Open Locutus73 opened 5 years ago
Also, Arlo states that everyone has to change to 2FA by the end of the year, so this is even more important.
There are plenty of discussions in the Arlo forum about 2FA being a bad idea (in this context). I don't think that they will force everyone (account) to use 2FA.
Also, in a Python implementation they are discussing how to implement 2FA, but there still seems to be a lot of work to do.
Okay, so I went down the rabbit hole on this, and I think it's possible, but unlikely to be usable for Homebridge. So, the way the Arlo OAuth dance works is this:

1. `POST https://ocapi-app.arlo.com/api/auth` with a JSON payload containing the username and password of the user you're logging in (`{"email":"EMAIL","password":btoa("PASSWORD")}`)
2. `GET https://ocapi-app.arlo.com/api/getFactors` to get a list of 2FA methods the user has set up
3. `POST https://ocapi-app.arlo.com/api/startAuth` with a 2FA method ID, and user ID, which should send the user a 2FA request. We'll also get back a `factorAuthCode`.
4. `POST https://ocapi-app.arlo.com/api/finishAuth` with the `factorAuthCode`, and the one-time password that was emailed or texted to our user.

And this is where we get sad. Tokens are only valid for 2 weeks, it looks like. We'd have to go through this process pretty frequently, which would be hell to manage in Homebridge.
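
The four-step flow and the two-week token lifetime from the comment above, as an added example that is not part of the original thread or the plugin's code. The endpoint paths and the `email`, `password` and `factorAuthCode` fields come from the comment; all other field names, the `send`/`askOtp` callbacks and the in-memory stand-in server are assumptions made for illustration.

```javascript
// Added example, not Arlo's or the plugin's code. Endpoint paths, "email",
// "password" and "factorAuthCode" come from the comment above; every other
// field name (factors, factorId, userId, otp, token) is an assumption.
const BASE = "https://ocapi-app.arlo.com/api";
const TOKEN_LIFETIME_MS = 14 * 24 * 60 * 60 * 1000; // "valid for 2 weeks"

// Step 1 body. Base64 is an encoding, not encryption: the password is only
// protected by TLS on the wire.
function authBody(email, password) {
  return { email, password: Buffer.from(password, "utf8").toString("base64") };
}

// Runs the four steps. `send(method, url, body)` is a caller-supplied transport
// and `askOtp()` asks the user for the emailed or texted one-time password.
async function login(send, askOtp, email, password, now = Date.now()) {
  const auth = await send("POST", `${BASE}/auth`, authBody(email, password));
  const { factors } = await send("GET", `${BASE}/getFactors`);
  if (!factors || factors.length === 0) throw new Error("no 2FA factor enrolled");
  const started = await send("POST", `${BASE}/startAuth`,
    { factorId: factors[0].factorId, userId: auth.userId });
  const otp = await askOtp();
  const done = await send("POST", `${BASE}/finishAuth`,
    { factorAuthCode: started.factorAuthCode, otp });
  return { token: done.token, expiresAt: now + TOKEN_LIFETIME_MS };
}

// True when the cached session is missing or within `marginMs` of expiring.
function needsReauth(session, now = Date.now(), marginMs = 24 * 60 * 60 * 1000) {
  return !session || !session.token || now >= session.expiresAt - marginMs;
}

// Constructed in-memory transport standing in for the server, so this runs offline.
function fakeSend(log) {
  return async (method, url, body) => {
    log.push(`${method} ${url.slice(BASE.length)}`);
    if (url.endsWith("/auth")) return { userId: "USER-1" };
    if (url.endsWith("/getFactors")) return { factors: [{ factorId: "F-1" }] };
    if (url.endsWith("/startAuth")) return { factorAuthCode: "FAC-1" };
    if (body.factorAuthCode !== "FAC-1" || body.otp !== "123456") throw new Error("bad OTP");
    return { token: "TOKEN-1" };
  };
}
```

Persisting the returned session and checking `needsReauth` at startup lets an unattended service ask for a new one-time password ahead of expiry instead of failing when the token lapses.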
Arlo just introduced 2 factor authentication. Old authentication API still works for accounts with 2FA disabled, but enabling 2FA would be a great security improvement.
Thank you in advance. Regards.