cowinapi / developer.cowin

This group was created to facilitate technical and integration discussions related to the CoWIN platform. API-related content can be obtained at the API Setu portal: https://apisetu.gov.in/public/marketplace/api/cowin

Caching available slot data is defeating the purpose of public APIs. #273

Open MayankSaxena1988 opened 3 years ago

MayankSaxena1988 commented 3 years ago

Is there any token-based authentication available whereby certain connections can fetch the available slots in real time?

Mitalee commented 3 years ago

Completely agree. No point in having this delay when all slots go out in under 2-5 minutes.

bhabani-sankar-dev commented 3 years ago

The Protected APIs are supposed to give that data in real time, but CoWIN has not made it clear how to use them, as they require an API key for authentication.

kichappa commented 3 years ago

The Protected APIs are supposed to give that data in real time, but CoWIN has not made it clear how to use them, as they require an API key for authentication.

Well, you could look at the XHR tab in developer tools to see how CoWIN uses it. Basically, you get a token when you authenticate with an OTP. You attach this token as a Bearer <token> header while accessing a protected API.

bhabani-sankar-dev commented 3 years ago

Thanks for the reply @kichappa. But I have done what you suggested. The whole process starts with generate OTP, and I get a token on confirm OTP. To use generate OTP, I also have to pass the API key in the "x-api-key" header. On the website they have mentioned the value for this, but only for the test server. My questions are:

1) On the test server, even if I use the token which I get as part of the response to confirm OTP, I still get Unauthenticated Access.
2) Is there a way to use the Protected APIs?

Thanks in advance.

kichappa commented 3 years ago

@bhabani-sankar-dev. Sorry, I hadn't noticed that in their documentation. Nevertheless, after looking at the XHR tab, I came to the following conclusions.

  • The website randomly generates a secret.
  • Fortunately, these secret keys are reusable.

However, I was not able to find any way to generate these keys ourselves. A randomly generated key that matched the prefix and "suffix" always gave me an error:

import requests, secrets

# Fixed prefix and suffix of a captured secret with a random 31-character middle.
# Note that token_urlsafe() uses the URL-safe alphabet (- and _), not the + and /
# of standard base64.
secret = "U2FsdGVkX1/K10bXSsDZI+l05XTwv2Hbo7+jbsk7AY{}DnJPuwHUKOC5A==".format(secrets.token_urlsafe(23))
URL = "https://cdn-api.co-vin.in/api/v2/auth/generateMobileOTP"

# The secret travels in the JSON body; no Authorization header is involved yet.
response = requests.post(URL, json={
    "mobile": "9876543210",
    "secret": secret,
}, headers={
    "accept": "application/json",
    "Accept-Language": "en_US",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
})
print(response.json())

The response always was,

{
    "errorCode":"USRAUT0022", 
    "error":"Invalid Secret Key"
}

As a workaround, using one of the keys used by the Self Registration Portal,

import requests

# A secret captured from the Self Registration Portal's own requests; these are reusable.
secret = "U2FsdGVkX1+TPSV7/E3PENx8ObiaQ9mIov/NO0Ry1mt5O8Awl1Ix+kX68wcBDbBTODj4Ejy3KkeW3n8ZqYhlqA=="
URL = "https://cdn-api.co-vin.in/api/v2/auth/generateMobileOTP"

response = requests.post(URL, json={
    "mobile": "9876543210",
    "secret": secret,
}, headers={
    "accept": "application/json",
    "Accept-Language": "en_US",
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
})

# On success the response carries a txnId for the subsequent OTP validation.
print(response.json())

This gave a useful outcome,

{
    'txnId': 'e04036ef-9ef6-4d27-8329-7362a39dd7fd'
}

Hopefully, this helps.

Update

The secret is generated by a client-side JS file as follows.

const CryptoJS = require("crypto-js");

const user_name = "b5cab167-7977-4df1-8027-a63aa144f04e";
const keys = "CoWIN@$#&*(!@%^&";
// Passphrase mode: CryptoJS derives the AES key and IV from `keys` plus a random
// salt, so the output differs on every call even for the same user_name.
const secret = CryptoJS.AES.encrypt(user_name, keys).toString();
crackedpotato007 commented 3 years ago

@bhabani-sankar-dev. Sorry, I hadn't noticed that in their documentation. Nevertheless, after looking at the XHR tab, I came to the following conclusions.

You passed the secret in the body of your POST request; how do you make a GET request, though?

crackedpotato007 commented 3 years ago

@bhabani-sankar-dev. Sorry, I hadn't noticed that in their documentation. Nevertheless, after looking at the XHR tab, I came to the following conclusions.

I am getting Unauthenticated Access on the schedule endpoint but can generate the OTP; weird. Do you have a Discord?

kichappa commented 3 years ago

I am getting unauthenticated access on schedule endpoint but can generate OTP.

@arnav7633 briefly describe your process, as my code seems to be working for me. Are you passing the bearer_token while doing a schedule POST?

crackedpotato007 commented 3 years ago

@arnav7633 briefly describe your process, as my code seems to be working for me. Are you passing the bearer_token while doing a schedule POST?

OK, so I can send the OTP but not use other endpoints like adding beneficiaries, scheduling, etc. This one doesn't work: https://sourceb.in/sUCZdKCNUX; this one does: https://sourceb.in/fqrJB9fOkN. Please avoid the useless stuff; it's just me testing things out.

crackedpotato007 commented 3 years ago

I am getting unauthenticated access on schedule endpoint but can generate OTP.

@arnav7633 briefly describe your process, as my code seems to be working for me. Are you passing the bearer_token while doing a schedule POST?

No, passing the secret.

crackedpotato007 commented 3 years ago

I am getting unauthenticated access on schedule endpoint but can generate OTP.

@arnav7633 briefly describe your process, as my code seems to be working for me. Are you passing the bearer_token while doing a schedule POST?

I think all the other APIs don't work with the secret; they only use the token, as a wrong secret doesn't give a "wrong secret" error.

crackedpotato007 commented 3 years ago

As we can see, the token is generated from two things, e and this.keys. I know the value of keys, but I don't know what e is: token = CryptoJS.AES.encrypt(e, this.keys).toString()

kichappa commented 3 years ago

@arnav7633

What is e?

My bad, I blatantly copy-pasted their code. I have modified my comment to make it more relevant.

Not passing the secret.

Well, you have to pass the bearer-token in your request headers as follows.

// bearer_token is the token returned by validateMobileOtp. Note the backticks:
// a double-quoted "Bearer ${bearer_token}" is a literal string in JavaScript and
// would send those exact characters to the server.
const headers = {
  "authorization": `Bearer ${bearer_token}`,
  "accept": "application/json",
  "Accept-Language": "en_US",
  "User-Agent":
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
};

The bearer_token is the token that you receive in the response to validateMobileOtp.

crackedpotato007 commented 3 years ago

I thought we didn't need the OTP thing after we have the secret. If we are able to find the value of e, I don't think we will need the API key.

kichappa commented 3 years ago

I thought we didn't need the OTP thing after we have the secret. If we are able to find the value of e, I don't think we will need the API key.

No. The secret is just to generateMobileOTP.

crackedpotato007 commented 3 years ago

Ah, damn. By the way, if any Android app maker wants to help, you can make an app which detects OTP messages and forwards them to, let's say, an Express server to automate the OTP thing.

kichappa commented 3 years ago

@arnav7633 telegram-sms

akhiljay commented 3 years ago

What's the JS file that you are looking into to find the username and the secret?

nikhilms1995 commented 3 years ago

@kichappa Do you mind elaborating how you managed to use telegram-sms to automate OTP generation and logging in using that OTP?

crackedpotato007 commented 3 years ago

I didn't; I had to custom-make an app, as Telegram doesn't allow bots to see other messages sent by bots.
