Open thisfro opened 7 months ago
This is great. I want to add, that the Authorization: Bearer [token] will probably also be necessary. I assume the call doesn't work if you leave that out.
I'm having issues with PCAPDroid on my phone (because it keeps crashing the Migros App), so this is really appreciated.
Ah yes, the bearer token is most certainly necessary
Migros App
I tried accessing the API with public data of the website, but was not able to get all the necessary cookies. I realized that the app will need to send all of the required cookies to function, thus decrypted the requests.
I used \<REDACTED> to indicate values that I omitted due to privacy reasons.
Dig into the apps logs
Using PCAPdroid I was able to decrypt the apps requests and payloads.
Retrieve a receipt
Using
GET https://mobile-app.migros.ch/app/products/receipts/<REDACTED> HTTP/2.0
with headersI was able to retrieve the reciept
List of reciepts
To get a list of reciepts we can use
https://mobile-app.migros.ch/order/receipts/list/2024-01-01
to getCookies
The
app-login-id
seems to be the most important cookie. I'm not sure if this alone might be enough to access at least some data. It is noteworthy that this cookie is very short lived (couple of minutes). There are other cookies necessary to renew it every so often. This makes the whole approach very cumbersome and not usable for any real-world use for now. If we can figure out the renewal process, it might be a easy way to access the API.