mirror of
https://github.com/imputnet/cobalt.git
synced 2026-07-17 20:42:39 -05:00
[GH-ISSUE #811] Cloudflare Turnstile keeps running checks without ever giving access to downloading #9324
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @zhongqiuj1 on GitHub (Oct 6, 2024).
Original GitHub issue: https://github.com/imputnet/cobalt/issues/811
bug description
stuck by "bot protection". it always show " still checking if you're not a bot. wait for the spinner to disappear and try again.
if it takes too long, please let us know! we use cloudflare turnstile for bot protection and sometimes it blocks people for no reason."
reproduction steps
when i paste any URL to start downloading
screenshots
No response
links
No response
platform information
win10
additional context
No response
@Zane2b2t commented on GitHub (Oct 21, 2024):
can agree. this didn't happen with old cobalt
@haohaoxiao commented on GitHub (Nov 3, 2024):
+1
@wukko commented on GitHub (Nov 10, 2024):
we won't turn off bot protection in the foreseeable future, but you can try switching networks, clearing cookies, or using a different browser. we don't control cloudflare turnstile and unfortunately can't help much :(
@adeep commented on GitHub (Feb 27, 2025):
Hi, i have this turnstile problem on my android/chrome too. I understand you can't prevent this but at least you can add option in settings to manual turnstile for bot prevention like this if you can.
Thanks
@HunterWesley commented on GitHub (Mar 6, 2025):
Turnstile is broken. Unless you think people are bots. In which case, your service is worthless to actual humans.
@wukko commented on GitHub (Mar 6, 2025):
@HunterWesley it’s not broken! it works as intended. all suspicious clients don’t pass the captcha. from what i’ve seen before, if you’re using brave or any other browsers/extensions that break web apis or the regular flow of requests, then it might fail. we don’t control cloudflare turnstile, so we can’t do anything about the actual tests. we also can’t remove the captcha because else it’d allow for abuse of our processing instances that we host for everyone for free.
alternatively, you can host your own processing instance and put it into instance settings.
@gigirassy commented on GitHub (Mar 13, 2025):
Is it possible that you might offer the option to configure alternative captcha options in place of Turnstile, which is often biased, for anyone who wants to host their own Cobalt instance? Like hCaptcha, mCaptcha, reCaptcha, and the like.
@Grawl commented on GitHub (Mar 18, 2025):
Its infinite
@gitcakes commented on GitHub (Mar 20, 2025):
Wondering the same thing! Currently safe-hosting and I have no idea why I'm even concerned by Turnstile?
@ToS0 commented on GitHub (Mar 25, 2025):
I use different browsers, and I even don't get the dialog, just the spinning wheel forever. I use Pi-hole and a VPN, but I am not turning this off!
A better bot protection must be used, and it must be turned off for self-hosting, otherwise the service is completely useless. This is both solvable.
@wukko commented on GitHub (Mar 25, 2025):
such as what exactly? we don't know of any better solutions that are just as effective and don't invade people's privacy
turnstile is not used for self-hosted instances unless you put turnstile keys into env
@ToS0 commented on GitHub (Mar 25, 2025):
It is not even working when VPN ist temporarily turned off, and Cloudflare DNS is whitelisted. This is what the client-side debugger says:

@wukko commented on GitHub (Mar 25, 2025):
are you trying to use the main instance api on self-hosted frontend? it won't work, you have to host your own api instance. see: https://developers.cloudflare.com/turnstile/troubleshooting/client-side-errors/error-codes/
@ToS0 commented on GitHub (Mar 25, 2025):
Thanks a lot for responding!
well, if a captcha worked before, and the automated solution does not, we'd prefer the captcha
standard docker, no env vars set at all
@wukko commented on GitHub (Mar 25, 2025):
turnstile is a captcha, but an invisible one in cobalt's case. we've been using it starting from ~late september, nothing changed since.
@ToS0 commented on GitHub (Mar 25, 2025):
Invisible seems less and less to work. Sometime, after a long time it does, but often not. This became worse with the last weeks / months. No difference between self-hosted or hosted. So visible might be better if you don't have a fix
@wukko commented on GitHub (Mar 25, 2025):
you probably forgot to set the default api url in env variables for frontend
@ToS0 commented on GitHub (Mar 25, 2025):
I did it in the UI, but obviously it wasn't saved although I clicked on the checkbox. However, did it again and it works without the captcha as expected. Thanks a lot!
So self-hosting is the solution if Turnstile doesn't work. Visible captcha would work for hosted as well. Your call obviously, but thank you, great job!
@wukko commented on GitHub (Mar 25, 2025):
you could also use the main frontend (https://cobalt.tools) with the same setting set to your self-hosted backend, with no turnstile ever being loaded!
@Grawl commented on GitHub (Mar 26, 2025):
Recaptcha can be invisible too, but visible when it's not clear to detect a human. And hCaptcha too.
@wukko commented on GitHub (Mar 26, 2025):
neither of them are as privacy-respecting as turnstile. both of them would also cost a lot to use at our scale, while turnstile is free
@Grawl commented on GitHub (Mar 26, 2025):
yeah we just will wait a minute every time
@wukko commented on GitHub (Mar 26, 2025):
that’s simply not true, turnstile solves the challenge within 2 seconds for essentially all users. if it wasn’t the case, this issue would’ve been way more active than it is right now.
are you using a weird browser like brave? have you tried doing any troubleshooting steps that cobalt recommends you to do? i don’t see any info about your specific issue that would let me help you.
@Grawl commented on GitHub (Mar 26, 2025):
I use Cobalt only on my iPhone
@HunterWesley commented on GitHub (Apr 26, 2025):
I'm sorry, I had a useragent which made it never work. It works if I turn it off, which is annoying but fine.
@tropicaaal commented on GitHub (Jun 2, 2025):
I understand that this has already been recommended before, but turnstile's "invisible mode" has far higher false-positive rates compared to just rendering out the capcha in something like a toast. Furthermore, cobalt seems to rerun the turnstile every time the page is loaded, which puts me back through hell even on the rare occasion I can load the site. As someone who primarily uses a VPN when browsing, i've only ever gotten the main instance to pass turnstile like, once or twice. Ever.
I understand that this is totally my burden (I 100% agree that a captcha system is the right decision from an engineering perspective) and that alternatives like hCaptcha are not financially viable at cobalt's scale, but I do think there are a few actionable things that could improve user experience here; notably:
Caching the user's authentication state in localStorage or some other temporary persistent storage with an expiry (maybe 30 minutes?) so that turnstile doesn't run on literally every single page load.This wouldn't be viable given turnstile's single-use token architecture, and would probably require a whole auth stack to do properly.@Excel73 commented on GitHub (Jul 28, 2025):
Happens with me. Google, endless. Android app that's just chrome, endless. Chrome in general, endless. No vpn, doesn't work on my laptop, nothing.
@rchltmedia commented on GitHub (Aug 19, 2025):
i'm using wifi extenders and always get stuck too long in turnstile checking page. not just you, every single website uses turnstile have these problems. it's infuriates me. i know turnstile does it's job and free but seeking free and open source alternatives maybe a must.
i had fewer problems with other captchas from google, hcaptcha etc. but as you said before, it's all about budget.
@Malix-Labs commented on GitHub (Aug 27, 2025):
Happens on Chrome on my Android (Nothing Phone (1))
@koushiroue commented on GitHub (Oct 7, 2025):
failed the cloudflare turnstile infinitely on samsung internet browser