Request forbidden (403) despite correct credentials

[Chew]

This is a rather unique scenario that I can't seem to figure out.

I keep getting a Request forbidden despite the credentials being 100% correct. There is no MFA enabled.

I tried packet sniffing. The email and password are correct.

I tried enabling debug mode to see. The password and email (and API Key) match what was shown in my packet sniffing.

I tried performing the request manually in postman using only the x-api-key header and the payload from the packet sniffing. It works fine.

I tried using CURL on the Homebridge server. It works fine.

curl --location --request POST 'https://auth-prod.api.wyze.com/user/login' \
--header 'x-api-key: WMXHYf79Nr5gIlt3r0r7p9Tcw5bvs6BB4U8O8nGJ' \
--header 'Content-Type: application/json' \
--data-raw '{
    "email": "account email",
    "password": "md5 3 times (why, wyze?) password"
}'

Why is it specifically not working through Homebridge? Any advice or tips would be greatly appreciated.

I messed around with the config but in most cases, it doesn't seem to be affecting anything:

{
    "name": "Wyze",
    "username": "account email",
    "password": "account password",
    "refreshInterval": 10000,
    "platform": "WyzeConnectedHome",
    "authApiKey": "WMXHYf79Nr5gIlt3r0r7p9Tcw5bvs6BB4U8O8nGJ",
    "appVersion": "2.19.24",
    "phoneId": "my phone ID via packet sniffing"
}

Debug output:

[5/6/2021, 5:40:15 AM] [Wyze] Refreshing devices...
[5/6/2021, 5:40:15 AM] [Wyze] Performing request: user/login
[5/6/2021, 5:40:15 AM] [Wyze] Request config: {"method":"POST","url":"user/login","data":{"email":"account email","password":"account password"},"baseURL":"https://auth-prod.api.wyze.com","headers":{"x-api-key":"WMXHYf79Nr5gIlt3r0r7p9Tcw5bvs6BB4U8O8nGJ"}}
[5/6/2021, 5:40:16 AM] [Wyze] Request failed: Error: Request failed with status code 403
[5/6/2021, 5:40:16 AM] [Wyze] Response (Forbidden): {"description":"Request forbidden."}
[5/6/2021, 5:40:16 AM] [Wyze] Error getting devices: Error: Request failed with status code 403

The email and password found in the request config are identical to my prior instances of packet sniffing and manual testing.

I've not had this issue with any other plugins.

[ndejong5]

Yeah unfortunately I don’t have that option on Hoobs or at least I don’t know how to.

[MikeThomas123456]

Need someone with necessary permissions to merge this fork and should be all good!

[ndejong5]

Bummer, doesn’t seem like that is going to happen anytime soon. :(

[Bom342]

Must you stick with Hoobs?

[ndejong5]

@Bom342 I don’t have to but I have everything else setup on it right now. Going to be more of a pain to switch to something else.

[iguillen]

Try this: https://github.com/hoobs-org/HOOBS/issues/586

[ndejong5]

@iguillen I tried this but I am on Hoobs 4 and I think things have changed. :(

[ndejong5]

@MikeThomas123456 someone at hoobs told me it has to be a scoped plugin for me to be able to install it. No idea what that means. He said the fork would have to be published as a scoped release.

[cheme75]

Fwiw, I’m pretty much a noob at this, but I deleted the original wyze plugin, then searched from the hooks plugin page, saw the -op plugin, installed it, put in my login creds, restarted service and bingo. Back to working as expected. I guess most instructions assume installing plugin in homebridge the manual way which overwrites the old files with the newer. But it seems hoobs had to have the old plug deleted first. Anyway, it works. Greatly appreciate this fix! Now to figure out how to get my docker wyze bridge cams into hoobs!