Error 400 on /api/refresh API route

[mth-bou]

The API routes to connect and verify via the phone number work, but the route to refresh the token hasn't worked for 2 days. It looks like the BeReal API has been modified regarding token refresh.

I tested this directly on your toofake.lol app.

Message from my console :

Request headers :

The payload sent :

Response :

Do you think you can find out what's causing the problem? Thanks

[retoheusser]

I'm experiencing something similar, my refresh token seems to only work for a very short timeframe since two days. I will investigate a bit when I have time (which I don't currently 🤪 )

[retoheusser]

Looks like refreshing a refresh_token in the endpoint https://auth.bereal.com/token?grant_type=refresh_token only works for one hour now which corresponds to the lifetime of the firebase access token (https://securetoken.googleapis.com/v1/token?) that is needed to obtain a refresh token (https://auth.bereal.com/token?grant_type=firebase).

Seems that now the round-trip is needed to first refresh the firebase token on the googleapis endpoint and then get a BeReal token on the token endpoint with grant_type=firebase.

Did anyone else also have this issue / made this observation / can confirm this? 🤔

[NOctu1412]

Yeah I'm also having this issue. Btw can you tell me how are you investigating the issue, I'd like to help.

[retoheusser]

@NOctu1412 this is the token refresh part that still works and seems the way to go forward instead of directly refreshing a BeReal access token: https://github.com/s-alad/toofake/blob/main/client/pages/api/otp/fire/verify.ts#L55-L105 This means the Firebase refresh token needs to be stored instead of the BeReal refresh token and every time the BeReal access token becomes invalid (after 1 hr), a new BeReal access token must be obtained through the linked code (two requests, first get a Firebase access token using the Firebase refresh token and exchange that for a BeReal access token).

[NOctu1412]

@retoheusser Ok thanks I managed to replay all the requests so yeah I understand, I'll implement that locally and when I'll think it's stable I'll make a pull request I think.

[NOctu1412]

@retoheusser Also, while I'm doing that, do you know the endpoint to get the 3 pinned bereal of friends ?

[FH-DEV1]

GET to url "https://mobile.bereal.com/api/feeds/memories-v1/pinned-memories/for-user/${userId}" with your bearer token in headers

[NOctu1412]

@FH-DEV1 thanks, I just fixed the refresh issue, I was gonna push, I'll add that later. By the way, can I ask you how you are reversing the api ?

[FH-DEV1]

this article is a great guide https://bereal.fowled.dev/articles/intercept

[NOctu1412]

Perfect thanks !

[mth-bou]

Perfect thanks !

You can also take a look at this some unofficial doc : https://userbradley.github.io/BeReal/ (check that it's regularly updated)

Thanks for your update about this issue !

[s-alad]

Thanks guys ❤️

[NOctu1412]

@mth-bou @FH-DEV1 Do you know why some requests always respond me this: { statusCode: 400, errorKey: null, data: null, fields: null, timestamp: '2024-06-22T17:00:02.083Z', requestId: '0fdsfdsfdsfdsfdsf252dgdfgfdea' }

I managed one time to achieve one by replaying the exact same that http toolkit gave me but otherwise I can't manage to execute one of these request successfuly. For example I can't execute: https://mobile.bereal.com/api/search/profile?query=..., also the friend request one and some others...

All the other requests work nice.

[s-alad]

Question about your recent PR moving everything to Firebase as default, is Vonage not supported / working at all anymore?

[retoheusser]

I didn't look closely at the recent PR but I think the login has not been touched at all. It was only about refreshing a token when you're already logged in. I cannot really tell about the login, as this has never worked with my phone number using this client unfortunately. But when logging in via Vonage, does this also get you a Firebase token eventually, or not at all?

[NOctu1412]

@s-alad @retoheusser In fact I touched the login just a little bit to store the firebase refresh token and id token in the local storage, nothing more.

[NOctu1412]

For me Vonage has never worked (even 1 year ago) so idk.