hanscappelle / my-luminus-integration

A Home Assistant integration for the My Luminus mobile API
MIT License

Authentication workflow not working #35

Open Gfeuillen opened 9 months ago

Gfeuillen commented 9 months ago

System Health details

Logs from HA

```
homeassistant | 2024-02-20 13:26:42.915 DEBUG (MainThread) [custom_components.my_luminus_integration] received error is 404, message='Not Found', url=URL('https://mobileapi.luminus.be/token')
homeassistant | 2024-02-20 13:26:42.919 ERROR (MainThread) [custom_components.my_luminus_integration] Error fetching information
```

Checklist

Describe the issue

The token endpoint in the auth flow produces a 404

https://mobileapi.luminus.be/token

Reproduction steps

  1. Install the integration
  2. Try to log in

Debug logs

```
homeassistant  | 2024-02-20 13:26:42.915 DEBUG (MainThread) [custom_components.my_luminus_integration] received error is 404, message='Not Found', url=URL('https://mobileapi.luminus.be/token')
homeassistant  | 2024-02-20 13:26:42.919 ERROR (MainThread) [custom_components.my_luminus_integration] Error fetching information
```

Diagnostics dump

No response

hanscappelle commented 9 months ago

Indeed they changed the logon procedure. I'll have to check in code what needs to be updated. Thanks for reporting

hanscappelle commented 9 months ago

So they completely changed logon. Now they redirect to a website where you perform the logon and then the app is opened again via deeplink. I'll need more time to look into reversing this.

hanscappelle commented 9 months ago

The original implementation would use this API, for example to retrieve status:

https://mobileapi.luminus.be/api/v11/GetApplicationStatus

Those are still in place so I guess fetching details will still work once logon is fixed. Logon is now using:

https://login.luminus.be/u/login/identifier?state=SOME_HASH&ui_locales=nl

rendering a login form (screenshot: Screenshot_20240302_074656).

Eventually redirecting to a password login screen with

https://login.luminus.be/u/login/password?state=SOME_HASH&ui_locales=nl

Actual login is done with this request

https://login.luminus.be/u/login/password?state=SOME_HASH&ui_locales=nl

with URL-encoded input params

```
state=SOME_HASH
username=YOUR_USERNAME(email)
password=YOUR_PASSWORD
action=default
```

Response is a redirect to

https://login.luminus.be/authorize/resume?state=DIFFERENT_HASH

That in return responds with a deeplink back to the app

be.luminus.bsp.auth0://login.luminus.be/android/be.luminus.bsp/callback?code=ANOTHER_HASH&state=DIFFERENT_STATE_HASH

Also a call found to

https://login.luminus.be/oauth/token

For the next calls we're back in the app; all these calls have an Authorization Bearer header:

https://mobileapi.luminus.be/api/v11/GetApplicationStatus
https://mobileapi.luminus.be/api/v11/ExecutePostLoginActions
https://mobileapi.luminus.be/api/v11/GetAccountOverview
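
The deeplink with `code` and `state`, followed by a call to `/oauth/token`, has the shape of an OAuth authorization-code flow. As an added example (not from this thread or from the integration's code), this is one way a client could validate that callback and build the token request. PKCE use, `CLIENT_ID`, the function names and the request parameters are assumptions taken from RFC 6749 and RFC 7636, since the thread does not show the `/authorize` or `/oauth/token` request bodies.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_URL = "https://login.luminus.be/oauth/token"  # seen in the thread
# Deeplink target from the thread, without its query string.
REDIRECT_URI = "be.luminus.bsp.auth0://login.luminus.be/android/be.luminus.bsp/callback"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"  # assumption: not shown in the thread


def pkce_challenge(verifier: str) -> str:
    """S256 code_challenge for a code_verifier (RFC 7636, section 4.2)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def parse_callback(deeplink: str, expected_state: str) -> str:
    """Return the authorization code, refusing callbacks that are not ours."""
    parts = urlsplit(deeplink)
    if f"{parts.scheme}://{parts.netloc}{parts.path}" != REDIRECT_URI:
        raise ValueError("unexpected redirect target")
    query = parse_qs(parts.query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    state = query.get("state", [""])[0]
    # state must equal the value this client sent when it started the flow;
    # compare in constant time and never accept an empty expected value.
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise ValueError("state mismatch")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]


def token_request_body(code: str, verifier: str) -> str:
    """Form body to POST to TOKEN_URL (RFC 6749, section 4.1.3, plus PKCE)."""
    return urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": code,
        "code_verifier": verifier,
        "redirect_uri": REDIRECT_URI,
    })
```

The `state` checked here is the one the client generated for its own authorization request, which is why it differs from the `state` on the login pages earlier in the flow.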