Somfy-Developer / Somfy-TaHoma-Developer-Mode

A collection of requests to use a local API with Somfy TaHoma gateways

Alternative authorisation #114

Open MikeyMan83 opened 11 months ago

MikeyMan83 commented 11 months ago

Hi all,

I'm using Node-RED in combination with this developer API. This works fine. For a while, that is. At intermittent periods, the token seems to become invalid, and I'm confronted with sunscreens that are not working. This is driving me absolutely mad tbh. Generating and activating a new token, and keeping track of the old ones is too much maintenance for something running on my own network.

I really need a simpler authorisation for local access. Is there any way we can look into this?

Even creating an indefinite token would be better than this.

bjorn085 commented 11 months ago

On my side it seems that the token never expires... I use one that has been OK for at least 6 months. What information makes you think your token becomes invalid due to expiration?

MikeyMan83 commented 11 months ago

It gives an authorisation error after a couple of weeks. Creating a new token solves it. So it must be expiring.

This experience is also built into for instance the domoticz plugin.

iMicknl commented 11 months ago

For me it doesn't expire as well, so not sure what goes wrong in your way. Can you share the link to the specific code / retry logic in the Domoticz plugin?

MikeyMan83 commented 11 months ago

That is very weird... Can I ask you guys for the API call you're using to create the token?

flhoest commented 11 months ago

Creating the token is not an API as such, more an HTTP request capturing a SESSION COOKIE. This is what I'm doing: https://github.com/flhoest/somfy/blob/main/syFramework.php check the first function (function syGetToken), this is a 3-step mechanism.

MikeyMan83 commented 11 months ago

That seems to be the API I'm using as well.

I was curious if that was also using the devmode parameter. And it seems to be. No difference there.

bjorn085 commented 11 months ago

Aren't you talking about 2 different things?

@MikeyMan83, are you indeed talking about the second one?

bjorn085 commented 11 months ago

And to add some elements, I call the generate a token API through Postman, which translates my call this way:

curl --location 'https://ha101-1.overkiz.com/enduser-mobile-web/enduserAPI/config/xxxxxx/local/tokens/' \
    --header 'Content-Type: application/json' \
    --header 'Cookie: JSESSIONID=xxxxxx'

and I get a token that never expires. Same when calling this through GuzzleHttp:

// Client for the cloud API that issues and activates tokens
$this->authClient = new Client([
    'base_uri' => 'https://ha101-1.overkiz.com/enduser-mobile-web/enduserAPI/'
]);

[...]

// Activate the generated token; the session cookie is sent from the cookie jar
$activateTknResponse = $this->authClient->request('POST', 'config/'.$this->POD.'/local/tokens', [
    'headers' => [ 'Content-Type' => 'application/json' ],
    'cookies' => $this->jar,
    'body' => json_encode([ 'label' => $tokenLabel, 'token' => $tokenCreated, 'scope' => 'devmode' ])
]);

MikeyMan83 commented 11 months ago

Thanks for the feedback. I'm manually using postman to do a login, generate and activate call. Haven't automated it (yet). Might be useful to do.

GET /enduser-mobile-web/enduserAPI/config/2017-8871-5701/local/tokens/generate HTTP/1.1
Content-Type: application/json
User-Agent: PostmanRuntime/7.33.0
Accept: */*
Cache-Control: no-cache
Postman-Token: bc7e5210-953d-456b-820c-e0eee2779f8d
Host: ha101-1.overkiz.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: JSESSIONID=E1~F417FB3E094CEEAD10F80D5FA8670851

HTTP/1.1 200 OK
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Cache-Control: no-store, must-revalidate, no-cache, max-age=0
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Thu, 26 Oct 2023 09:03:18 GMT
Server: overkiz

bjorn085 commented 11 months ago

The JSESSIONID will expire. This is not the token. You have to use the JSESSIONID immediately to call generate a token, and to activate it. This token normally never expires, and you don't need to keep and reuse the JSESSIONID.

flhoest commented 11 months ago

This is exactly what I described and do in my function mentioned above ... https://github.com/Somfy-Developer/Somfy-TaHoma-Developer-Mode/issues/114#issuecomment-1772774166

MikeyMan83 commented 11 months ago

Content-Type: application/json
User-Agent: PostmanRuntime/7.33.0
Accept: */*
Cache-Control: no-cache
Postman-Token: bc7e5210-953d-456b-820c-e0eee2779f8d
Host: ha101-1.overkiz.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

So just take that out of the standard API when creating?

tick box is off though.

bjorn085 commented 11 months ago

Sorry but I don't understand your problem indeed.

Let's sum up again. You call https://github.com/Somfy-Developer/Somfy-TaHoma-Developer-Mode#login to get a JSESSIONID. For the moment there seems to be an error on the JSESSIONID, see https://github.com/Somfy-Developer/Somfy-TaHoma-Developer-Mode/issues/113 so just remove the "E1~" from the response you get and paste it in your generate a token call as you seem to do. So no, don't uncheck the cookie box.

In answer to this request, you get a token in the body. Activate it by putting it in the body of the POST request https://github.com/Somfy-Developer/Somfy-TaHoma-Developer-Mode#generate-a-token

This token, once activated, can be used in local calls to your TaHoma and never expires.
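
The generate-and-activate sequence summarised in the comment above, as an added example that is not part of the original thread or the project's code. The function names, the injectable `send` transport, the `{"token": ...}` response shape and all PIN, cookie and token values are assumptions or constructed placeholders; the host, paths and activation body are the ones quoted in this thread.

```python
import json
import urllib.request

# Cloud host and paths as quoted in the thread; PIN, cookie and token values are constructed.
BASE = "https://ha101-1.overkiz.com/enduser-mobile-web/enduserAPI/"

def clean_session_id(raw):
    """Drop the 'E1~' prefix the thread says to remove from JSESSIONID (issue #113)."""
    return raw[3:] if raw.startswith("E1~") else raw

def http_send(method, url, headers, body=None):
    """Default transport: returns (status, parsed JSON); urllib raises HTTPError on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, json.loads(resp.read() or b"{}")

def provision_token(pin, jsessionid, label, send=http_send):
    """Generate and activate a local-API token within one cloud session.

    The session cookie is used for these two calls only and is not returned:
    the activated token is the credential to store for local calls.
    """
    headers = {"Content-Type": "application/json",
               "Cookie": "JSESSIONID=" + clean_session_id(jsessionid)}
    status, generated = send("GET", f"{BASE}config/{pin}/local/tokens/generate", headers)
    if status != 200 or "token" not in generated:
        raise RuntimeError(f"generate failed: HTTP {status}")
    token = generated["token"]
    body = json.dumps({"label": label, "token": token, "scope": "devmode"}).encode()
    status, _ = send("POST", f"{BASE}config/{pin}/local/tokens", headers, body)
    if not 200 <= status < 300:
        raise RuntimeError(f"activate failed: HTTP {status}; token is not usable")
    return token

def fake_cloud(log):
    """Constructed stand-in for the cloud API so the flow runs offline (response shapes assumed)."""
    def send(method, url, headers, body=None):
        log.append((method, url[len(BASE):], headers["Cookie"], body))
        if url.endswith("/generate"):
            return 200, {"token": "constructed-token-0001"}
        return 200, {"requestId": "constructed-request-id"}
    return send

if __name__ == "__main__":
    calls = []
    print(provision_token("0000-0000-0000", "E1~CONSTRUCTEDSESSION", "node-red", fake_cloud(calls)))
    for call in calls:
        print(call)
```

Because the returned token is described here as never expiring, store it like any long-lived secret and give each consumer its own label so a single token can be identified later.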

MikeyMan83 commented 10 months ago

So, based on the hints here, I tried to create and activate a token without the E1~ prefix. This was again working for a while, although this morning I got an 'error undefined'. Created a new one, and it was also working. Not the same error as before, but also not what I was hoping for yet.

bjorn085 commented 10 months ago

Hi, can you explain when and how you get an "error undefined"? When doing what, which API, called how?

And you say when creating a new token, you don't get this error anymore?

Again, I don't think it's a matter of token expiration, the token never expires.

androTS commented 7 months ago

Hi, I'm also struggling with this "token scenario". I'm using Postman and reach the point when I POST the request with the generated token, the response is 400 :( I also removed this prefix value "E2" in the session ID to generate the token as was mentioned in previous posts.... The result I get is an error... What am I doing wrong?

HTTP Status 400 – Bad Request

Regards Andro