Cebeerre / pysecuritas

Client to access Securitas Direct Mobile API
MIT License
20 stars, 3 forks

403 Forbidden - New security feature ? #14

Open bactisme opened 1 year ago

bactisme commented 1 year ago

Hello,

Everything was working correctly, but a few days ago I could no longer connect and get my alarm state.

requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://mob2217.securitasdirect.es (...)

If I visit the URL, it seems that they implemented a new security layer, provided by imperva.com.

Is it working for you?

Do we know why? Or how to deal with this security feature?

Cebeerre commented 1 year ago

Hi !

It's indeed not working. Looks like they've finally decommissioned the old API that was being used by the previous version of the mobile app. My assumption is that they're just denying the requests through their WAF (Imperva).

The new mobile app is making use of a different endpoint (https://customers.securitasdirect.es/owa-api/graphql), has been quite rewritten, and they've added 2FA on top, so quite a challenge rewriting the current code ...

BR, Xavi

bactisme commented 1 year ago

Hi,

Are you interested or do you know people that can be interested in building a new library around it? 2FA introduces a complexity, but we should be able to auth API like an APP, what do you think ?

Best,

kdesroches89 commented 1 year ago

Hi all, I am interested in the redevelopment of the API. @Cebeerre, a lot of fork applications are based on yours, including mine in PHP :) Do you think it is possible to see how to manage this complexity of 2FA and be able to reuse the API?

Thanks, best regards

Cebeerre commented 1 year ago

This HomeAssistant component https://github.com/guerrerotook/securitas-direct-new-api already makes use of the new API. The component gets registered as a trusted device through the 2FA and seems to renew the token from time to time so it does not expire. Take a look at the code ...

I've been playing a bit with Node-Red and I've managed to pass the 2FA and get the hash token, but I haven't had time to figure out how to refresh the token as this developer does, so the thing keeps working without having to go through the 2FA again ...

Right now, I don't feel like re-coding this python package ... not sure what @nragon thinks ... he's actually the one that turned this project into proper python code :)