
Tesla WAF #42

Closed
uhthomas opened this issue Mar 10, 2021 · 8 comments

@uhthomas
Collaborator

uhthomas commented Mar 10, 2021

Hi!

So, it looks like Tesla has updated their WAF again. After some experimenting, I've managed to get something working.

https://github.com/uhthomas/tesla/compare/f00d0e07a2b61907751647920f5b7c1f8197c07a..1caf33b692d9258ef27505b335ee3aa8869c1e8d

The changes are:

  • Include an Accept with */*
  • Include an Accept-Encoding with gzip, deflate, br
    This is paired with a custom round tripper which is capable of decoding gzip responses.
  • Randomize the User-Agent header every 6 hours
    The user agent can't always be random, as logging in is expected to keep the same user agent for the entire flow.
@andig
Collaborator

andig commented Mar 11, 2021

Similar issues all around, see teslamate-org/teslamate#1412 and teslamate-org/teslamate@9fee2b5 for a fix. I was wondering if the User-Agent is really required or if it shouldn't be enough to use the same UA as the official app?

@andig
Collaborator

andig commented Mar 11, 2021

@uhthomas according to https://golang.org/pkg/net/http/ it should be possible to set accept-encoding: gzip without the need to add a custom transport (check docs on DisableCompression). That would play more nicely with users providing their own client.

@andig
Collaborator

andig commented Mar 11, 2021

I can confirm that the changes are working. The transport is needed to inject the user agent into the login process and not only afterwards.

@uhthomas I'd be happy to integrate this with #43, or do you want to take a stab?

@uhthomas
Collaborator Author

I think the Go HTTP client will send the Accept-Encoding: gzip header by default, but I had to specify the other fields for it to work.

There are some more complications, it looks like the clients are heavily rate-limited. Whether it's by IP, token or what, I don't know.

[image: graph]

The graph shows points in time for where the exporter was able to get through, and where it wasn't. The error becomes

  | 2021-03-11 10:37:40 | 2021/03/11 10:37:40 list vehicles: do: Get "https://owner-api.teslamotors.com/api/1/vehicles": oauth2: cannot fetch token: 403 Forbidden
  | 2021-03-11 10:37:40 | Response: <HTML><HEAD>
  | 2021-03-11 10:37:40 | <TITLE>Access Denied</TITLE>
  | 2021-03-11 10:37:40 | </HEAD><BODY>
  | 2021-03-11 10:37:40 | <H1>Access Denied</H1>
  | 2021-03-11 10:37:40 |  
  | 2021-03-11 10:37:40 | You don't have permission to access "http&#58;&#47;&#47;auth&#46;tesla&#46;com&#47;oauth2&#47;v3&#47;token" on this server.<P>
  | 2021-03-11 10:37:40 | Reference&#32;&#35;18&#46;5d2b1102&#46;1615459060&#46;61779f9
  | 2021-03-11 10:37:40 | </BODY>
  | 2021-03-11 10:37:40 | </HTML>
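
A minimal Go round tripper of the kind this thread describes, added here as an example rather than code from the tesla module or teslamate: it injects the Accept, Accept-Encoding and User-Agent headers on every request (the OAuth2 token requests included, since they go through the same client) and unwraps gzip bodies itself, because net/http skips transparent decompression once Accept-Encoding is set explicitly (the DisableCompression behaviour andig points to). The names headerTransport and NewClient are assumptions; rotating the user agent on a timer is left to the caller.

```go
package main

import (
	"compress/gzip"
	"io"
	"net/http"
)

// headerTransport wraps a base RoundTripper (assumed name). It sets the headers the
// issue lists on every request and keeps one User-Agent for the whole session.
type headerTransport struct {
	base      http.RoundTripper
	userAgent string
}

func (t *headerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // a RoundTripper must not mutate the caller's request
	r.Header.Set("Accept", "*/*")
	r.Header.Set("User-Agent", t.userAgent)
	r.Header.Set("Accept-Encoding", "gzip, deflate, br")
	resp, err := t.base.RoundTrip(r)
	if err != nil {
		return nil, err
	}
	// Accept-Encoding was set by us, so net/http leaves the body compressed; unwrap
	// gzip here. deflate and br are advertised but passed through undecoded.
	if resp.Header.Get("Content-Encoding") == "gzip" {
		gz, err := gzip.NewReader(resp.Body)
		if err != nil {
			resp.Body.Close()
			return nil, err
		}
		resp.Body = struct {
			io.Reader
			io.Closer
		}{gz, resp.Body} // read decoded bytes, close the underlying network body
		resp.Header.Del("Content-Encoding")
		resp.Header.Del("Content-Length") // no longer describes the decoded body
		resp.ContentLength = -1
	}
	return resp, nil
}

// NewClient returns an http.Client whose transport injects the headers above.
func NewClient(userAgent string) *http.Client {
	return &http.Client{Transport: &headerTransport{base: http.DefaultTransport, userAgent: userAgent}}
}
```

Handing this client to the OAuth2 library is what gets the headers onto the token request as well as the API calls.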

@andig
Collaborator

andig commented Mar 11, 2021

Cannot fetch token sounds as if it's actually logging in at that time. That should only happen very rarely?

@uhthomas
Collaborator Author

It happens quite often - these OAuth2 tokens only live for a short while.

@andig
Collaborator

andig commented Mar 11, 2021

@uhthomas should I merge your changes with #43?

@andig
Collaborator

andig commented Mar 26, 2021

Closed in #43

@andig andig closed this as completed Mar 26, 2021