osresearch / hcpy

Python tool to talk to Home Connect appliances over the local network (no cloud required)

hc-login fails with HTTP 403 even though credentials are correct #8

Closed trilader closed 2 years ago

trilader commented 2 years ago

I've added a print statement after the "Did not get a redirect" message to print both the status code as well as the response text and headers:

{
  "error": "access_denied",
  "error_description": "login session expired"
}
{'Date': 'Sun, 06 Mar 2022 22:26:07 GMT', 'Content-Type': 'application/json', 'Content-Length': '78', 'Connection': 'keep-alive', 'access-control-allow-origin': '*', 'access-control-allow-methods': 'GET,POST,OPTIONS,PUT,DELETE', 'access-control-allow-credentials': 'true', 'access-control-allow-headers': 'Authorization,Content-Type,Accept,Cache-Control,Last-Event-ID,If-Modified-Since,X-Requested-With,X-Events-Facade,User-Agent', 'referrer-policy': 'origin', 'x-frame-options': 'sameorigin', 'x-content-type-options': 'nosniff', 'x-xss-protection': '1; mode=block', 'api-gateway-service': 'api-gateway', 'hc-env': 'EU-PRD', 'x-vcap-request-id': '1a9e8b59-a350-4e59-5ed9-5abbc74d3b98'}

Do you have any idea on how to debug this/what I can check? Logging in with the same credentials on my phone works and the app is usable there.

osresearch commented 2 years ago

What country are you in? There might be some hardcoded EU region URLs.

trilader commented 2 years ago

I'm located in Germany.

osresearch commented 2 years ago

I've confirmed that this is happening to me, too. The login page is now returning:

{
  "error": "access_denied",
  "error_description": "login session expired"
}

osresearch commented 2 years ago

There is a new login flow that has a separate step to select the login method. I'll update hc-login to use the new correct URL.

trilader commented 2 years ago

Ah. I didn't know it was different before. I've tried to have a go at this myself and I'm halfway there with setting up an Android emulator with mitmproxy. I still need to patch the app w.r.t. certificate pinning (apktool really took its time unpacking the app).

As you have a working setup I'll likely pause my setup efforts (I only have a little free time left for this today and I am busy tomorrow evening) and have a look on Wednesday if more figuring out is needed.

osresearch commented 2 years ago

Adding redirect_target=icore seems to have fixed it for me. Please let me know if this also fixed it for you!

trilader commented 2 years ago

hc-login works now and, after a quick and dirty MQTT hostname change and a config.json edit (my hostnames are all lower case), hc2mqtt prints that it published messages.

osresearch commented 2 years ago

Glad to hear it worked!

DNS resolved host names should be case insensitive, so you shouldn't have to edit them. My local network (using dnsmasq for DHCP and DNS) does it correctly, but of course that is no guarantee for every network. And I've heard that some embedded mDNS implementations are using strcmp() instead of strcasecmp(), which makes them accidentally case sensitive.

The mqtt config needs to be separated out, I created https://github.com/osresearch/hcpy/issues/6 to remind me to get around to it.
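
The strcmp() versus strcasecmp() difference mentioned in the last comment, shown as an added example that is not part of this thread or of hcpy. The function names and host names are constructed for illustration, and ignoring one trailing root dot is an assumption that goes slightly beyond what the comment describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fold one ASCII letter to lower case; every other byte is unchanged,
 * so the result does not depend on the process locale. */
static unsigned char ascii_lower(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') ? (unsigned char)(c + ('a' - 'A')) : c;
}

/* Length of a name without one trailing root dot ("host.local." vs "host.local"). */
static size_t name_len(const char *s)
{
    size_t n = strlen(s);
    return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}

/* Byte-exact match: the accidentally case-sensitive behaviour of strcmp(). */
int hostname_equal_strict(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* Match that ignores ASCII case and a trailing dot.
 * Returns 1 when both strings name the same host, 0 otherwise. */
int hostname_equal(const char *a, const char *b)
{
    size_t la = name_len(a), lb = name_len(b);
    if (la != lb)
        return 0;
    for (size_t i = 0; i < la; i++) {
        if (ascii_lower((unsigned char)a[i]) != ascii_lower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample names, not taken from the issue. */
    const char *configured = "appliance-example.local";
    const char *announced  = "Appliance-EXAMPLE.local.";
    printf("strict: %d\n", hostname_equal_strict(configured, announced));
    printf("folded: %d\n", hostname_equal(configured, announced));
    return 0;
}
```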