MattTW / BlinkMonitorProtocol

Unofficial documentation for the Blink Wire-Free HD Home Monitoring & Alert System

Change in PIN Authentication protocol? #49

Closed JpEncausse closed 2 years ago

JpEncausse commented 3 years ago

Hello, 6 months ago I implemented the protocol and have used it every day with the same UUID in order to handle PINs once and for all.

Since today,

But after a new login attempt I still get a client : { 'verification_required : true' } even if I change the UUID. Does anybody have the same issue?

TECHDUDE2021 commented 3 years ago

YES, having the same problem. Started 3pm EST 1/28/2021. Sends a verification PIN email every 40 minutes when the backup script is being run. I use the PowerShell version of the backup script. I get client verification required true as a response and tried yesterday to add PIN verify code, and the best I got was thumbnails and an unauthorized access 101 error when downloading video clips. Need code in PowerShell language to pass the PIN over to $URI and get the client verified.

JpEncausse commented 3 years ago

I'm on the EU server. I think the problem might be on Blink's side, as if the UUID validation was not recorded. I haven't found a workaround on the client side since the PIN code is sent by mail (I won't parse my mail every time ...)

ChenX1993 commented 3 years ago

Same issue here. Haven't found a workaround yet.

jeff-zacuto commented 3 years ago

I'm guessing this is why my script just hangs? :)

axid2006 commented 3 years ago

Me too - also on EU server :-( Has a workaround been found? :-/ (also get a PIN via mail) Thx

TECHDUDE2021 commented 3 years ago

Man, this is annoying. I have it running through the PowerShell script, which I can edit. Is the Python script having the same issue? Might be time to switch. It needs to authenticate the computer device (i.e. client) with the PIN# just like when a new phone is used. I just do not know how to write something like that. UM HELP!!!

CannyGent commented 3 years ago

Yes - same issue here on e002 tier. I was thinking it is a problem at their end, but my iOS client is not experiencing the same issue, which makes me wonder if the protocol changed somehow?

axid2006 commented 3 years ago

https://github.com/nayrk/Blink/issues/14 this is working FINE! with entering PIN code!

CannyGent commented 3 years ago

> this is working FINE! with entering PIN code!

No, the behaviour has changed. It used to be that providing the 2FA PIN was a 1-time exercise after which you were good but currently a PIN needs to be provided regularly. This is no good for those of us with integrations that run without user input.

CannyGent commented 3 years ago

Ok - I just proxied my Blink traffic on iOS and noticed that it is now hitting a v5 endpoint for the login request... https://rest-prod.immedia-semi.com/api/v5/account/login rather than v4

The PIN is still verified at /api/v4/account/{accountid}/client/{clientid}/pin/verify

I am going to update my code to hit that v5 login and see if that fixes it.

ReuDa commented 3 years ago

I changed my scripts to V5-Login and still getting Auth-Tokens :-(

V5-Login-Response changed a bit, documented here: https://github.com/MattTW/BlinkMonitorProtocol/pull/51

tstibbs commented 3 years ago

I also tried moving to v5, but no difference (but thanks for sharing your findings anyway @Ajdthomson)

I did however get an email from blink saying that they're rolling out 2FA and that I need to enter my phone number to receive pin verifications, so I wonder if this is related in some way - maybe once the pins start arriving via SMS the verify step will actually work. (I would try it out, but the app won't accept my phone number...)

ReuDa commented 3 years ago

Nope, I signed up for SMS-Auth a few days ago. Verify-Pins now coming via SMS instead of mail, but nothing else changed :-(

MicOestergaard commented 3 years ago

Using PINs received via SMS doesn't make a difference.

It seems like the unique_id parameter is ignored.

CannyGent commented 3 years ago

> I also tried moving to v5, but no difference (but thanks for sharing your findings anyway @Ajdthomson)

Yes - I was going to update this thread with my findings too but you beat me to it... same behaviour. I even tried setting the user-agent and headers to be the same as the iOS app but that hasn't worked either. Really hoping Blink fix this!

CannyGent commented 3 years ago

And something else odd I have spotted... so I have a token here retrieved at 2021-02-08T07:27:17... this token is good for https://rest-e002.immedia-semi.com/api/v1/accounts/{myaccountid}/media/changed?since=2021-02-07T20:58:12 but when I then try and grab one of the mp4 files e.g. https://rest-e002.immedia-semi.com/api/v2/accounts/{accountid}/media/clip/566322510.mp4 then I get a 401 Unauthorized response using that exact same token!

ReuDa commented 3 years ago

I have proxied my Blink-App and didn't use the app for a day.

Result: The app sends a login-request with a property: "reauth":true,

I would bet this controls the verify-pins. I will check this and come back. :-)

CannyGent commented 3 years ago

@ReuDa Oh nice work - i must have missed that when I proxied. Sounds promising... will investigate as well.

ReuDa commented 3 years ago

Yepp, tested, seems to work. I will open a PR with the reauth-Flag documented.

tstibbs commented 3 years ago

@ReuDa reauth improves things, but doesn't quite fix it for me. Making multiple logins in short succession only results in a single pin being sent (which is better than before when I was being spammed) however if I leave it 40+ mins (so the pin expires) and then login again, I get sent another pin.

ReuDa commented 3 years ago

@tstibbs Did you ever verify your client? If you still get something like

        "account_verification_required": false,
        "phone_verification_required": false,
        "client_verification_required": true,

from the login-endpoint, you have to call the verify-endpoint. I did this once using a sms-pin, after that I am using the login-endpoint with reauth=true and didn't get any new pins.

JpEncausse commented 3 years ago

Didn't and no longer work for me :-(

  1. I setup my phone number for SMS
  2. I set login url to api/v5
  3. I add reauth : false to my parameters

Then I receive the payload and an SMS for the PIN {"message":"Unauthorized Access","code":101}

  1. I set the previous authtoken
  2. I set the PIN
  3. I perform the PIN Verify
  4. I receive a validated payload {"valid":true,"require_new_pin":false,"message":"Client has been successfully verified","code":1626}

So I assume my third party app is authenticated

  1. I perform a new login with reauth : true
  2. I do not receive the PINs but the payload state {"message":"Unauthorized Access","code":101}

EDIT:

  1. I roll back to api/v4
  2. Perform a login then authenticate with the SMS PINs
  3. Perform a login with "reauth": true (still in v4)

It seems to be OK, the action has been performed and the "reauth": true prevents receiving the Email/SMS

Note: At the beginning of this thread I was receiving the email BUT the action was performed. Adding ONLY "reauth": true prevents receiving the email/PINs

ReuDa commented 3 years ago

@JpEncausse Did you maybe send your Auth-Token to the login-endpoint after the verify? Just in case - You should NOT do. It doesn't work like a refresh-token.

Everything else is exactly as I am doing...

JpEncausse commented 3 years ago

> @JpEncausse Did you maybe send your Auth-Token to the login-endpoint after the verify? Just in case - You should NOT do. It doesn't work like a refresh-token.
>
> Everything else is exactly as I am doing...

Sorry, I fixed/edited my post just before https://github.com/MattTW/BlinkMonitorProtocol/issues/49#issuecomment-776712714

No, I always do a clean login if I don't have an authtoken, otherwise I send my command image

tstibbs commented 3 years ago

> @tstibbs Did you ever verified your client?

Apologies @ReuDa you're right - I had previously verified, but because I had since sent requests without reauth it seems that the previous validations were ignored. Now I've updated my code to send reauth every time, I did have to verify once more, but it appears to persist now.
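The flow the thread converges on (keep one `unique_id`, verify the client once, send `reauth` on every login), as an added example that is not code from any commenter or from the project's documentation. Assumptions: the verification flags and the `account_id`/`client_id` values sit under an `account` key in the login response, the PIN is posted as `{"pin": ...}` with the login token, and the `host` argument and state-file path are hypothetical; the sample responses in use would be the ones the service returns.

```python
import json
import os
import uuid

VERIFY_PATH = "/api/v4/account/{account_id}/client/{client_id}/pin/verify"


def load_unique_id(path):
    """Return the persisted client UUID; create it once, readable by owner only."""
    try:
        with open(path) as fh:
            return json.load(fh)["unique_id"]
    except FileNotFoundError:
        uid = str(uuid.uuid4()).upper()
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            json.dump({"unique_id": uid}, fh)
        return uid


def build_login_body(email, password, unique_id):
    # Posted to /api/v5/account/login. reauth goes out on every login: per the
    # thread, one login without it made the earlier verification be ignored.
    return {"email": email, "password": password,
            "unique_id": unique_id, "reauth": True}


def next_step(status, body, host):
    """Map a login response to the next request. The token is never printed."""
    if status != 200 or "auth" not in body:
        return {"action": "error", "detail": body.get("message", "login failed")}
    headers = {"TOKEN-AUTH": body["auth"]["token"]}
    account = body.get("account", {})  # assumption: flags and ids live here
    if account.get("client_verification_required"):
        url = "https://" + host + VERIFY_PATH.format(
            account_id=account["account_id"], client_id=account["client_id"])
        # assumption: the PIN is then posted to this URL as {"pin": "<pin>"}
        return {"action": "verify_pin", "url": url, "headers": headers}
    return {"action": "ready", "headers": headers}


def pin_accepted(verify_body):
    # Field names as in the verify payload quoted earlier in the thread.
    return verify_body.get("valid") is True and not verify_body.get("require_new_pin")
```
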

strunker commented 3 years ago

This issue is very annoying. And it seems to come and go. reauth:true does seem to have a positive impact, at least for a little while until it ultimately breaks again.

Below is the code I wrote and have been using that seems to work well enough. I updated it for the new v5 auth endpoint. Just annoying, whatever they changed. The v4 code was stable for me for many, many months after writing it and just randomly started breaking at the start of this month, same as it did for all of you. Wish that MFA was optional, or they would finally develop a simple "real" REST API for their product. All I want to be able to do is programmatically arm and disarm my camera, the same way I do my Foscam cams (which by the way have a really good REST API and it's official from the vendor).

The unique ID I use is the same exact UUID that my mobile app uses. I used Fiddler to middle-man the traffic from the mobile app and extract my UUID along with all the below data. Anyway, if you wanted to try it yourself you would need your own unique ID, and there is also an account number that looks to be unique to each person, all of which is listed in the capital X's. I also store my password in a global var called Blink.

Even this function though, as I mentioned earlier, doesn't always work. Sometimes it does, other times I get prompted for MFA, then I simply auth the code inside the app and it goes back to working for a while before breaking again. Very annoying.

I call the below function with either BlinkToggle("arm") or BlinkToggle("disarm").

import json
import os

import requests as api  # the post's `api` object; assumed to be requests or a requests.Session
from colorama import Fore


def BlinkToggle(state):
    # The account password is read from the "Blink" environment variable.
    Blink = os.getenv("Blink")
    authBody = {"app_version":"6.1.6 (9289) #8fee5f53c-mod","password":"{}".format(Blink),"reauth":"true","os_version":"14.4","device_identifier":"iPhone11,8","unique_id":"XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX","client_type":"ios","email":"MYEMAIL@gmail.com","client_name":"iPhone Xr"}
    authheaders = {"host":"rest-prod.immedia-semi.com",'Accept':'*/*','Content-Length':'255','LOCALE':'en_US','Accept-Language':'en-US','User-Agent':'Blink/9289 CFNetwork/1220.1 Darwin/20.3.0','Accept-Encoding':'en-us','APP-BUILD': 'IOS_9289'}
    try:
        # Auth to Blink and get a token. TLS certificate verification stays on
        # (the requests default) because this request carries the account password.
        request = api.post("https://rest-prod.immedia-semi.com/api/v5/account/login",headers=authheaders,data=authBody)
        code = request.status_code
        message = request.text
        jsonData = json.loads(message)
        # .get() so that a failed login reaches the error below instead of a KeyError.
        authToken = jsonData.get("auth", {}).get("token", "")
        # Debug output: this writes the session token to the console.
        print(Fore.YELLOW +  "\nBlink Cam Token: " + authToken)
        if code != 200 or len(authToken) <= 0:
            errorString = "An error has been thrown during camera auth.\nCode: {}\nMessage: {}".format(code,message)
            raise RuntimeError(errorString)
        else:
            # Perform cam action with new token.
            camHeaders = {"host":"rest-u026.immedia-semi.com",'Accept':'*/*',"X-Blink-Time-Zone":"America/New_York",'Content-Length':'0','TOKEN-AUTH': 'PLACEHOLDER','LOCALE':'en_US','Accept-Language':'en-US','User-Agent':'Blink/9289 CFNetwork/1220.1 Darwin/20.3.0','Accept-Encoding':'gzip, deflate, br','APP-BUILD': 'IOS_9289'}
            camHeaders["TOKEN-AUTH"]=authToken
            request = api.post("https://rest-u026.immedia-semi.com/api/v1/accounts/XXXXX/networks/XXXXX/state/{}".format(state),headers=camHeaders)
            code = request.status_code
            message = request.text
            if code != 200:
                errorString = "An error has been thrown during camera command send.\nCode: {}\nMessage: {}".format(code,message)
                raise RuntimeError(errorString)
            else:
                return "Blink Success"
    except Exception as E:
        # Any failure (network, JSON parsing, non-200 status) is returned as a string.
        return "Blink Error: {}".format(str(E))