MyQ fails with 403 forbidden error after recent cloud changes

[Nairou]

The problem

This is the first time the MyQ integration has given me any trouble, and it started shortly after I opened the garage door today. I closed it 30 minutes later, but Home Assistant never received that notification.

This is what I see repeating in the log:

2023-09-08 10:47:32.661 ERROR (MainThread) [homeassistant.components.myq] Error fetching myq devices data: Error requesting data from https://devices.myq-cloud.com/api/v5.2/Accounts/86f16316-3d74-4c7c-af7b-2d137be0693d/Devices: 403 - Forbidden

What version of Home Assistant Core has the issue?

core-2023.9.0

What was the last working version of Home Assistant Core?

No response

What type of installation are you running?

Home Assistant Container

Integration causing the issue

MyQ

Link to integration documentation on our website

https://www.home-assistant.io/integrations/myq/

Diagnostics information

No response

Example YAML snippet

No response

Anything in the logs that might be useful for us?

No response

Additional information

No response

[ceddy441]

Perhaps check the useragent sent by postman. They may have implemented blocking of the user agent or of the SSL signature.

This happened a few years ago and a fix was implemented. https://community.home-assistant.io/t/myq-not-working-again/193086/139

[bluestar888]

Getting the same error. Subscribing for updates.

2023-09-08 13:42:04.911 ERROR (MainThread) [pymyq.api] Authentication failed: Error requesting data from https://partner-identity.myq-cloud.com/connect/authorize: 403 - Forbidden

[yjamal01]

Same issue here, roll back did not fix so as others have stated does not to appear to be an update issue.

Logger: pymyq.api Source: components/myq/init.py:42 First occurred: 16:41:11 (12 occurrences) Last logged: 16:56:03

Authentication failed: Error requesting data from https://partner-identity.myq-cloud.com/connect/authorize: 403 - Forbidden

[sph-floatingpoint]

From the link shared by @ceddy441 (https://community.home-assistant.io/t/myq-not-working-again/193086/139) :

This will restore full functionality to myQ without requiring individual users to edit the User Agent string in their python implementation. This should solve the issue until Chamberlain comes up with some other cheesy way to prevent people from legitimately using the API. Here’s hoping that will take a long, long time.

That was December 2020... almost 3 years...

[ceddy441]

From the link shared by @ceddy441 (https://community.home-assistant.io/t/myq-not-working-again/193086/139) :

This will restore full functionality to myQ without requiring individual users to edit the User Agent string in their python implementation. This should solve the issue until Chamberlain comes up with some other cheesy way to prevent people from legitimately using the API. Here’s hoping that will take a long, long time.

That was December 2020... almost 3 years...

Understood. But three years ago Chamberlain blocked our useragent. A temp fix was to manually modify and create your own useragent https://community.home-assistant.io/t/myq-not-working-again/193086/113. Later on a fix was created in hopes that it would last long term.

If MyQ works outside of HA on the same network, we should look at the useragent as history has a way of repeating itself.

[brg468]

@ceddy441 is right.

This is what HA is passing as a user agent. My guess is they have blocked that. Changing the user agent to simply "PyMyq" got it working for me. Sounds like we need to override the HA-supplied user agent

{'User-Agent': 'HomeAssistant/2023.9.0.dev0 aiohttp/3.8.5 Python/3.11'}

[rsissons]

@ceddy441 is right.

This is what HA is passing as a user agent. My guess is they have blocked that. Changing the user agent to simply "PyMyq" got it working for me. Sounds like we need to override the HA-supplied user agent

{'User-Agent': 'HomeAssistant/2023.9.0.dev0 aiohttp/3.8.5 Python/3.11'}

Where do you change that at?

[ceddy441]

@devs - If possible can we expose the user agent as a variable in the GUI? This way end-users can populate it themselves reducing the risk of Chamberlain blocking by regex.

My skillset is in network design, or I would attempt myself.

[rgnet5]

Something may have just changed on the MyQ API side. Been having similar issues with HomeBridge that started at the same time as the HA issue. Logs confirm the error. My HomeBridge just successfully connected and logged into the API at 5:15pm ET.

[rsissons]

Something may have just changed on the MyQ API side. Been having similar issues with HomeBridge that started at the same time as the HA issue. Logs confirm the error. My HomeBridge just successfully connected and logged into the API at 5:15pm ET.

Could be. My wyze integration stopped working and wyze is having issues according to downdetector.

[brendandixon]

@ceddy441 is (again) correct: We should expose the UA as a configuration variable (initially filled with a dynamic string). As long as the API exists and the strings remain pattern-free (e.g., not all UUIDs), it will work fine.

[RockMonkey]

They are probably using the cloudflare waf to block the user string..If it was dynamic what would it be? It may get flagged as bot traffic and get blocked other places like Akamai, Imperva etc. I'm guessing the block is in my q's own policy.

Perhaps a standard browser user agent string for my q only if possible. Or a user string my q expects to see so the traffic is under the radar.

---

From: brendandixon @.> Sent: Friday, September 8, 2023 5:54:45 PM To: home-assistant/core @.> Cc: David Boyden @.>; Comment @.> Subject: Re: [home-assistant/core] MyQ: 403 forbidden (Issue #99947)

@ceddy441https://github.com/ceddy441 is (again) correct: We should expose the UA as a configuration variable (initially filled with a dynamic string). As long as the API exists and the strings remain pattern-free (e.g., not all UUIDs), it will work fine.

— Reply to this email directly, view it on GitHubhttps://github.com/home-assistant/core/issues/99947#issuecomment-1712266348, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AH2MCFCQ35MNOE65Z3RYIY3XZOH2BANCNFSM6AAAAAA4QV5STU. You are receiving this because you commented.Message ID: @.***>

[simplelnx]

Getting the same error. Subscribing for updates.

[brendandixon]

@RockMonkey Hmm, good point. But, isn't that what this fix is https://github.com/arraylabs/pymyq/pull/54

[brendandixon]

Sorry to be a n00b here, but I see no way to disable Protection Mode on SSH. I'm running HassOS (fully managed install) on a headless Intel box. Where would I look?

(This refers to the "fix" from the prior report. Will that approach still work -- that is, invoke/exec sed through docker to change the string?)

[brg468]

I don't think the fix from several years ago will work, the path is no longer correct and neither is the string its trying to replace.

[mattvirlee]

I see the same as @brg468 -- my Python path is not the same but more importantly, the User-Agent construction doesn't appear in the api.py file that I can find.

[gsh4rm4]

They are probably using the cloudflare waf to block the user string..If it was dynamic what would it be? It may get flagged as bot traffic and get blocked other places like Akamai, Imperva etc. I'm guessing the block is in my q's own policy. Perhaps a standard browser user agent string for my q only if possible. Or a user string my q expects to see so the traffic is under the radar. …

Best option will be to replicate their mobile app's User Agent in HA.

[bigmak40]

As stated above, the User Agent configuration appears different and the old workaround will not work.

I did poke around some and found that in pymyq/request.py that it performs a lookup for a USER_AGENT file to set some randomness in the user agent string.

https://github.com/arraylabs/pymyq/blob/master/pymyq/request.py Line 57 url = "https://raw.githubusercontent.com/arraylabs/pymyq/master/.USER_AGENT"

That file has not been updated in 2 years and reads #RANDOM:5. The code then generates a random string of that length in request.py line 95.

I edited my request.py to point at a different file to try different lengths of randomness; this did not work unfortunately.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
  • Changed line 57 to read url = https://raw.githubusercontent.com/bigmak40/projects/main/.USER_AGENT

I tried #RANDOM:6 and #RANDOM:8 with no luck.

[lygris]

As stated above, the User Agent configuration appears different and the old workaround will not work.

I did poke around some and found that in pymyq/request.py that it performs a lookup for a USER_AGENT file to set some randomness in the user agent string.

https://github.com/arraylabs/pymyq/blob/master/pymyq/request.py Line 57 url = "https://raw.githubusercontent.com/arraylabs/pymyq/master/.USER_AGENT"

That file has not been updated in 2 years and reads #RANDOM:5. The code then generates a random string of that length in request.py line 95.

I edited my request.py to point at a different file to try different lengths of randomness; this did not work unfortunately.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py

• vi request.py

  • Changed line 57 to read url = https://raw.githubusercontent.com/bigmak40/projects/main/.USER_AGENT

I tried #RANDOM:6 and #RANDOM:8 with no luck.

Change line 34 to self._useragent = None to self._useragent = str("***something here***")

obviously replace the part in stars

[a-bianucci]

As stated above, the User Agent configuration appears different and the old workaround will not work. I did poke around some and found that in pymyq/request.py that it performs a lookup for a USER_AGENT file to set some randomness in the user agent string. https://github.com/arraylabs/pymyq/blob/master/pymyq/request.py Line 57 url = "https://raw.githubusercontent.com/arraylabs/pymyq/master/.USER_AGENT" That file has not been updated in 2 years and reads #RANDOM:5. The code then generates a random string of that length in request.py line 95. I edited my request.py to point at a different file to try different lengths of randomness; this did not work unfortunately.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py

• vi request.py

  • Changed line 57 to read url = https://raw.githubusercontent.com/bigmak40/projects/main/.USER_AGENT

I tried #RANDOM:6 and #RANDOM:8 with no luck.

Change line 34 to self._useragent = None to self._useragent = str("***something here***")

obviously replace the part in stars

I just put in self._useragent = str("AMBHassio") and with out the ***

And it don’t work.

[simplelnx]

Just tried with self._useragent = str("JFKEJ") Started working now after restarting Home Assistant

Thanks @lygris

[gridlockjoe]

Is anyone experiencing this that hasn't upgraded to 2023.9 yet? Quick look at the code, there weren't any significant changes in this release.

Experiencing this on 2023.8.4.

[brendandixon]

Looking over the code in https://github.com/arraylabs/pymyq/blob/master/pymyq/request.py, here's what I suggest:

-- I do not see a clean way to initialize the UA string at class creation -- The default code pulls the UA string from Github via the .USER_AGENT file (egads!) -- The code interprets the string, if it begins with "#RANDOM" they generate a random string of said length -- Otherwise, they use the string as is

The best fix is to add a async def _set_useragent method that allows HA to set the UA string. Once it's set, it will get used by all code. The setter needs to fulfill conditions of this clause:

if ( self._useragent is not None and self._last_useragent_update is not None and self._last_useragent_update + USER_AGENT_REFRESH > datetime.utcnow() ):

Sadly -- for reasons unknown -- they update the UA once an hour. This implies that HA should invoke the setter before every call to keep it fresh.

Very odd code in my mind.

[bigmak40]

Thanks @lygris, that did work.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
• i to enter insert mode
• Modify line 34
  • Was self._useragent = None
  • Is self._useragent = str("anytexthere")
• Esc key to exit insert mode
• :w + enter to write the changes
• :x + enter to exit VI
• Restart Home Assistant

[brendandixon]

Looking over the code in https://github.com/arraylabs/pymyq/blob/master/pymyq/request.py, here's what I suggest:

-- I do not see a clean way to initialize the UA string at class creation -- The default code pulls the UA string from Github via the .USER_AGENT file (egads!) -- The code interprets the string, if it begins with "#RANDOM" they generate a random string of said length -- Otherwise, they use the string as is

The best fix is to add a async def _set_useragent method that allows HA to set the UA string. Once it's set, it will get used by all code. The setter needs to fulfill conditions of this clause:

if ( self._useragent is not None and self._last_useragent_update is not None and self._last_useragent_update + USER_AGENT_REFRESH > datetime.utcnow() ):

Sadly -- for reasons unknown -- they update the UA once an hour. This implies that HA should invoke the setter before every call to keep it fresh.

Very odd code in my mind.

Better still, the setter should accept a value for self._last_useragent_update. HA could then set it to infinite and be done with it. :)

[Mr-Smi1es]

Home Assistant 2023.9.0 Supervisor 2023.08.3 Operating System 10.5 Frontend 20230906.1 - latest

Ditto with everyone else. I am getting error code 403 forbidden after the latest update.

I removed and added integration, thinking it'll fix it but....NOPE lol

[rsissons]

I don't see this in my ha on a pi3 core/supervisor install. Where would I find it? usr/local/lib/python3.11/site-packages/pymyq

On Fri, Sep 8, 2023, 6:02 PM bigmak40 @.***> wrote:

Thanks @lygris https://github.com/lygris, that did work.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
• i to enter insert mode
• Modify line 34 -- Was self._useragent = None -- Is 'self.useragent = str("anytexthere")`
• Esc key to exit insert mode
• :w + enter to write the changes
• :x + enter to exit VI
• Restart Home Assistant

— Reply to this email directly, view it on GitHub https://github.com/home-assistant/core/issues/99947#issuecomment-1712369141, or unsubscribe https://github.com/notifications/unsubscribe-auth/AEOOM44K4AJJLTNVCNVB6ETXZO54DANCNFSM6AAAAAA4QV5STU . You are receiving this because you commented.Message ID: @.***>

[simplelnx]

@rsissons your python version might be different..

try usr/local/lib/python*/site-packages/pymyq

[brendandixon]

Thanks @lygris, that did work.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
• i to enter insert mode

• Modify line 34

  • Was self._useragent = None
  • Is self._useragent = str("anytexthere")
• Esc key to exit insert mode
• :w + enter to write the changes
• :x + enter to exit VI
• Restart Home Assistant

Is there a way to do this using HassOS?

[stroodl3bug]

Thanks @lygris, that did work.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
• i to enter insert mode

• Modify line 34

  • Was self._useragent = None
  • Is self._useragent = str("anytexthere")
• Esc key to exit insert mode
• :w + enter to write the changes
• :x + enter to exit VI
• Restart Home Assistant

Is there a way to do this using HassOS?

if you're using the ssh addon (Advanced SSH & Web Terminal) , you have to disable "protection mode" and restart the addon. Then follow the steps above

Just tried it and fixed for me (for the time being)

[rsissons]

@rsissons your python version might be different..

try usr/local/lib/python*/site-packages/pymyq

I don't have that directory. I don't see a python directory there. I am using the HA integration for MyQ.

[bigmak40]

@rsissons your python version might be different.. try usr/local/lib/python*/site-packages/pymyq

I don't have that directory. I don't see a python directory there. I am using the HA integration for MyQ.

Are you using Advanced SSH & Web Terminal with protection mode disabled?

[bigmak40]

Also, just a note: If you're using a different terminal app like Terminal & SSH, you have to stop that add on before you start Advanced SSH & Web Terminal. If you don't, the second app will just fail to start with no description of why. The problem is that they both bind to port 22 and you can't have both running at the same time.

[rsissons]

I am using WINSCP and show hidden directories. For some reason I can't start Terminal&SSH in HA even though I stopped the other app. I can navigate and see all the files just fine. I am on HassOS. Maybe I'm just dense.

[webmogul1]

Thanks @lygris, that did work.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
• i to enter insert mode

• Modify line 34

  • Was self._useragent = None
  • Is self._useragent = str("anytexthere")
• Esc key to exit insert mode
• :w + enter to write the changes
• :x + enter to exit VI
• Restart Home Assistant

For those using a LXC in proxmox the request.py file is in: ./srv/homeassistant/lib/python3.11/site-packages/pymyq/

[bdb12]

Hi all

I am by no means a cody kinda guy. With this seeming to work will an update to the integration come out with this fix please?

[bigmak40]

Hi all

I am by no means a cody kinda guy. With this seeming to work will an update to the integration come out with this fix please?

The issue is technically in the package that Home Assistant uses. The work to address this should be done there and then it would get incorporated at this level.

It's really not that hard to make this fix. I typed up directions above.

[bigmak40]

I am using WINSCP and show hidden directories. For some reason I can't start Terminal&SSH in HA even though I stopped the other app. I can navigate and see all the files just fine. I am on HassOS. Maybe I'm just dense.

Are you able to run the docker exec command? That is the key.

[jbhorner]

I'm really tempted to use WireShark on my firewall to monitor the transactions between the MyQ app on my phone and the servers to which it "talks." It would provide a definitive answer of what they do between their API and their App.

[jbhorner]

I am using the "Advanced SSH & Web Terminal" add-on in Home Assistant. I disabled "protection mode" in that, and then launched the web UI from that add-on. I completed the steps as noted above. I didn't need to SSH in or anything like that--all through Home Assistant.

[buskeyl]

Well at least it's not me. I am having the problem as well. Was having a very similar issue on the SmartThings side with the BrBeard integration there.

[richm08]

Well at least it's not me. I am having the problem as well. Was having a very similar issue on the SmartThings side with the BrBeard integration there.

I just migrated my garage door over to HA yesterday because of the BrBeard issues. Well, it worked great for a day. Lol

[buskeyl]

So where would this file be on a Home Assistant Yellow?

[broncobuddha]

Been wrestling with this all day. Worked this morning. Seems like it went down at the same time for everyone so it should somewhat easy to find for those investigating. I'm in agreement with most that this is most likely on MyQ and not HA.

[bdb12]

Hi all I am by no means a cody kinda guy. With this seeming to work will an update to the integration come out with this fix please?

The issue is technically in the package that Home Assistant uses. The work to address this should be done there and then it would get incorporated at this level.

It's really not that hard to make this fix. I typed up directions above.

Thanks that worked!!! Yes I managed to get that working. Am I likely to need to redo this do you think?

[Nevets77x]

Thanks @lygris, that did work.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
• i to enter insert mode

• Modify line 34

  • Was self._useragent = None
  • Is self._useragent = str("anytexthere")
• Esc key to exit insert mode
• :w + enter to write the changes
• :x + enter to exit VI
• Restart Home Assistant

Is there a way to do this using HassOS?

This worked for me!!

I am using: Home Assistant 2023.9.1 Supervisor 2023.08.3 Operating System 10.5

I had to install the Advanced SSH & Web Terminal add-on, which required some troubleshooting on it's own (bad gateway error, fix was to set a password in the config tab).

Once I got that running and disabled protection mode, I followed the steps above to browse and edit the request.py file. A quick restart later and everything came back online.

Thanks everyone, great community here!

[jadec712]

I am using WINSCP and show hidden directories. For some reason I can't start Terminal&SSH in HA even though I stopped the other app. I can navigate and see all the files just fine. I am on HassOS. Maybe I'm just dense.

Are you able to run the docker exec command? That is the key.

Where should I be running the docker exec command? The SSH Terminal and the HA terminal through vmware console both don't seem to recognize it.

Edit: Figured it out. I needed the Advanced SSH/Web Terminal add on, not the basic one. Got it working now. Thank you!

[skynet01]

@bdb12 Yes, you will have to re-apply the fix anytime you update Home Assistant until a fix for this is in the change log :)

[thetravellor]

Same error

Thanks @lygris, that did work.

• docker exec -it homeassistant bash
• cd /usr/local/lib/python3.11/site-packages/pymyq/
• cp request.py request_bup.py
• vi request.py
• i to enter insert mode

• Modify line 34

  • Was self._useragent = None
  • Is self._useragent = str("anytexthere")
• Esc key to exit insert mode
• :w + enter to write the changes
• :x + enter to exit VI
• Restart Home Assistant

This works for me