Forbidden again | Migrate to new auth ?

[RobertWojtowicz]

Hi,
@abrander @davidkroell

Again there is a problem with authorization, maybe the solution is a new method of authorization? (OAuth):
petergardfjall/garminexport#104

The problem is already reported in 2 threads using bodycomposition (based on the garmin-connect library):
RobertWojtowicz/export2garmin#31
davidkroell/bodycomposition#19

BR,
Robert

[davidkroell]

They are using matin/garth which is written in python. I think we'll need a Golang port for that to fix authentication flow again.

@abrander are you willing to implement this?

[abrander]

This one is irritating. We're getting caught in Cloudflare's anti-bot system. I would really like to know if Garmin changed something to get rid of third-party API usage, if Cloudflare changed something, or if the "web department" at Garmin simply turned on bot-protection for the complete garmin.com-domain without considering the API endpoints. If Garmin is actively trying to deter third parties from using the API this will turn into a year-long whack-a-mole, which will be fun but time-consuming.

@davidkroell You're mentioning OAuth - fun fact: The initial version of this package (before publishing to Github) did, in fact, use oauth2, but I opted for automating the web-based flow before publishing. I'm not not willing to implement this again ;-)

I don't know the best way forward. OAuth1/2 is well-understood as a protocol. Still, I like that we have existed for almost five years without leaking Garmin secrets and being honest about who we are - and I would like to continue doing exactly that.

Another well-known Garmin API project makes the OAuth tokens available in Amazon S3 - maybe we can retrieve those at runtime? Then we don't actually publish them ourselves, but it would still work out of the box for end-users..?

I see some options:

• A1: Just steal the damn oath tokens from the app and hardcode.
• A2: Retrieve the tokens from another project at runtime.
• B1: Get better at imitating a browser and lie to Cloudflare (and Garmin).
• B2: Use a real browser using Selenium or similar.

Technically I think A1 and A2 are the easiest to implement.

[matin]

Garth maintainer here.

Some comments:

• the oauth1 token is valid for a year, which is a game changer for anyone with MFA
• I don't recommend hard-coding the keys. You mentioned one of the reasons. There's another reason as well. Garmin could update them

[RobertWojtowicz]

Hi @abrander

Any good news in solving this problem ?
Unfortunately alternate YAGCC client does not support ARMv6 (older RPi).
RobertWojtowicz/export2garmin#34

I'd like to return to the good bodycompositon solution created by @davidkroell

BR,
Robert

[RobertWojtowicz]

Hi, @abrander

I created a new version based on this solution, a very useful approach with tokens:
https://github.com/cyberjunky/python-garminconnect
https://github.com/RobertWojtowicz/miscale2garmin/blob/master/import_tokens.py
https://github.com/RobertWojtowicz/miscale2garmin/blob/master/export_garmin.py

BR,
Robert