jfarmer08 / homebridge-wyze-smart-home

Wyze Smart Home plugin for Homebridge.
MIT License
93 stars, 14 forks

Hello from Wyze and question related to Wyze Login Api #215

Closed xcz011 closed 4 months ago

xcz011 commented 4 months ago

Describe The Bug:

Hello! This is @xcz011 from the Wyze engineering team, and also a HomeBridge Wyze Plugin user as well. Thanks to all of you for building this!!

Yesterday, I noticed my HomeBridge integration was not working and checked the latest release note. Then I connected the dots between what we did and what caused https://github.com/jfarmer08/homebridge-wyze-smart-home/issues/208. Also, thanks to all for the quick fix for this in https://github.com/jfarmer08/wyze-api/pull/3.

I want to share a little of what we saw from the Wyze side, and hope that explains what we did and why we did it:

What we saw in Wyze internal metrics: around 2/1/2024 at 11 PM PST, we noticed a 20x traffic spike to the developer login endpoint.

[Screenshot of Wyze internal metrics, taken 2024-02-05]

It triggered a P0 alarm internally and we thought we were being attacked by hackers using a bot farm. We quickly identified that what was common to all the requests was the header, which was the same in every request, so we decided to block that header to make sure we temporarily stopped the hacking activity, and we triggered our internal security processes.

After I read through the thread and PR, I feel most likely the traffic came from here. But I still have two things I want to check here:

I will keep digging and hopefully we can find the root cause, so we can remove this temporary blocker and not force anyone to upgrade to the latest version.

Thanks again for building this awesome integration.

jfarmer08 commented 4 months ago

@xcz011 Thank you for reaching out. The last thing I want is to cause any issues with the Wyze ecosystem and/or cause the integration to stop working.

Can you confirm that all the requests are using the same user agent? I find it odd that every system tried to log in repeatedly, unless the refresh token was no longer valid. We try to refresh the token every 48 hours, unless someone is using the Node.js wrapper outside of this integration. If there is anything I can do to help or change, please let me know.

old: userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15"

new: userAgent: "unofficial-wyze-api/1.0",

jfarmer08 commented 4 months ago

Other integrations' user agents would be similar to the below.

'User-Agent': 'myapp'
"user-agent": f"wyze-sdk-{version.version}"

xcz011 commented 4 months ago

Yes, we are seeing all the requests coming from Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1 Safari/605.1.15 on 2/1.

Last night, I tried to unblock this header, and this API's traffic spiked up fast. That is why I feel maybe we could take a look at the retry logic.

Thanks

xcz011 commented 4 months ago

I share the same goal as the community here: to support this project running smoothly and not impacting the Wyze ecosystem.

I will try my best here to help, and sorry for this temporary blocking, which may cause inconvenience to HomeBridge Wyze users.

jfarmer08 commented 4 months ago

I will look at the retry logic. I am sure that can be improved.
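
The retry behaviour discussed in this thread, shown as an added example that is not part of the original issue, the plugin, or wyze-api: a login retry policy that treats a hard rejection (such as the blocked header) as final instead of retrying it, and backs off exponentially on transient errors so a hiccup cannot become a traffic spike. LOGIN_URL, the status-code classification and the request shape are assumptions for illustration.

```javascript
// Added example (not code from homebridge-wyze-smart-home or wyze-api):
// a login retry policy that cannot turn a rejected login into a retry storm.
// LOGIN_URL, the status codes and the request shape are assumptions.

const LOGIN_URL = "https://example.invalid/login"; // placeholder, not Wyze's endpoint
const USER_AGENT = "unofficial-wyze-api/1.0";      // descriptive UA, as in the fix

// Only transient failures deserve a retry. 401/403 mean the server rejected
// the credentials or the client itself (as with the blocked header in the
// thread): retrying cannot succeed and only multiplies login traffic.
function isTransient(status) {
  return status === 429 || status >= 500;
}

// Exponential backoff with full jitter, capped so a long outage yields a
// slow trickle of attempts rather than a tight loop.
function backoffMs(attempt, baseMs, maxMs, rand) {
  const cap = Math.min(maxMs, baseMs * 2 ** attempt);
  return Math.floor(rand() * cap);
}

class LoginRetryPolicy {
  constructor({ maxAttempts = 4, baseMs = 1000, maxMs = 60000, rand = Math.random } = {}) {
    Object.assign(this, { maxAttempts, baseMs, maxMs, rand, attempts: 0 });
  }
  // Feed each HTTP status the login endpoint returned; get back whether to
  // try again and, if so, how long to wait first.
  decide(status) {
    this.attempts += 1;
    if (status === 200) return { retry: false, reason: "ok" };
    if (!isTransient(status)) return { retry: false, reason: `rejected with HTTP ${status}` };
    if (this.attempts >= this.maxAttempts) return { retry: false, reason: "gave up" };
    return { retry: true, delayMs: backoffMs(this.attempts - 1, this.baseMs, this.maxMs, this.rand) };
  }
}

// Driver: fetchFn and sleep are injected so the logic is testable offline.
async function loginWithBackoff(fetchFn, sleep, policy = new LoginRetryPolicy()) {
  for (;;) {
    const res = await fetchFn(LOGIN_URL, {
      method: "POST",
      headers: { "User-Agent": USER_AGENT, "Content-Type": "application/json" },
    });
    const d = policy.decide(res.status);
    if (!d.retry) return { ok: res.status === 200, attempts: policy.attempts, reason: d.reason };
    await sleep(d.delayMs);
  }
}
```

A single log line on the "rejected" path, surfaced to the user, is what tells an operator to upgrade; the unchanged-header retry loop gives the server a spike and the user nothing.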

jfarmer08 commented 4 months ago

@carTloyal123 if you have time maybe you can look more into this.

carTloyal123 commented 4 months ago

I am happy to assist in looking into it. I haven't looked too deeply into wyze-api, but this would be a good reason to. I think this one could be a team effort, so I am assuming both of us will be looking and reporting here as needed, @jfarmer08, time permitting.

jfarmer08 commented 4 months ago

Since this is API related, I have created a ticket: https://github.com/jfarmer08/wyze-api/issues/6. We will keep track there. Also, @hgoscenski will add input and help.

jfarmer08 commented 4 months ago

@xcz011 Were all users' passwords reset, or just a subset of customers? Maybe just users using this user agent?

xcz011 commented 4 months ago

@xcz011 Were all users' passwords reset, or just a subset of customers? Maybe just users using this user agent?

I believe it must be a small subset of users. I will check with our security team what triggered this reset and report back here.

jfarmer08 commented 4 months ago

@xcz011 v0.5.42 should help with the issues seen

xcz011 commented 4 months ago

Thanks! @jfarmer08 Do you mind if I make a quick announcement on the Wyze forum to suggest everyone upgrade their plugin to the latest version?

jfarmer08 commented 4 months ago

That sounds good to me.

Thanks Allen :)