PromyLOPh / pandora-apidoc

pandora.com API documentation
https://6xq.net/pandora-apidoc/
Do What The F*ck You Want To Public License

REST API - invalid username/password error even with valid credentials #55

Open Behinder opened 2 years ago

Behinder commented 2 years ago

As in topic. Tested in PAW.

hucario commented 2 years ago

Have you read through #45?

Behinder commented 2 years ago

Now I have read this whole discussion, and I understand there is a system against bots that prevents using this API. And the solution is not described in the documentation, and the whole discussion is one year old; a lot of things could have changed during this time. So what is the current state? Which partner login needs to be used for authentication? What are all the header fields required? I had no luck with getting the partner auth token.


hucario commented 2 years ago

OK, so the workaround we figured out is thus:

  • The user auth token (UAT) you get from the JSON api works with the REST api as well
  • log in with the JSON api
  • use the UAT provided by that for the REST api

holdups / possible problem points:

  • the JSON api requires you to have a User-Agent of libcurl. We haven't tested very many others, but we know that one works and browser User-Agents generally don't.
  • the JSON api uses an encryption (more than just using TLS, as this was made before TLS became widely used(!)) for security over insecure connections (i.e. straight HTTP). this is pain. the partner login step doesn't use this, but the user login step does

i'll post working example code Soon™. it'll be Typescript, because that's what I use

Behinder commented 2 years ago

Thanks for the quick response. I am looking forward to your code example. I wanted to write a Pandora client in Swift because why not :)

hucario commented 2 years ago

Alright, here's an implementation ripped straight from hucario/Anesidora:typescript and further lobotomized for just the purpose of getting a UAT. I have tested this precisely 0 times, but it should show what you need to do.

https://gist.github.com/hucario/9ca6b9f6a16d7d9a26573c7ca740ff03

If it helps, here are the typings I use for the Pandora API: https://gist.github.com/hucario/b222408a7d4ed7c2cc18c2878de18332

Behinder commented 2 years ago

Big thanks for the effort. I was trying to convert your code to Swift. This is unfortunately not possible as you use functions like fromCharCode that have no equivalent in Swift. I tried different solutions and once, e.g. for code '44', I got the letter "D", and on the JavaScript MDN page 44 means ",". Swift does not offer the possibility of getting a character from unicode stored in a variable. It's a pity but that's life. I will just use pianobar as long as it's working :)

hacker1024 commented 2 years ago

@Behinder Maybe this is useful to you - I made a cross-platform CLI tool that logs in to Pandora and retrieves an authentication token. It works well programmatically through standard input and output channels.

https://github.com/EpimetheusMusicPlayer/pandora_authenticator

Dart is not the best language for such a tool (the resultant programs are relatively large and slow), but I'm leveraging my existing library so I didn't have much of a choice. It might be a good project to rewrite as I learn Rust - but I can't promise anything.

Behinder commented 2 years ago

Thank you very much for the effort. I learned what you recently discovered, that some programming languages are not suitable for certain tasks. Big appreciation that you were able to finish this CLI tool.

For reasons unknown, dart pub get gives me an error that I cannot connect to GitHub, which is weird as I was able to clone your repo.

hacker1024 commented 2 years ago

Ah, that's because I was using the no-longer-supported git:// protocol - try now. I also have binaries for every platform in the releases.

Behinder commented 2 years ago

It really looks like the API is impossible to use :(

OK, I was able to get a token from your binary, however the token received is invalid. After doing the request I always get:

{
  "errorCode": 1001,
  "errorString": "INVALID_REQUEST",
  "message": "Auth Token is Expired - VIKLISw0a56rHjOglxdTCMUStTA0jpbWChFfyWDkRKa1wCjsywEztEgA=="
}

I am also including in the request the X-CsrfToken taken from a HEAD request:

HTTP/1.1 200 OK
Date: Thu, 08 Sep 2022 13:17:24 GMT
Server: Apache
Content-Type: text/html;charset=utf-8
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
Set-Cookie: v2regbstage=;Path=/;Domain=.pandora.com;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0
Set-Cookie: csrftoken=259fbd3e7ae5a46a;Path=/;Domain=.pandora.com;Secure
Connection: close

So either the auth token is invalid just a few seconds after generation, or the expired cookie invalidates the token.
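
As an added example (not code from this thread or from the pandora-apidoc project), the sketch below parses the two Set-Cookie lines of the HEAD response quoted above, separates cookies the server is clearing from ones it is setting, and builds the Cookie and X-CsrfToken headers for a follow-up request. The function names are illustrative, and returning the csrftoken value in both places is an assumption based on the header the post says it sends.

```typescript
// Added example. The two header values are copied from the HEAD response above.
const setCookieLines: string[] = [
  "v2regbstage=;Path=/;Domain=.pandora.com;Expires=Thu, 01-Jan-1970 00:00:00 GMT;Max-Age=0",
  "csrftoken=259fbd3e7ae5a46a;Path=/;Domain=.pandora.com;Secure",
];

interface ParsedCookie {
  name: string;
  value: string;
  attrs: Map<string, string>; // lower-cased attribute name -> value ("" for flags)
  deleted: boolean; // the server is clearing this cookie, not setting it
  session: boolean; // no Expires/Max-Age: kept until the client discards it
}

function parseSetCookie(line: string, now: Date): ParsedCookie {
  const [pair = "", ...rest] = line.split(";");
  const eq = pair.indexOf("=");
  const name = (eq < 0 ? pair : pair.slice(0, eq)).trim();
  const value = eq < 0 ? "" : pair.slice(eq + 1).trim();
  const attrs = new Map<string, string>();
  for (const part of rest) {
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    if (key) attrs.set(key, i < 0 ? "" : part.slice(i + 1).trim());
  }
  const maxAge = attrs.get("max-age");
  const expires = attrs.get("expires");
  let deleted = false;
  if (maxAge !== undefined && /^-?\d+$/.test(maxAge)) {
    deleted = Number(maxAge) <= 0; // Max-Age wins over Expires (RFC 6265, 5.3)
  } else if (expires !== undefined) {
    const t = Date.parse(expires);
    deleted = !Number.isNaN(t) && t <= now.getTime();
  }
  const session = maxAge === undefined && expires === undefined;
  return { name, value, attrs, deleted, session };
}

// Headers for a follow-up request: live cookies only, with the csrftoken value
// repeated in X-CsrfToken (the header name used in the thread).
function followUpHeaders(lines: string[], now: Date = new Date()): Record<string, string> {
  const live = lines.map((l) => parseSetCookie(l, now)).filter((c) => !c.deleted);
  const headers: Record<string, string> = {
    Cookie: live.map((c) => `${c.name}=${c.value}`).join("; "),
  };
  const csrf = live.find((c) => c.name === "csrftoken");
  if (csrf) headers["X-CsrfToken"] = csrf.value;
  return headers;
}
```

For the response above it reports v2regbstage as cleared (Max-Age=0) and csrftoken as a session cookie with no expiry attribute.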

hucario commented 2 years ago

Alternatively, you could use the JSON API, which - while clumsier - still does work. That's what I use, and I have few problems

Behinder commented 1 year ago

So, using the REST API is not possible :( The JSON API does not work for me either, as I have proven the authToken is invalid; the csrf token got from the HEAD request sets an expired cookie. Thanks for all the help though, one less project out of my head and a lot of time spared.
