Open RinseV opened 3 years ago
It seems Jumbo is using Akamai Bot Manager to protect their API against bots which means it'll be quite hard to bypass this, thus logging in / viewing your orders probably won't be possible any more until there's a workaround. For a similar issue, see here.
I threw a Tweet towards Jumbo's Twitter account, might be worth a shot. If there's no response or nothing of use, I might be able to get hold of another route via someone who owns/runs a Jumbo supermarket.
@MWeesenaar Thank you! I get why they would add bot protection to their API though. The API is only meant to be used in combination with the mobile app.
The only workaround I've found so far is to just hardcode your own Jumbo token into the wrapper since the token does not seem to have an expiry date. Although getting the token can still be quite annoying (you have to use something like mitmproxy to sniff the packets and get the token from the request headers).
If they do decide to open up their API some more, I'll see what I can do with incorporating it into the wrapper.
I haven't received a reply on my Tweet, so I have sent a formal question through their website to ask whether they are interested in talking about possible solutions for having an open(er) API available for the community, rather than the community constantly reverse engineering their mechanisms. I guess it would be a win for both ends. :)
Minor update from my side: I received two emails (16-11 and 22-11) that Jumbo had not forgotten me, but they also have not replied to me with an answer yet. This morning I asked for an update. To be continued.
Did they reply yet?
Nope still not. Last Friday I sent out a DM via Twitter to please get back to me on that dossier - but no reply there either, yet. This Friday I might just call their call center.
Another update: I reached out via Twitter again, they cannot find my original letter towards them, so I explained, again, what my/our question is. Hopefully they might be able to respond.
Thanks for the update! With v2.0.0 you can now initialize the Jumbo object with your access token, allowing you to retrieve your orders once again. Getting your access token is not the easiest thing in the world (you'll need to reverse engineer the app), but luckily the token never expires so once you have it you should be good to go.
Great step forward :) I did a quick Google about reversing an Android app (easier than an iPhone app, I assume) and with some proper tooling it 'should be doable' - last famous words... Were you able to get the access token from the app, or by any other means?
In other news; this morning I got a reply from Jumbo, on Twitter, that they are willing to forward my request to those responsible. To be continued again.. 😄
I got my token from the Android app. You probably want to use a tool like mitmproxy to sniff the requests sent by the app and then grab the token from the X-jumbo-token header sent with every request. This will require you to remove the certificate pinning from the app to allow you to use the proxy, however. Normally you could decompile the app, remove the pinning and rebuild and sign the app. However, I was only able to find .xapk files for the Jumbo app which makes this process a little more difficult.
In the end, I used a combination of root + Magisk + LSPosed to install a module that removes SSL pinning for apps you specify. However, this will require a rooted Android phone.
Just to let you know that I have been experiencing the same issue in https://github.com/peternijssen/home-assistant-jumbo. I've been trying to see if I could mimic the browser login, but no luck so far. You probably need to scrape the login page in order to do so.
You can slightly compare it with the PostNL mentioned earlier and the work around here: https://github.com/ToonSoftwareCollective/postnl
Anyway, following the issue with interest, as I have not been able to get a hold of Jumbo myself.
I am still spamming Jumbo via Twitter. But every new message I send, results in a new empty conversation on their end. So I just screenshotted everything I had communicated with Jumbo, and with quite a few sorry's, they again asked 'the department responsible for this' to contact me. Next step might be 'stalking' employees via LinkedIn 😛
Is there an update for this issue?
I have called Jumbo three times now, and they have forwarded my question to their software department four times already.. So I was thinking of just trying to find another route to get to their IT dept (e.g. via LinkedIn or anything). I just found that they have job openings on the IT front, so it might be worth sending an email to one of their recruiters to try that route. I must say that due to the slowness of Jumbo replying, I tend to forget to post my updates here. Please stalk me if you want me to drop any news.
@MWeesenaar any news? It has been a bit over 6 months and I would love to have this integration work again. If you need help contacting Jumbo (the more people ask them, the bigger the chance they respond, I would say), let me know.
@helmerzNL ; Nope, no official news. I got someone on the inside too now, it seems that it’s not much of a priority. Maybe it is good to get more people pushing. I will ask my contact whether there are HA people within Jumbo willing to help.
Sorry that I don’t have any better news.
No problem at all. They should have an HA community internally, every big company has one (we even have a worldwide one). So, let's hope that the internal HA people will help pushing. Btw, do the other supermarkets have an (open) API that you know?
Let's be honest, they've implemented bot protection for a reason. They aren't going to open up their "private" APIs to some open source projects unfortunately.
Btw, do the other supermarkets have an (open) API that you know?
I have made similar wrappers for other Dutch supermarkets: Albert Heijn, Coop, Plus and Aldi but none of them have any authentication methods included. I tried to include it in the Albert Heijn one but they are using some form of OAuth which, while not as bad as Jumbo's bot protection, I did not really want to bother with.
Keep in mind that you can still authenticate with the Jumbo API, but you'll need your authorization (JWT) token (which never expires). Getting this token however is a bit more complicated...
Is there some news? I noticed that Jumbo updated their security. The auth token from their mobile app expires after some time now.
Yes, Jumbo moved away from long lived access tokens towards auth tokens that have to be refreshed every 24 hours somewhere around the beginning of October last year. It seems they are now using Auth0 with the standard authorization code flow. It's still possible to get a token using the auth flow but it's a significant amount of work to get it working.
I unfortunately don't have the time to add this functionality to this library, but I'm happy to point others in the right direction.
Currently, Jumbo authentication can work because it does not look like there's any bot protection. However, authenticating through the "Jumbo Extra's" app is not as easy since there's a Captcha at every request.
I haven't had contact with Jumbo on this for quite a while. They promised me to come back to me, which never occurred. I could have another poke, soon. Will try to update this thread if I have more information.
Jumbo seems to have changed their API for authenticating or retrieving orders, so currently retrieving your orders is not possible through this wrapper.