JodelRaccoons / jodel_api

Unofficial Python Interface to the Jodel API
https://github.com/nborrmann/jodel_api
MIT License

Signed request expected / All Accounts banned at creation #26

Closed ExTBH closed 2 years ago

ExTBH commented 2 years ago

Issue

Secret key got changed ...

Environment

If you're reporting a bug, please attach the output of the following commands:

7.35
b'rYKfoeKQOwMHtBNTrCgvXEvgJBdwAHeZJFVqsBYh'
Steverman commented 2 years ago

Somehow the HMAC calculation seems off. I tested the same requests in BurpSuite (using the HMAC calculator extension) and they work just fine. Even using BurpSuite as a proxy for the python_api works flawlessly. But I can't spot the difference between the two requests:

Signed by BurpSuite:

POST /api/v3/posts/?explorer=False HTTP/1.1
Host: api.jodelapis.com
Accept: */*
Connection: close
User-Agent: Jodel/8.0.1 Dalvik/2.1.0 (Linux; U; Android 16; Pixel 9 Build/AAAA.123456.789)
X-Location: 52.504062;13.386062
X-Timestamp: 2022-07-29T09:54:56Z
Content-Type: application/json; charset=UTF-8
Authorization: Bearer 88495644-abe900e3-ab95baad-b3db-47a4-bee1-ba8e4092bc1a
X-Api-Version: 0.2
X-Client-Type: android_8.0.1
Content-Length: 238
Accept-Encoding: gzip, deflate
X-Authorization: HMAC 50951DEC80310EA812391D5A82A568DAF72E0C73

{"color": "8ABDB0", "location": {"country": "DE", "city": "Berlin", "loc_coordinates": {"lat": 52.504062, "lng": 13.386062}, "loc_accuracy": 15.457}, "ancestor": null, "message": "Hallo zusammen", "channel_id": "5f8ebbb3fd37e500256f7a67"}

which is signed using the following HMAC input parameters:

[+] Signing request to https://api.jodelapis.com:443/api/v3/posts/
  [+] URL parameters: 
  explorer=False
  [+] Timestamp: 2022-07-29T09:54:56Z
  [+] Access token: Bearer 88495644-abe900e3-ab95baad-b3db-47a4-bee1-ba8e4092bc1a
  [+] Location: 52.504062;13.386062
  [+] Constructed HMAC String: POST%api.jodelapis.com%443%/api/v3/posts/%88495644-abe900e3-ab95baad-b3db-47a4-bee1-ba8e4092bc1a%52.504062;13.386062%2022-07-29T09:54:56Z%explorer%False%{"color": "8ABDB0", "location": {"country": "DE", "city": "Berlin", "loc_coordinates": {"lat": 52.504062, "lng": 13.386062}, "loc_accuracy": 15.457}, "ancestor": null, "message": "Hallo zusammen", "channel_id": "5f8ebbb3fd37e500256f7a67"}
  [+] New header:
      Host: api.jodelapis.com
      Accept: */*
      Connection: close
      User-Agent: Jodel/8.0.1 Dalvik/2.1.0 (Linux; U; Android 16; Pixel 9 Build/AAAA.123456.789)
      X-Location: 52.504062;13.386062
      X-Timestamp: 2022-07-29T09:54:56Z
      Content-Type: application/json; charset=UTF-8
      Authorization: Bearer 88495644-abe900e3-ab95baad-b3db-47a4-bee1-ba8e4092bc1a
      X-Api-Version: 0.2
      X-Client-Type: android_8.0.1
      Content-Length: 238
      Accept-Encoding: gzip, deflate
      X-Authorization: HMAC 50951DEC80310EA812391D5A82A568DAF72E0C73

which successfully creates a post. Performing the same request from python:

POST /api/v3/posts/?explorer=False HTTP/1.1
Host: api.jodelapis.com
User-Agent: python-requests / jodel_api 8.0.1 (https://github.com/JodelRaccoons/jodel_api/)
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
Authorization: Bearer 88778679-920de650-805418a1-07b7-40ab-9452-d7fb26cf140c
X-Location: 52.5041;13.3861
X-Client-Type: android_8.0.1
X-Api-Version: 0.2
X-Timestamp: 2022-07-29T09:59:39Z
X-Authorization: HMAC ADDE3B615AFE80B6B2610BEEED98DD138F123F5D
Content-Type: application/json; charset=UTF-8
Content-Length: 238

{"color": "8ABDB0", "location": {"country": "DE", "city": "Berlin", "loc_coordinates": {"lat": 52.504062, "lng": 13.386062}, "loc_accuracy": 15.457}, "ancestor": null, "message": "Hallo zusammen", "channel_id": "5f8ebbb3fd37e500256f7a67"}

with the following input parameters:

HMAC String: POST%api.jodelapis.com%443%/api/v3/posts/%88778679-920de650-805418a1-07b7-40ab-9452-d7fb26cf140c%52.5041;13.3861%2022-07-29T09:59:39Z%explorer%false%{"color": "8ABDB0", "location": {"country": "DE", "city": "Berlin", "loc_coordinates": {"lat": 52.504062, "lng": 13.386062}, "loc_accuracy": 15.457}, "ancestor": null, "message": "Hallo zusammen", "channel_id": "5f8ebbb3fd37e500256f7a67"}
Requesting https://api.jodelapis.com/api/v3/posts/
     Endpoint: /v3/posts/
     Payload: {'color': '8ABDB0', 'location': {'country': 'DE', 'city': 'Berlin', 'loc_coordinates': {'lat': 52.504062, 'lng': 13.386062}, 'loc_accuracy': 15.457}, 'ancestor': None, 'message': 'Hallo zusammen', 'channel_id': '5f8ebbb3fd37e500256f7a67'}
     Method: POST
     Headers: {'User-Agent': 'python-requests / jodel_api 8.0.1 (https://github.com/JodelRaccoons/jodel_api/)', 'Authorization': 'Bearer 88778679-920de650-805418a1-07b7-40ab-9452-d7fb26cf140c', 'X-Location': '52.5041;13.3861', 'X-Client-Type': 'android_8.0.1', 'X-Api-Version': '0.2', 'X-Timestamp': '2022-07-29T09:59:39Z', 'X-Authorization': 'HMAC ADDE3B615AFE80B6B2610BEEED98DD138F123F5D', 'Content-Type': 'application/json; charset=UTF-8', 'Accept-Encoding': 'gzip, deflate'}
     Parameters: {'explorer': False}

returns the 477 unknown.

Couple of things that caught my eye:

springjools commented 2 years ago

Try to use double quotes instead of single ones. I know in a previous project, that this was the issue. Also the format of string/number.

Also in this other project, I remember there was some difference with how you supply the payload to requests. I think it was better to use the json= parameter instead of the data= parameter. See this: https://stackoverflow.com/questions/9733638/how-to-post-json-data-with-python-requests

ExTBH commented 2 years ago

Try to use double quotes instead of single ones. I know in a previous project, that this was the issue. Also the format of string/number.

The quotes make sense. I think I've worked in a file before, I used single or double (don't remember) and it errored.

springjools commented 2 years ago

I think json doesn't support single quotes, or was it requests? Or I may be wrong.

ExTBH commented 2 years ago

Yeah, JSON is sensitive, maybe the Jodel server can't parse it.

Unbrick commented 2 years ago

I replicated two absolutely identical requests... the one in BurpSuite still worked, the one in python did not. Turned out you need to handle the HMAC key passed into the constructor instead of just ignoring it.

Pushed a new version.
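To make the two findings in this thread concrete, Steverman's side-by-side canonical strings and Unbrick's ignored-constructor-key fix, here is an added Python example that is not part of jodel_api or the Jodel service. The keys are constructed placeholders (not the real secret), and `BuggySigner`/`FixedSigner` are hypothetical names for the before/after behaviour.

```python
import hashlib
import hmac
# Constructed placeholder keys; neither is the project's real signing secret.
CALLER_KEY = b"key-supplied-to-constructor"
STALE_DEFAULT_KEY = b"hard-coded-default-key"

def canonical_string(method, host, port, path, token, location, timestamp, params, body):
    # Layout of the '[+] Constructed HMAC String' line in the thread:
    # METHOD%host%port%path%bare-token%lat;lng%timestamp%key%value...%body
    parts = [method, host, str(port), path, token, location, timestamp]
    for key, value in params:
        parts += [key, value]  # value exactly as it is sent in the query string
    parts.append(body)
    return "%".join(parts)

def sign(canonical, key):
    # HMAC-SHA1 over the canonical string, upper-case hex, as in X-Authorization.
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha1).hexdigest().upper()

class BuggySigner:  # hypothetical name: mirrors the defect Unbrick describes
    def __init__(self, key): self.key = key  # accepted from the caller...
    def sign(self, canonical):
        return sign(canonical, STALE_DEFAULT_KEY)  # ...but never used

class FixedSigner:  # hypothetical name: signs with the caller's key
    def __init__(self, key): self.key = key
    def sign(self, canonical):
        return sign(canonical, self.key)

# Body and token copied from the Burp-signed request shown above.
BODY = ('{"color": "8ABDB0", "location": {"country": "DE", "city": "Berlin", "loc_coordinates": {"lat": 52.504062, "lng": 13.386062}, "loc_accuracy": 15.457}, '
        '"ancestor": null, "message": "Hallo zusammen", "channel_id": "5f8ebbb3fd37e500256f7a67"}')
TOKEN = "88495644-abe900e3-ab95baad-b3db-47a4-bee1-ba8e4092bc1a"

def burp_canonical():
    return canonical_string("POST", "api.jodelapis.com", 443, "/api/v3/posts/", TOKEN,
                            "52.504062;13.386062", "2022-07-29T09:54:56Z",
                            [("explorer", "False")], BODY)

def variants():
    base = burp_canonical()
    return {
        "burp": sign(base, CALLER_KEY),
        "lowercase_bool": sign(base.replace("%explorer%False%", "%explorer%false%"), CALLER_KEY),
        "rounded_location": sign(base.replace("%52.504062;13.386062%", "%52.5041;13.3861%"), CALLER_KEY),
        "buggy_signer": BuggySigner(CALLER_KEY).sign(base),
        "fixed_signer": FixedSigner(CALLER_KEY).sign(base),
    }
```

Each deviation seen in the thread (boolean case, rounded coordinates, or a key other than the one the caller supplied) changes the digest on its own, which is why the server can only answer with a generic rejection such as the 477 above.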

ExTBH commented 2 years ago

Looks good

Unbrick commented 2 years ago

Sounds like we can close this issue for now 👍