redfern314 / southwest-search

Search, sort, and filter Southwest flights based on a number of parameters.
MIT License
13 stars 5 forks

Getting 403 error #5

Closed jason701802 closed 2 years ago

jason701802 commented 5 years ago

I'm getting 403 errors when I try this.

redfern314 commented 5 years ago

Sorry, they keep breaking my hacked-together interface. I'll push a fix and let you know if / when it works again.

jipis commented 5 years ago

It seems they've added some magic sauce to the request headers, some of it pretty gnarly. I've confirmed that the cookie isn't necessary, but I haven't had enough time to play with the rest of them to figure out what's needed, what's not, and what might change and bork it all on a regular basis.

From a recent attempt, the full request headers as determined by chromium:

:authority: www.southwest.com
:method: POST
:path: /api/air-booking/v1/air-booking/page/air/booking/shopping
:scheme: https
accept: application/json, text/javascript, */*; q=0.01
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
authorization: null null
content-length: 343
content-type: application/json
cookie: [value omitted]
ee30zvqlwf-a: [long opaque value omitted]
ee30zvqlwf-b: -j78l8z
ee30zvqlwf-c: Awm8bINsAQAA1c5F6Y6y2iefOtloNQej-57NSa3XgoLKDnCfyc5C2oDTKsDxAWMrIQCucn01wH8AAEB3AAAAAA==
ee30zvqlwf-d: o_0
ee30zvqlwf-f: A2Zib4NsAQAACz0Q2le2MOZQVZo2G4lAjIJivoo6Y4Vua8FsD8wL8vCv3_x0AUWPhQ7Vdn01wH8AANyXAAAAAA==
ee30zvqlwf-z: p
origin: https://www.southwest.com
referer: https://www.southwest.com/air/booking/index.html
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/76.0.3809.87 Chrome/76.0.3809.87 Safari/537.36
x-api-idtoken: null
x-api-key: l7xx944d175ea25f4b9c903a583ea82a1c4c
x-channel-id: southwest
x-user-experience-id: 4ce37c40-27ef-406d-a8e5-04b2190a6d5b

redfern314 commented 4 years ago

Did a little looking into this today. SW sure did make this tough to reverse-engineer. The following headers are required:

content-type (already accounted for)
ee30zvqlwf-a
ee30zvqlwf-b
ee30zvqlwf-c
ee30zvqlwf-d
ee30zvqlwf-f
ee30zvqlwf-z
user-agent (can be blank)
x-api-key (already accounted for)
dnt (not actually required, but may as well add)

As you noted, the "magic sauce" is the sticking point. It seems like these are recalculated on each page request via some JS that's loaded before this request is made. The script in question is at https://www.southwest.com/assets/app/scripts/swa-common.js, and consists of a bunch of obfuscated JS and lookup tables that presumably generate the 6 magic fields.

Field f seems to be given verbatim in swa-common.js - on the line that contains e.initCustomEvent (5675 for me after prettifying), it's the first element of the 4th argument.
Field d does not appear to change for me between requests (o_0)
Field z does not appear to change for me between requests (p)

The other 3 (fields a, b, c) are a mystery. I'll keep poking at this, but don't really expect to get anywhere fast.

Pushed 7a78a98 for a quick-fix... at least you can still use the script if you copy/paste the headers from your browser.
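
Added example, not part of the thread or of the project's code: a parser for a header block in the Chromium DevTools layout pasted earlier in this issue. It reports which headers from the required list in the last comment are absent from a capture, and masks cookie, authorization and API-key values so the dump can be shared. The function names, the sensitive-header set and every sample value are assumptions constructed for illustration.

```python
# Added example; the sensitive-header set and all sample values are constructed.
REQUIRED = [  # from the list in the last comment; dnt is described there as optional
    "content-type", "ee30zvqlwf-a", "ee30zvqlwf-b", "ee30zvqlwf-c", "ee30zvqlwf-d",
    "ee30zvqlwf-f", "ee30zvqlwf-z", "user-agent", "x-api-key",
]
SENSITIVE = {"cookie", "authorization", "x-api-key", "x-api-idtoken"}  # assumption
MAX_VALUE = 40  # longer values are replaced by their length


def parse_devtools_headers(text):
    """Split 'name: value' lines; HTTP/2 pseudo-headers start with ':'."""
    pseudo, headers = {}, {}
    for line in text.splitlines():
        line = line.strip()
        sep = line.find(":", 1)  # start at 1 so ':path: /x' gives (':path', '/x')
        if sep == -1:
            continue  # blank or wrapped line, not a header
        name, value = line[:sep].strip().lower(), line[sep + 1:].strip()
        (pseudo if name.startswith(":") else headers)[name] = value
    return pseudo, headers


def missing_required(headers):
    """Presence check only: the thread notes user-agent may be blank."""
    return [name for name in REQUIRED if name not in headers]


def redact(headers):
    """Copy of headers that is safe to paste into a public issue."""
    out = {}
    for name, value in headers.items():
        if name in SENSITIVE:
            out[name] = "<redacted>"
        elif len(value) > MAX_VALUE:
            out[name] = f"<{len(value)} chars>"
        else:
            out[name] = value
    return out


SAMPLE = "\n".join([  # constructed capture, not real traffic
    ":method: POST", ":path: /api/example", "content-type: application/json",
    "cookie: session=CONSTRUCTED", "ee30zvqlwf-a: " + "A" * 200,
    "ee30zvqlwf-d: o_0", "user-agent:", "x-api-key: CONSTRUCTED",
])

if __name__ == "__main__":
    _, hdrs = parse_devtools_headers(SAMPLE)
    print("missing:", missing_required(hdrs))
    print(redact(hdrs))
```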