mychaelgo / gojek

Un-official Gojek & GoPay API Wrapper
MIT License
59 stars, 15 forks

mfa:customer_send_challenge:challenge_required #20

Closed chrishubert closed 1 year ago

chrishubert commented 1 year ago

Hello!

Thanks for sharing the Swagger! I'm trying to use it as well for personal finance 👍 I receive a 403 Forbidden once I submit the OTP code:

```json
{
    "data": null,
    "success": false,
    "errors": [
        {
            "code": "mfa:customer_send_challenge:challenge_required",
            "message": "You are forbidden",
            "message_title": "Forbidden",
            "details": {
                "challenge_token": "34e87bf1-XXXX-XXXX-XXXX-b0efc3fadef6",
                "require_all": true,
                "recovery_methods": [
                    "email"
                ],
                "ranked_mfa": [
                    {
                        "name": "GoPay Pin 2FA",
                        "enabled": true,
                        "title": "Enter GoPay PIN",
                        "subtitle": "Enter GoPay PIN"
                    },
                    {
                        "name": "App Pin 2FA",
                        "enabled": false,
                        "title": "Enter App PIN",
                        "subtitle": "Enter App PIN"
                    },
                    {
                        "name": "Email 2FA",
                        "enabled": true,
                        "title": "Get code on email",
                        "subtitle": "Get code on email"
                    },
                    {
                        "name": "In-app 2FA",
                        "enabled": true,
                        "title": "Use old phone",
                        "subtitle": "Use old phone"
                    }
                ],
                "challenges": [
                    {
                        "name": "GoPay Pin 2FA",
                        "place_holder_text": "Please enter your Gopay Pin for 2fa",
                        "gopay_challenge_id": "0d16cce1-XXXX-XXXX-XXXX-a63fad9aea14",
                        "app_pin_challenge_id": "00000000-0000-0000-0000-000000000000"
                    }
                ]
            }
        }
    ]
}
```

Could you please share the endpoint to pass this step?

mychaelgo commented 1 year ago

@chrishubert did you turn on the 2-layer protection? Can you share what function you used to get a response like that?

chrishubert commented 1 year ago

@mychaelgo I got this from POST /goid/token, and the option "Account Safety" -> "Two-Layer protection" is disabled in the Go-Jek app.

I tried logging out from the app, without success either.

mychaelgo commented 1 year ago

@chrishubert

Can you try?

POST https://customer.gopayapi.com/api/v1/users/pin/tokens

data:

```json
{
    "challenge_id": "[YOUR gopay_challenge_id from goid token ]",
    "client_id": "[RANDOM STRING]-MFAGOJEK",
    "pin": "[YOUR 6 digits PIN]"
}
```

They changed the flow 😞

chrishubert commented 1 year ago

@mychaelgo I tried multiple random strings for the client_id part without success. Thanks for your help, by the way! I tried to MITM the app, without success yet. 😅


mychaelgo commented 1 year ago

I just tried this flow yesterday and can't replicate it again 🤔; I can still log in without MFA.

chrishubert commented 1 year ago

@mychaelgo I managed to pass the step by using a random hex string for the x-uniqueid & x-session-id headers:

```
x-uniqueid: EEEEEEEE
x-session-id: EEEEEEEE
```

(Looks like I was using another session that was somehow flagged on their side) 🎉 Thanks for the help!

pppokeran commented 1 year ago

> @mychaelgo I managed to pass the step by using a random hex string for the x-uniqueid & x-session-id headers:
>
> ```
> x-uniqueid: EEEEEEEE
> x-session-id: EEEEEEEE
> ```
>
> (Looks like I was using another session that was somehow flagged on their side) 🎉 Thanks for the help!

Hi @chrishubert, would you mind sharing how you managed to pass the MFA?

What I have done :

What I found: some accounts require the challenge token and some do not; every account has 2FA disabled.

Hope to get some information from you or @mychaelgo. Thank you.

chrishubert commented 1 year ago

@pppokeran make sure you keep a consistent x-uniqueid & x-session-id across requests. Keep it associated with the phone number across multiple sessions. I ended up using the phone number itself for both headers and I went through without hitting the MFA.

pppokeran commented 1 year ago

Thank you for your response, @chrishubert.

When an account connected, yes, I kept the x-uniqueid and x-session-id associated with the account. But this MFA thing happened, same as in your case, when getting the access token, and I cannot pass.

Every time I cannot pass, I generate a new x-uniqueid and x-session-id and make sure they differ from the previously generated ids (I record every generated one), but I still cannot pass.

chrishubert commented 1 year ago

@pppokeran, have you tried using the phone_number value as the content for x-uniqueid and x-session-id? Also, confirm that "Account Safety" -> "Two-Layer protection" is turned off for the given account.

pppokeran commented 1 year ago

@chrishubert 🙏 putting phone_number in the header or in the generated x-uniqueid? I have not tried them yet. Yes, I have made sure the "Two Layer protection" is turned off.

chrishubert commented 1 year ago

> @chrishubert 🙏 putting phone_number in the header or in the generated x-uniqueid? I have not tried them yet. Yes, I have made sure the "Two Layer protection" is turned off.

@pppokeran I mean for the headers, you can use:

```
x-uniqueid: 81288888888
x-session-id: 81288888888
```

Where 81288888888 is the user phone number.

pppokeran commented 1 year ago

Thanks @chrishubert for the response. I have tried it and still have not resolved this 2FA thing.

I also tried decoding the APK, and I really appreciate @mychaelgo for getting this API to work. It is a headache, or I cannot decode it properly (I used dex2jar).

And then I am trying to get the access token with GoIdVerifyMFAOtpRequest with data GoIdVerifyMfaOtpRequestData from decoding the APK:

```php
$payload = [
    'client_id'     => self::clientId,
    'client_secret' => self::clientSecret,
    'data'          => [
        // challenge_token taken from the 403 response of POST /goid/token
        'challenge_token' => $challenge_token,
        'challenges'      => [
            [
                'name'  => 'GoPay Pin 2FA',
                'value' => $pin,
            ],
        ],
    ],
    'grant_type'    => 'challenge',
    'scope'         => [],
];
```

The result is "Invalid JWT Token", so I assume maybe there is a way to get the token.

Then I found `TokenizePinRequest` inside the APK and cannot get this class to work. 😀

That's it. If either of you knows how to get the token, it would be great. I'll get back after I find something. 🙇