search

zxol / airbnbapi

Unofficial airbnb.com REST API wrapper for node.js
MIT License
218 stars 52 forks source link

API v3 (GraphQL) #39

Open axos88 opened 4 years ago

axos88 commented 4 years ago

It seems the website started using the V3 of the API which seems to be a GraphQL API.

Has anyone tried accessing that API? Has anyone had success authenticating to it? If yes, then all our troubles around finding the correct formats, api endpoints go away, since graphql is more or less self-documenting.

KNTH01 commented 4 years ago

Do you have an example of the endpoint query?

axos88 commented 4 years ago

Seems like not everything is calling the new API yet. The /progress/ratings is though. Just take a look at your reviews and set your WDT to show XHR requests, and start paging.

Here's the request:

Request URL: https://www.airbnb.hu/api/v3?locale=hu&currency=HUF&operationName=ReviewOverviewQuery
Request Method: POST
Status Code: 200 
query ReviewOverviewQuery($input: porygonGetReviewsRequestInput!) {
  porygon {
    getReviews(request: $input) {
      reviews {
        id
        rating
        reviewer {
          hostName
          profilePicPath
          __typename
        }
        comments
        privateFeedback
        reservation {
          checkIn
          checkOut
          tierId
          confirmationCode
          listing {
            id
            name
            __typename
          }
          __typename
        }
        reviewHighlight {
          localizedTags
          highlightKey
          title
          __typename
        }
        __typename
      }
      ...CategoryReviewTagSections_plusReviewHighlights
      __typename
    }
    __typename
  }
}

fragment CategoryReviewTagSections_plusReviewHighlights on porygonGetReviewsResponse {
  reviews {
    plusReviewHighlights {
      reviewTagType
      reviewCategoryTag
      sections {
        negative {
          reviewTagTypes
          reviewCategoryTag
          __typename
        }
        positive {
          reviewCategoryTag
          reviewTagTypes
          __typename
        }
        __typename
      }
      __typename
    }
    __typename
  }
  __typename
}
"
variables: {input: {revieweeId: 13381212, listingId: null, offset: "4", limit: 4, rating: null, role: "guest"}}
axos88 commented 4 years ago

Ok followoup:

Seems like the _aat cookie contains the authentication token. Not sure how to obtain it, or how long it's valid for though. I just used dev tools to extract my own when poking the airbnb website. It's been valid the last couple of hours even though I closed the browser in the meantime.

Introspection is disabled on the server side, so we won't be able to extract all the possibilities, but the typenames are returned, so it should be possible to more-or-less figure out the fields for each based on the requests made by the web frontend.

curl 'https://www.airbnb.com/api/v3?locale=en&currency=HUF&operationName=ReviewOverviewQuerya' -H 'x-airbnb-api-key: d306zoyjsyarp7ifhu67rjxn52tv0t20'  -H 'content-type: application/json'   -H 'x-airbnb-graphql-platform: web'      -H 'Cookie: _aat=<SNIP>;' --data-binary $'{"operationName":"ReviewOverviewQuery","variables":{"input":{"revieweeId":<SNIP>,"listingId":null,"offset":"4","limit":4,"rating":null,"role":"guest"}},"query":"query ReviewOverviewQuery($input: porygonGetReviewsRequestInput\u0021) {\\n  porygon {\\n    getReviews(request: $input) {\\n      reviews {\\n        id\\n        rating\\n        reviewer {\\n          hostName\\n          profilePicPath\\n          __typename\\n        }\\n        comments\\n        privateFeedback\\n        reservation {\\n          checkIn\\n          checkOut\\n          tierId\\n          confirmationCode\\n          listing {\\n            id\\n            name\\n            __typename\\n          }\\n          __typename\\n        }\\n        reviewHighlight {\\n          localizedTags\\n          highlightKey\\n          title\\n          __typename\\n        }\\n        __typename\\n      }\\n      ...CategoryReviewTagSections_plusReviewHighlights\\n      __typename\\n    }\\n    __typename\\n  }\\n}\\n\\nfragment CategoryReviewTagSections_plusReviewHighlights on porygonGetReviewsResponse {\\n  reviews {\\n    plusReviewHighlights {\\n      reviewTagType\\n      reviewCategoryTag\\n      sections {\\n        negative {\\n          reviewTagTypes\\n          reviewCategoryTag\\n          __typename\\n        }\\n        positive {\\n          reviewCategoryTag\\n          reviewTagTypes\\n          __typename\\n        }\\n        __typename\\n      }\\n      __typename\\n    }\\n    __typename\\n  }\\n  __typename\\n}\\n"}' --compressed
axos88 commented 4 years ago

It's coming from the /authenticate request:

curl 'https://www.airbnb.hu/authenticate' -H 'authority: www.airbnb.hu' -H 'origin: https://www.airbnb.hu' -H 'x-csrf-token: <SNIP>' -H 'x-csrf-without-token: 1' -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.79 Safari/537.36' -H 'x-airbnb-recaptcha-token:  <SNIP>' -H 'content-type: application/x-www-form-urlencoded; charset=UTF-8' -H 'accept: application/json, text/javascript, */*; q=0.01' -H 'cache-control: no-cache' -H 'x-requested-with: XMLHttpRequest' -H 'sec-fetch-site: same-origin' -H 'sec-fetch-mode: cors' -H 'referer: https://www.airbnb.hu/login' -H 'accept-encoding: gzip, deflate, br' -H 'accept-language: en-US,en;q=0.9,hu;q=0.8' -H 'cookie: <SNIP>' --data 'redirect_params=&email=<SNIP>&password=<SNIP>&from=email_login&airlock_id=&origin_url=https%3A%2F%2Fwww.airbnb.hu%2Flogin&page_controller_action_pair=' --compressed

It returns a set-cookie header with the value. The cookie is valid for 2 years, so maybe the token is valid too?

a-eid commented 4 years ago

@axos88 does the sites authenticate request return a token ? or does it setup a session ?

I wasn't able to figure this out.. I was able to automate the signin process but I wasn't able to get access to the token ?

axos88 commented 4 years ago

It turns out it is possible to use the apiv3 with the same oauth access token as the v2 and v1. Login to the site is not possible automate, in that one the captcha strong be. They really only want humans to sign in there. Not necessary either, as the other tokens work.

axos88 commented 4 years ago

IIRC just supply the x-airbnb-oauth-token header, just like in case of v2

kg69design commented 4 years ago

Does someone have a success to get results with API V3 ? I'm trying to get results from this query: https://www.airbnb.com/api/v3/ExploreSearch?locale=en&operationName=ExploreSearch...

but always have in response: "PERSISTED_QUERY_NOT_FOUND"

oiojin831 commented 4 years ago

Can anyone help me to try API V3 with Insomnia(or postman). I tried with my v2 token and it keeps saying that I have to login. and I tried with _aat but I am getting same result

Screen Shot 2020-09-23 at 5 01 36 PM Screen Shot 2020-09-23 at 5 01 22 PM

I replaced <_aat> with mine

I think I am missing something.

childnick commented 3 years ago

Is anyone able to query the v3 api? I can't get it to work... any help would be great.

masoodanwar85 commented 3 years ago

Can anyone help me to try API V3 with Insomnia(or postman). I tried with my v2 token and it keeps saying that I have to login. and I tried with _aat but I am getting same result

Screen Shot 2020-09-23 at 5 01 36 PM Screen Shot 2020-09-23 at 5 01 22 PM

I replaced <_aat> with mine I think I am missing something.

Change the URL from 'https://www.airbnb.co.kr/api/v3/' to 'https://api.airbnb.co.kr/v3/', and use x-airbnb-oauth-token in the header. This might help.

whatserface commented 10 months ago

I was trying to request as above, but for a while I was getting: {"success": false / and some other pair, I don't remember it now/}. Then suddenly airbnb started responding like: You can't access airbnb.com/api/v3, access denied.