mxrch / GHunt

🕵️‍♂️ Offensive Google framework.

Sapisidhash & Clients6 endpoints #453

Closed llvmx closed 1 year ago

llvmx commented 1 year ago

I see there are some API calls for which the sapisidhash is being used. If I am not mistaken, you can bypass quota limits and other restrictions by using this type of auth method. Now I would like to know if some other API endpoints, which are hosted on clients6 or on googleapis don't work with sapisidhash, because they return INVALID_ARGUMENT with no hint as to why this error appears (even those with no parameters). I have used official API keys to generate the hash in the same way as in this project. It works with oauth, but not with sapisid. Perhaps someone does have resources on this matter? Maybe I am missing certain cookies for the request.

@mxrch Since you worked on this and used it for the Calendar and People requests, I would appreciate it if you could share your knowledge.

mxrch commented 1 year ago

Hi! This auth method doesn't specifically bypass any quota limit / restrictions; the only thing is that some APIs / endpoints require this type of auth (with SAPISIDHASH + cookies), meanwhile others require only cookies, or only oauth2. That's why I have set this parameter on API classes: https://github.com/mxrch/GHunt/blob/a158d7aee1d3745d9588e3c7bf68833ef0c4f526/ghunt/apis/peoplepa.py#L28

llvmx commented 1 year ago

Thanks for the response. Guess it's true there are still limits since Google is limiting per user on their internal projects. However, I was confused why Sapisidhash is used for the calendar/people API, because oauth would have worked out as well I think.

mxrch commented 1 year ago

Because oauth2 is more relevant in mobile apps. You first register a device (your phone), then generate a master token and keep it on the device. And with this master token you generate oauth2 tokens for all the apps you want.

The SAPISIDHASH is more appropriate for a browser because it's only a variation of the SAPISID cookie, and these cookies are variable inside the *.google.com scope, so you don't have to do the oauth2 flow for each Google service you're navigating to.
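To make the "variation of the SAPISID cookie" point concrete, here is an added example (not code from GHunt or from either participant) showing the publicly documented derivation the browser performs: the `Authorization: SAPISIDHASH` value is `<unix timestamp>_<sha1hex("<timestamp> <SAPISID> <origin>")>`, so the same cookie yields a different hash per origin and per second, which is why it fits browser navigation across Google services without an oauth2 flow. The cookie value below is constructed, and the `verify_sapisidhash` acceptance window (`max_skew`) is an assumption that models what a verifier would check; the thread does not state Google's actual tolerance or the exact header set each endpoint expects.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

# Constructed sample cookie value for the demonstration (not a real SAPISID).
SAMPLE_SAPISID = "AbCdEfGhIjKlMnOp/QrStUvWxYz0123456789"


def sapisidhash(sapisid: str, origin: str, timestamp: Optional[int] = None) -> str:
    """Derive the SAPISIDHASH value from a SAPISID cookie for one origin.

    Format: '<timestamp>_<sha1hex>', where the digest covers
    '<timestamp> <SAPISID> <origin>'. The timestamp bounds how long a
    value stays usable; the origin scopes it to a single site.
    """
    if timestamp is None:
        timestamp = int(time.time())
    message = f"{timestamp} {sapisid} {origin}".encode()
    return f"{timestamp}_{hashlib.sha1(message).hexdigest()}"


def authorization_headers(sapisid: str, origin: str, timestamp: Optional[int] = None) -> Dict[str, str]:
    """Headers a browser-style client sends alongside the SAPISID cookie.

    Only the Authorization and Origin headers are shown; which additional
    headers or cookies a given endpoint requires is not covered by the thread.
    """
    return {
        "Authorization": f"SAPISIDHASH {sapisidhash(sapisid, origin, timestamp)}",
        "Origin": origin,
    }


def verify_sapisidhash(header_value: str, sapisid: str, origin: str,
                       now: int, max_skew: int = 3600) -> bool:
    """Model of the server-side check (assumed; Google's real rules are not on the page).

    Rejects malformed values, values outside the time window, and values
    minted for a different origin or a different cookie.
    """
    prefix = "SAPISIDHASH "
    if not header_value.startswith(prefix):
        return False
    ts_str, sep, digest = header_value[len(prefix):].partition("_")
    if not sep or not ts_str.isdigit():
        return False
    ts = int(ts_str)
    if abs(now - ts) > max_skew:
        return False
    expected = hashlib.sha1(f"{ts} {sapisid} {origin}".encode()).hexdigest()
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    ts = 1700000000
    value = sapisidhash(SAMPLE_SAPISID, "https://calendar.google.com", ts)
    print(authorization_headers(SAMPLE_SAPISID, "https://calendar.google.com", ts))
    # Same cookie, same time, different origin: a separate value.
    print(sapisidhash(SAMPLE_SAPISID, "https://people-pa.clients6.google.com", ts))
    # A value minted for calendar does not verify for another origin.
    print(verify_sapisidhash(f"SAPISIDHASH {value}", SAMPLE_SAPISID,
                             "https://people-pa.clients6.google.com", ts))
```

Running the script shows that one cookie produces a distinct hash per origin and that a value minted for one origin fails verification elsewhere, which is the property that lets a browser reuse the `*.google.com` cookie without re-authenticating per service.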