Open hacker1024 opened 3 years ago
I worked it out - the device is associated with the user like so:
Method
`user.associateDevice`
Request (encrypted)
```json
{
  "deviceId": "<deviceId>"
}
```
Response
```json
{
  "stat": "ok"
}
```
Leaving this issue open as this can be added to the documentation.
The official Android app can reauthenticate without storing the username and password, but I'm unable to do so myself. It'd be great if we could work this out, and add it to the documentation. Below are my findings after exploring the login system.
Login types
There are four `loginType` values that can be used with `auth.userLogin`: `user`, `deviceId`, `accessToken`, and `firstIntroToken`.
`user` logs in with a username and password. An example request, with all the common user response parameters removed, looks like this:
This login type is used by the Pandora Android app when a user first logs in, but not for subsequent logins. To reauthenticate expired sessions, and log in from storage, the app uses the `deviceId` type, which looks like this:
As you can see, no loginType-specific user-specific information is required with this login type. Instead, the backend uses the `deviceId` value sent in every type of login request to authenticate the user.
The `deviceId`
The `deviceId` used is generated with [`UUID.randomUUID()`](https://developer.android.com/reference/java/util/UUID?hl=en#randomUUID()) and stored upon first access. The same value is then used for all relevant API requests.
The initial Pandora Android login flow
When the Android app launches for the first time, it does the following:
`auth.partnerLogin`
`firstintroduction.v2.startFirstIntroduction`
`.../services/json/?method=...`.
`deviceId` is sent in this request, but I don't think this matters due to the next response.
`deviceId` login type
`deviceNotFound`.
`user` login type
Reauthentication
When an authentication token expires, subsequent API requests will fail with error 1001 (`invalidAuthToken`). When this happens, the official Android app will reauthenticate with the `deviceId` login type.
Additionally, the `deviceId` login type is used on startup when the user is signed in. The username and password aren't stored.
The issue
When I try to reauthenticate with the `deviceId` login type, it always fails with an error 1009 - even after I log in with `user` and provide the same `deviceId`.
It looks like the Android app is somehow registering the device with Pandora, so reauthentication can be done. This must be happening somewhere in between step 3 of the login flow and reauthentication, but I can't work out how it works.
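The flow described in this issue, as an added example that is not part of the original post or of any Pandora or documentation-project code: a client that logs in once with `user`, calls `user.associateDevice`, and afterwards recovers from error 1001 using only the stored `deviceId`. The `FakeBackend` is constructed and models only the behaviour reported here (1001 on an expired token, 1009 for a `deviceId` that was never associated); `username`, `password`, `userAuthToken`, the class and constant names, and the omission of partner login and request encryption are assumptions.

```python
# Added example. FakeBackend is a constructed stand-in; names not in the issue are assumptions.
import uuid
INVALID_AUTH_TOKEN = 1001   # invalidAuthToken in the issue
DEVICE_LOGIN_FAILED = 1009  # code reported in the issue; the constant name is hypothetical

class FakeBackend:
    def __init__(self):
        self.devices, self.sessions = {}, {}  # deviceId -> user, auth token -> user

    def _session(self, username):
        token = uuid.uuid4().hex
        self.sessions[token] = username
        return {"stat": "ok", "result": {"userAuthToken": token}}

    def call(self, method, body, token=None):
        if method == "auth.userLogin":
            if body["loginType"] == "user":  # password check left out of the stand-in
                return self._session(body["username"])
            owner = self.devices.get(body["deviceId"])  # loginType "deviceId"
            return self._session(owner) if owner else {"stat": "fail", "code": DEVICE_LOGIN_FAILED}
        if token not in self.sessions:
            return {"stat": "fail", "code": INVALID_AUTH_TOKEN}
        if method == "user.associateDevice":
            self.devices[body["deviceId"]] = self.sessions[token]
        return {"stat": "ok"}

class Client:
    def __init__(self, backend, device_id):
        self.backend, self.device_id, self.token = backend, device_id, None

    def login(self, username, password):
        # First login: credentials are sent once, then the device is associated.
        body = {"loginType": "user", "username": username, "password": password,
                "deviceId": self.device_id}
        self.token = self.backend.call("auth.userLogin", body)["result"]["userAuthToken"]
        return self.backend.call("user.associateDevice", {"deviceId": self.device_id}, self.token)

    def reauthenticate(self):
        # Only the stored deviceId is sent; no username or password is kept.
        reply = self.backend.call("auth.userLogin", {"loginType": "deviceId", "deviceId": self.device_id})
        if reply["stat"] == "ok":
            self.token = reply["result"]["userAuthToken"]
        return reply

    def request(self, method, body):
        reply = self.backend.call(method, body, self.token)
        if reply.get("code") == INVALID_AUTH_TOKEN and self.reauthenticate()["stat"] == "ok":
            reply = self.backend.call(method, body, self.token)  # retry once with the new token
        return reply
```

Because the `deviceId` alone is enough to obtain a new session once it is associated, a client that stores it should protect it like any other long-lived credential.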