are a few actionable things that could improve user experience here; notably: - ~~Caching the user's authentication state in localStorage or some other temporary persistent storage with an expiry (maybe 30 minutes?) so that turnstile doesn't run on literally every single page load.~~ This wouldn't be viable given turnstile's single-use token architecture, and would probably require a whole auth stack to do properly. - Disabling invisible mode or offering a fallback for user-agents deemed "high-risk" by turnstile, to prevent the common occurance of infinite loops when using an unconventional browser or a VPN.
Author
Owner

@Excel73 commented on GitHub (Jul 28, 2025):

Happens with me. Google, endless. Android app that's just chrome, endless. Chrome in general, endless. No vpn, doesn't work on my laptop, nothing.

<!-- gh-comment-id:3125432530 --> @Excel73 commented on GitHub (Jul 28, 2025): Happens with me. Google, endless. Android app that's just chrome, endless. Chrome in general, endless. No vpn, doesn't work on my laptop, nothing.
Author
Owner

@rchltmedia commented on GitHub (Aug 19, 2025):

i'm using wifi extenders and always get stuck too long in turnstile checking page. not just you, every single website uses turnstile have these problems. it's infuriates me. i know turnstile does it's job and free but seeking free and open source alternatives maybe a must.

i had fewer problems with other captchas from google, hcaptcha etc. but as you said before, it's all about budget.

<!-- gh-comment-id:3199649432 --> @rchltmedia commented on GitHub (Aug 19, 2025): i'm using wifi extenders and always get stuck too long in turnstile checking page. not just you, every single website uses turnstile have these problems. it's infuriates me. i know turnstile does it's job and free but seeking free and open source alternatives maybe a must. i had fewer problems with other captchas from google, hcaptcha etc. but as you said before, it's all about budget.
Author
Owner

@Malix-Labs commented on GitHub (Aug 27, 2025):

Happens on Chrome on my Android (Nothing Phone (1))

<!-- gh-comment-id:3229759134 --> @Malix-Labs commented on GitHub (Aug 27, 2025): Happens on Chrome on my Android (Nothing Phone (1))
Author
Owner

@koushiroue commented on GitHub (Oct 7, 2025):

failed the cloudflare turnstile infinitely on samsung internet browser

<!-- gh-comment-id:3375107539 --> @koushiroue commented on GitHub (Oct 7, 2025): failed the cloudflare turnstile infinitely on samsung internet browser
Sign in to join this conversation.