Open iamwoz opened 1 year ago
I'm not sure how reliable these "is it down?" sites are for these types of URLs, but it might not just be me. Anyone else having this issue?
https://www.isitdownrightnow.com/auth-prod.api.wyze.com.html
Hmm. seems to be working for me.
Might be getting rate limited for some reason? Are you running any other third-party wyze clients that might be hammering their servers?
You could try running this command to see the x-ratelimit-remaining from cloudflare:
curl -I https://auth-prod.api.wyze.com/user/login
Nope only running DWB and a single instance of the iOS app.
Curl doesn't return much info:
Hmm any chance you're on a VPN or have a datacenter IP?
Just tried to do a couple of curls with some random spots around the world with a commercial VPN and a few from a data center and it seems like wyze is blocking ALL of those IPs. I also tried some residential VPNs and those worked as expected, so they're probably just blocking all non-residential IPs?
No VPN, same static IP that I've used for a couple of years. I have been using NextDNS for a couple years as well. Will try disabling it and testing.
I am having the same error. I am running my IOT devices and cameras through a VPN however. Temporarily turning off my VPN allows the wyze bridge to start normally. When I turn my VPN back on, it looks like as long as I use the local cache and don't toggle "Pull Fresh Data From Wyze API" on, my cameras will connect, although very slow to update.
Looks like mrlt8 is correct in my case and they seem to be blocking my VPN IP
Datapoint:
login via https://auth.wyze.com/login seems to work with a VPN, however, this endpoint requires captcha.
The refresh token endpoint (https://api.wyzecam.com/app/user/refresh_token) also seems to work with a VPN, so once the initial login is completed, refreshing the token should continue to work.
OK so removing NextDNS has no effect. I've checked my static IP against all the spam/malware type directories I can find and it's clean everywhere.
No VPN at my end either.
Traceroute from me to auth-prod.api.wyze.com
> Hmm any chance you're on a VPN or have a datacenter IP?
> Just tried to do a couple of curls with some random spots around the world with a commercial VPN and a few from a data center and it seems like wyze is blocking ALL of those IPs. I also tried some residential VPNs and those worked as expected, so they're probably just blocking all non-residential IPs?
Same troubleshooting for me. I'm running in a datacenter and it's blocked. I run the same config at home and it works fine.
Just tried the curl from my Linode (Akamai) VPS in Australia and get the same response. Wonder if Wyze has made a change that somehow has my static IP bundled in with datacentres. Anyone know a route / method to contact Wyze and get some more information? I'm reluctant to attempt the normal support channels.
I'm still looking into the https://auth.wyze.com/oauth endpoint which doesn't seem to be blocked, but it's a little annoying since it doesn't give a refresh token...
Really hope this whole issue is just a temporary hiccup and not permanent.
> Same troubleshooting for me. I'm running in a datacenter and it's blocked. I run the same config at home and it works fine.
You should be able to map and copy the .pickle files from /tokens/ on your local container to your cloud instance.
I've emailed security@wyze.com and have already had a response - they are checking my static IP against Cloudfront to see if they are banning it.
Progress
This is very strange because I'm not blacklisted anywhere else.
![image](https://github.com/mrlt8/docker-wyze-bridge/assets/85816876/5a2caf93-8318-41d4-bcfc-c02f834e2ddf)
Just heard back from Wyze security team - my IP is no longer blacklisted by Cloudfront.
Really great responsive support from Wyze on this.
Awesome! I'm still getting a 403 when using a VPN, so they must have manually whitelisted your IP.
If anyone is still having this issue, I added an option to manually set your ACCESS_TOKEN or REFRESH_TOKEN as an ENV option.
I was using a Windscribe VPN. Once I turned that off then I was able to use the bridge without any 403 errors.
@thedavidporter You can turn your vpn back on once you're authenticated. They only seem to block VPNs on the authentication server https://auth-prod.api.wyze.com which is only used for the first authentication request. All other domains seem unaffected right now.
You could also add the domain to a split tunnel if you needed to do a fresh authentication or switch accounts.
This is occurring for me as of 7/29/23. I had added a camera a couple of weeks ago and one of my old cameras seemed to stop working, but when I tried to restart I got a server 500 error at the 5000 port. When I try to reinstall the container I get the following (including the above error):
[WyzeBridge] 🔍 Could not find local cache for 'cameras'
[WyzeBridge] ☁️ Fetching 'cameras' from the Wyze API...
[WyzeBridge] 🔍 Could not find local cache for 'auth'
[WyzeBridge] ☁️ Fetching 'auth' from the Wyze API...
[WyzeBridge] ⚠️ 403 Client Error: Forbidden for url: https://auth-prod.api.wyze.com/user/login
[2023-07-30 03:22:53,142] ERROR in app: Exception on / [GET]
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 2528, in wsgi_app
response = self.full_dispatch_request()
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1825, in full_dispatch_request
rv = self.handle_user_exception(e)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1823, in full_dispatch_request
rv = self.dispatch_request()
^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask/app.py", line 1799, in dispatch_request
return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/flask_httpauth.py", line 172, in decorated
return self.ensure_sync(f)(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/app/frontend.py", line 65, in index
cam_data=web_ui.all_cams(wb.streams, wb.api.total_cams, host),
^^^^^^^^^^^^^^^^^
File "/app/wyzebridge/wyze_api.py", line 90, in total_cams
return 0 if self.mfa_req else len(self.get_cameras())
^^^^^^^^^^^^^^^^^^^^^^^
TypeError: object of type 'NoneType' has no len()
[WyzeBridge] 192.168.1.149 - - [30/Jul/2023 03:22:53] "GET / HTTP/1.1" 500 -
I don't run a VPN and disabled the MFA to test, and still get the error. Prior to removing/readding wyze-bridge 1-2 of my 3 cameras worked well. Now none of them are seen by homeassistant (but are seen just fine in the wyze app).
@alienjon looks like you're running an older version of the bridge. You need to be on v2.3+ of the bridge as Wyze has made breaking changes to the auth endpoint
Gotcha. Thanks. I was apparently having a problem with the script I ran to update the container (hadn't changed from 'docker-compose' to 'docker compose'). I still seem to be having a streaming issue, but that'll be a whole separate item if I can't figure it out. Thanks :-)
I'm getting the same error:
wyze-bridge | 2023/08/11 20:03:30 [WyzeBridge] 403 Client Error: Forbidden for url: https://auth-prod.api.wyze.com/user/login
It's been running fine until I restarted the container today. When I curl POST the endpoint with my email and pw (encoded), I get an access token in the json payload.
When I curl the headers from it, I get this from Cloudflare:
curl -I https://auth-prod.api.wyze.com/user/login
HTTP/1.1 403 Forbidden
Content-Type: application/json; charset=utf-8
Content-Length: 87
Connection: keep-alive
Server: awselb/2.0
Date: Fri, 11 Aug 2023 22:19:47 GMT
X-Cache: Error from cloudfront
Via: 1.1 faa43279a53f7a194aba33a9a9e24078.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: MIA3-C4
X-Amz-Cf-Id: 12NwCCatr1hCLKtrucatedDU3Ha52cVlIsjOc3Q2w==
My docker-compose.yml has latest tag:
version: '2.4'
services:
  wyze-bridge:
    container_name: wyze-bridge
    restart: unless-stopped
    image: mrlt8/wyze-bridge:latest
but when I start the container, it says:
STARTING DOCKER-WYZE-BRIDGE v1.11.1
Hello. I restarted my container today and I can no longer access the web page or my cameras. I am seeing this in the logs:
[WyzeBridge] Press CTRL+C to quit
[WyzeBridge] ⚠️ 403 Client Error: Forbidden for url: https://auth-prod.api.wyze.com/user/login
[WyzeBridge] {"URL":"https://support.wyze.com/hc/en-us/articles/16129834216731-Creating-an-API-Key"}
[WyzeBridge] 🔍 Could not find local cache for 'user'
[WyzeBridge] ☁️ Fetching 'user' from the Wyze API...
[WyzeBridge] 🔍 Could not find local cache for 'auth'
[WyzeBridge] ☁️ Fetching 'auth' from the Wyze API...
[WyzeBridge] ⚠️ 403 Client Error: Forbidden for url: https://auth-prod.api.wyze.com/user/login
[WyzeBridge] {"URL":"https://support.wyze.com/hc/en-us/articles/16129834216731-Creating-an-API-Key"}
[WyzeBridge] 🔍 Could not find local cache for 'cameras'
[WyzeBridge] ☁️ Fetching 'cameras' from the Wyze API...
[WyzeBridge] 🔍 Could not find local cache for 'auth'
[WyzeBridge] ☁️ Fetching 'auth' from the Wyze API...
[WyzeBridge] ⚠️ 403 Client Error: Forbidden for url: https://auth-prod.api.wyze.com/user/login
[WyzeBridge] {"URL":"https://support.wyze.com/hc/en-us/articles/16129834216731-Creating-an-API-Key"}
[WyzeBridge] Stopping 0 streams
[WyzeBridge] Stopping MediaMTX...
[WyzeBridge] 👋 goodbye!
I tried to access https://auth.wyze.com/ and I see this when I log on
@Menz01 you need to update your container to v2.3.x or newer.
@mrlt8 I have the latest tag on the container. I even blew it away and rebuilt it.
@mrlt8 OK, so I blew it away again and instead of the tag "latest" I used 2.3.17 and it is running now. I have a couple of questions now:
1) Should I make the tag "latest" again and rebuild or leave it?
2) Can the image pull be prefaced with ghcr.io/mrlt8/wyze-bridge:latest, because I was told that would make it not pull from Docker Hub, where I tend to get rate limited?
It's up to you, but you'll usually need to run something like:
docker-compose pull
or
docker compose pull
before restarting the container to actually grab the latest image.
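The stale `latest` case from the posts above (compose file says `latest`, startup banner says v1.11.1), as an added example that is not part of the thread or the project: a shell check that reads a bridge log and separates an outdated image from an auth 403 on a current image. The v2.3 minimum comes from the maintainer's comment; the function names, diagnosis strings and sample log are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not project code): triage an auth 403 from a bridge log.
# MIN_VERSION reflects the maintainer's "v2.3+" statement in this thread;
# the function names and diagnosis strings are hypothetical.
MIN_VERSION="2.3"
AUTH_403='403 Client Error: Forbidden for url: https://auth-prod.api.wyze.com/user/login'

# Print the version from the "STARTING DOCKER-WYZE-BRIDGE vX.Y.Z" banner.
banner_version() {
    sed -n 's/.*STARTING DOCKER-WYZE-BRIDGE v\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Succeed when version $1 is older than $2 (numeric compare per field).
version_lt() {
    [ "$1" = "$2" ] && return 1
    oldest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$oldest" = "$1" ]
}

# triage LOGFILE: print one diagnosis word for the log.
triage() {
    ver=$(banner_version "$1")
    if ! grep -qF "$AUTH_403" "$1"; then
        echo "no-auth-403"
    elif [ -z "$ver" ]; then
        echo "auth-403-version-unknown"
    elif version_lt "$ver" "$MIN_VERSION"; then
        echo "outdated-image"     # tag may say latest; pull before recreating
    else
        echo "check-source-ip"    # current image: suspect VPN/datacenter IP
    fi
}

# Constructed sample log, modelled on the lines quoted in this thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
STARTING DOCKER-WYZE-BRIDGE v1.11.1
[WyzeBridge] 403 Client Error: Forbidden for url: https://auth-prod.api.wyze.com/user/login
EOF
echo "v$(banner_version "$sample"): $(triage "$sample")"
rm -f "$sample"
```

The version check runs before the IP check because a container can keep running an old local image even when the compose file names `latest`.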
After months of DWB being rock solid I'm now getting this error message from Cloudfront. No changes at all at my end.
I restarted the docker container and now I get this error message every time (logs attached). I don't have 2FA enabled. Have tried enabling it and using TOTP (no change). Have also tried https://developer-api-console.wyze.com/#/apikey/view to generate an API key for my account but get a "Get API Key Error" when I login and a "Create API Key Error" when I click the create button.
Logs attached - you'll see references to DWB 2.2.0 and maybe other versions - this is me rolling back releases but the error message is identical every time.
wyze-bridge_logs (5).txt
UPDATE
Just checked out my debug.log and found the first instance of this issue at 2023/06/24 21:07:04 NZT