AlexGustafsson / itslearning

A fully async API written in ES6 for the It's Learning platform
https://alexgustafsson.github.io/itslearning/

Any pointers for itslearning.com JSON REST API documentation? #6

Open Schepp opened 3 years ago

Schepp commented 3 years ago

Hey Alex,

finally with COVID, German schools start to go digital, too - hell freezes over. Our city opted for itslearning.com as their platform of choice. As you probably have known for years, the UX of that platform is horrible - especially for kids on elementary school level. Even for us parents it is hard to get an overview of what new task comes in and where things are located. So I had the idea to have a web service support me in not losing track and that's how I discovered your project.

Sadly a lot of things related to the authenticated user don't seem to work any more. If I could guess, I would say this has to do with changes of the REST API on itslearning's side. When I go to their site, all I can find, though, is an XML-(SOAP?)-based API, which uses completely different routes than the one you are using. I can also see traces of a JSON-based REST-API but access was recently blocked and the only place I can dig it up is in the Google Cache.

How did you come up with your interactions? Have you reverse engineered the network traffic from an older iOS-app?

Finally: thank you for open sourcing your work and greetings to Stockholm from Düsseldorf!

AlexGustafsson commented 3 years ago

Hi!

Fortunately for us, we've moved away from itslearning to another platform. Unfortunately this also means I've been out of touch when it comes to their platform for the last few years.

If I remember correctly, I downloaded their app and man-in-the-middled myself to watch the communication between the client and server. I then performed common actions such as searching for my institute, sign in, view news, read messages etc. Looking through the code it indeed seems like the API at one point was sent via JSON, but trying one of the paths it seems to have switched to XML. I don't remember finding any documentation etc. on their API.

You mention that the REST API seems to have been closed. As far as I can see, the API seems to be at least somewhat alive. For example, https://www.itslearning.com/restapi/sites/all/organisations/search/v1?searchText=Düsseldorf returns a list of institutes matching the query. Unfortunately I can no longer authenticate myself, so I cannot check the other APIs.

I'm not sure how far you were able to get with the API, so I'll leave some comments you might already be aware of.

If you want to extract information about the API from this code, I think you could find all the paths I use - such as restapi/personal/notifications/stream/v1 and extract them for further research. Each path is absolute and added to https://www.itslearning.com/. It doesn't seem to be necessary for requests, but the User Agent for the app was itslearningintapp/2.2.0 (com.itslearning.itslearningintapp; build:117; iOS 10.2.1) Alamofire/4.2.0 when I developed this project.

Most of the requests are authenticated with tokens you retrieve using your credentials. The request below is responsible for the actual authentication. The client_id seems to be an ID bound to the app, which might have changed since it was originally implemented. According to a comment in the code I extracted this from the MITM analysis. It is also entirely possible that I misunderstood what it was for when I coded this and that it was bound to my organization somehow which was not apparent by the API requests made by the app. So I assume it's entirely possible that if you find the correct ID, some things will start working in this code.

Here is a curl request you can try to authenticate yourself, given that you find the correct client_id.

curl --request POST \
  --url https://www.itslearning.com/restapi/oauth2/token \
  --header 'content-type: application/x-www-form-urlencoded' \
  --data client_id=10ae9d30-1853-48ff-81cb-47b58a325685 \
  --data grant_type=password \
  --data username=myusername \
  --data password=mypassword

For more context and to ensure that the entire API hasn't changed, I suggest you try to MITM yourself as well to see exactly how various parts of the API are used. If I remember correctly, this was quite a quick procedure and it's probably the best choice if you want to write new code.

One user once mentioned that itslearning may be nice about developers, so you could investigate that lead.

Good luck, and feel free to contribute to this project, or if you develop something similar, drop a link here so that I can refer users there instead as I have no real ability or reason to further update this code myself.
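
A capture of your own client's traffic, as suggested in the comment above, contains your password and tokens in clear text. The following is an added example, not part of the thread or the project: it reduces a HAR-style capture to an endpoint list and masks secrets before anything is pasted into an issue or pull request. The HAR input, the `access_token` query parameter, the `Authorization` header and the `PageSize` parameter are assumptions made for the constructed sample.

```javascript
// Added example (not from the itslearning project): turn a capture of your own
// client's traffic into a shareable endpoint list with secrets redacted.
const SENSITIVE = new Set(['client_id', 'username', 'password', 'access_token', 'refresh_token']);

// Copy form/query parameters, masking the values of sensitive keys.
function redactParams(params) {
  const out = new URLSearchParams();
  for (const [key, value] of params) {
    out.append(key, SENSITIVE.has(key.toLowerCase()) ? 'REDACTED' : value);
  }
  return out.toString();
}

// Reduce one HAR entry to method, host, path and redacted parameters.
function redactEntry(entry) {
  const { method, url, headers = [], postData } = entry.request;
  const parsed = new URL(url);
  const record = { method, host: parsed.host, path: parsed.pathname };
  const query = redactParams(parsed.searchParams);
  if (query) record.query = query;
  const auth = headers.find(h => h.name.toLowerCase() === 'authorization');
  // Keep the scheme (if any) and drop the credential itself.
  if (auth) record.authorization = auth.value.replace(/^(\S+\s+)?.*$/, '$1REDACTED');
  if (postData && postData.mimeType.startsWith('application/x-www-form-urlencoded')) {
    record.body = redactParams(new URLSearchParams(postData.text));
  }
  return record;
}

// Deduplicated "METHOD path" list, sorted so two captures can be diffed.
function endpointInventory(har) {
  const seen = new Set(har.log.entries.map(e => `${e.request.method} ${new URL(e.request.url).pathname}`));
  return [...seen].sort();
}

// Constructed capture: every credential, token and the PageSize parameter are made up.
const sampleHar = { log: { entries: [
  { request: { method: 'POST', url: 'https://www.itslearning.com/restapi/oauth2/token',
    headers: [], postData: { mimeType: 'application/x-www-form-urlencoded',
      text: 'client_id=EXAMPLE-ID&grant_type=password&username=alice&password=p%26ss%3Dw0rd' } } },
  { request: { method: 'GET', headers: [{ name: 'Authorization', value: 'Bearer EXAMPLETOKEN' }],
    url: 'https://www.itslearning.com/restapi/personal/notifications/stream/v1?access_token=EXAMPLETOKEN&PageSize=20' } },
  { request: { method: 'GET', headers: [],
    url: 'https://www.itslearning.com/restapi/personal/notifications/stream/v1?access_token=EXAMPLETOKEN&PageSize=40' } },
] } };

console.log(endpointInventory(sampleHar));
console.log(sampleHar.log.entries.map(redactEntry));
```

Because the inventory is sorted and free of parameter values, it can be diffed between app versions to see which routes appeared or disappeared.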

Schepp commented 3 years ago

Hey Alex,

thank you for your long and kind and very helpful reply! This helps a lot and I'm about to install mitmproxy and listen to the app's communication.

Interestingly, itslearning's REST API is not fully dysfunctional. Authentication still works the same, but then it deviates in the data that gets returned and also in what more detailed methods are available. Once I find out, I will do a pull request.

BTW, here is the link to the Google Cache that shows traces of a former JSON-based REST API documentation: https://webcache.googleusercontent.com/search?q=cache:WOiJDH9ykFsJ:https://www.itslearning.com/restapi/help+&cd=1&hl=de&ct=clnk&gl=de

AlexGustafsson commented 3 years ago

Don't feel required to fit your improvements in with the current code structure or API - feel free to do whatever you think works best. Break things if you have to or want to. Also, feel free to switch over to TypeScript if that's something you're interested in.

Good luck!

jurifm2406 commented 2 months ago

hey, I know it's a very late reply but if you're still interested you can find some API endpoints via Google with this query:

site:itslearning.com inurl:api | site:/rest | site:/v1 | site:/v2 | site:/v3