Open luca-bs opened 1 year ago
Does it just say 403, or is there any other message? And what country is your number from?
Just 403, from my local server. I'm from Italy
Does posting on the toofake.vercel.app website work for you?
Also, what image formats are you uploading? I think only png & jpg are supported by my code.
I am using jpg images, I don't try the online website sorry. I can see my friends posts. I just can't post my photos
So there might be a couple of issues: the images you are posting might already have been posted (that issue happened to me once), or you may have already posted today.
I remember having a similar issue on local dev with a 403 response and it went away after a couple hours. Try using a different device maybe or using the hosted site.
If you could give more specifics on the 403 error message I could maybe help more
Did you try to upload one today @s-alad, does it work for you?
It worked until today, I also get this error. Did they do something to their API maybe?
I tried uploading today and it errors out for me too. Looks like it broke or the server IP is flagged. I'll try to fix
It seems like bereal now uses google signed urls instead of firebase authorization. They use 3 steps to upload an instant realmoji 1: GET google signed url 2: PUT image into google storage and 3: PUT reaction onto post.
How did you find it? Any idea on how could we solve?
Just run through the whole app again with mitm proxy and get all the new URLs :(.
Is that just for realmojis, or also posts
Weirdly, when I call the API at https://mobile.bereal.com/api/feeds/friends with the authorization token given by the website in the headers, it doesn't work, so maybe something changed there too. The website gets my list of friends and comments, but cannot post comments, BeReals or realmojis.
I think it's the same for posts too but i am not too sure
There's a chance they changed their API. I based most of it off this project but there are no reported issues there.
This GitHub repo https://github.com/userbradley/beReal has the endpoints. I combed through with mitm and still see Firebase being used.
strange, i didn't get any firebase urls and i already got it to work with the new google signed urls
How did you get it to work with google signed urls? I'm trying to do it but BeReal uses certificate pinning.
No i mean i can send requests with the new google signed urls that "replaced" the firebase urls. Certificate pinning doesn't have anything to do with it.
Could you share the google signed urls? Also, how did you do the POST request without the authorization code and stuff?
First step for uploading something is to get the google signed url:
GET https://mobile.bereal.com/api/content/{posts|realmojis|(profilepicture*)}/upload-url?mimeType=image%2Fwebp
headers:
- authorization: Bearer YourToken
- accept-encoding: gzip
- user-agent: okhttp/4.10.0
- if-none-match: W/"507-M16WxEgA1LffRgMAGSRIlonfNV8"
(*) idk the url for profile pictures atm
2nd step is to now put the file into the google storage via the google signed url we received:
PUT YourGoogleSignedUrl
headers:
- cache-control: public,max-age=2592000
- x-goog-content-length-range: 1024,1048576
- content-type: image/webp
body: WEBP
And if you want to use the picture you uploaded, for example putting an instant reaction:
PUT https://mobile.bereal.com/api/content/realmojis/instant?postId=IdOfPost&postUserId=IdOfUser
headers:
- authorization: Bearer YourToken
- content-type: application/json
body: { media: { bucket: storage.bere.al, path: PathYouGetFrom2ndStep, width: 500, height: 500 } }
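Why step 2 is sensitive to its headers, as an added example that is not part of the thread or of the toofake code: a simplified HMAC model of a signed upload URL (not Google's actual signing algorithm), assuming the three step-2 headers are covered by the signature. The key, object path and status values are constructed for the model.

```python
import hashlib
import hmac

# Constructed demo values; not real BeReal or Google keys or paths.
DEMO_KEY = b"constructed-demo-signing-key"
DEMO_PATH = "/constructed-bucket/constructed-object.webp"
# The step-2 headers from the post above, assumed here to be signed.
SIGNED_HEADERS = {
    "cache-control": "public,max-age=2592000",
    "content-type": "image/webp",
    "x-goog-content-length-range": "1024,1048576",
}


def canonical(method, path, headers):
    """Method, path, then each signed header as 'name:value', sorted by name."""
    lines = [method.upper(), path]
    lines += [f"{n}:{headers.get(n, '').strip()}" for n in sorted(SIGNED_HEADERS)]
    return "\n".join(lines)


def sign(method, path, headers, key=DEMO_KEY):
    """What the API server does in step 1 before handing out the URL."""
    msg = canonical(method, path, headers).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def check_upload(method, path, headers, body_len, signature, key=DEMO_KEY):
    """What the storage side does in step 2; returns (status, reason)."""
    sent = {k.lower(): v for k, v in headers.items()}
    if not hmac.compare_digest(sign(method, path, sent, key), signature):
        return 403, "signature mismatch"  # a changed or missing signed header
    low, high = (int(x) for x in sent["x-goog-content-length-range"].split(","))
    if not low <= body_len <= high:
        return 400, "length out of range"  # constructed status for the model
    return 200, "ok"


if __name__ == "__main__":
    sig = sign("PUT", DEMO_PATH, SIGNED_HEADERS)
    as_jpeg = dict(SIGNED_HEADERS, **{"content-type": "image/jpeg"})
    print(check_upload("PUT", DEMO_PATH, SIGNED_HEADERS, 50_000, sig))
    print(check_upload("PUT", DEMO_PATH, as_jpeg, 50_000, sig))
    print(check_upload("PUT", DEMO_PATH, SIGNED_HEADERS, 500, sig))
```

In this model a client that sends a different content-type than the one the URL was issued for is rejected before the body is even looked at, and a body outside the 1024 to 1048576 byte range is rejected even with a valid signature.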
Hey, thank you so much for the instructions, I am new to this so I don't know much. If you could, could you instruct me how to obtain the authorization bearer token? I tried to comb through with mitm proxy but couldn't find it in any header :(
Also do you have the endpoint for post instead of real emoji?
Could you share the code snippet you used to make these requests?
It should show in one of the request headers if you are using a mitm proxy, did you get rid of certificate pinning already? Otherwise bereal won't trust your proxy and won't send the requests.
Yes, for posts I am not 100% sure yet, but it's the same as I wrote above: GET https://mobile.bereal.com/api/content/posts/upload-url?mimeType=image%2Fwebp for the google signed url in the 1st step, and the 2nd step is the same, nothing changes. For finally posting a post, the url is: POST https://mobile.bereal.com/api/content/post
header:
body:
Secondary and primary height and width are fixed, with height being 2000 and width 1500. I didn't play around with these values so idk if you can change them.
https://codefile.io/f/sATXPlIv9trm3Ss69vPK Feel free to give me a better place to post the code cuz everyone can edit this one 😂
@hubertoschusch did you get rid of certificate pinning with SSL Kill Switch for jailbroken iOS?
I used rooted virtual android with magisk and SSL unpinning module
what SSL unpinning module/tools did you use? Also are you using MITM proxy or BurpSuite for proxy?
i am using pcapdroid with mitm proxy and i used lsposed with this ssl unpinning module: https://github.com/Xposed-Modules-Repo/io.github.tehcneko.sslunpinning/releases/tag/1-1.0.0
Hey, is this still working for you? I have been trying this past week but I couldn’t get it to work. I unpinned the certificate with the same module but BeReal just refuses to work. I don’t know where to extract the authorization key at all. I just don’t know where you find the Bearer Token.
Yes it is still working for me, could you tell me the steps you are doing?
hubert can you check if posting works on my version of the app? i made the changes based on your code
When I try to post I receive 403 error, how can I solve?