Login process has been changed #79

Closed
DylanVanAssche opened this issue Aug 10, 2016 · 59 comments
@DylanVanAssche

DylanVanAssche commented Aug 10, 2016

The method used to get a Facebook token to log in to Tinder doesn't work anymore.

https://www.facebook.com/dialog/oauth?client_id=464891386855067&redirect_uri=https://www.facebook.com/connect/login_success.html&scope=basic_info,email,public_profile,user_about_me,user_activities,user_birthday,user_education_history,user_friends,user_interests,user_likes,user_location,user_photos,user_relationship_details&response_type=token

Tinder blocked all the login clients except their own methods. I tried to proxy their traffic with Charles, but Facebook uses CA cert validation, which rejects the Charles cert.

Has anyone a better idea to get a FB token?

@roperi

roperi commented Aug 10, 2016

I didn't have any problem getting it with Charles

@charliewolf
Owner

@modulebaan how does tinderjs do it? that seems to still work.

@DylanVanAssche
Author

@charliewolf
They ask the user to provide the FB_token, they haven't a routine to get it.

@h-2-0
For some reason the Facebook login page rejects the Charles certificate on my phone. Web browsing works fine though.

@SirWhiteHat

If it's any clue; around the same time I stopped being able to log in via the app on 4G, but could over wifi... cannot imagine how it could be related but it does correlate.

@roperi

roperi commented Aug 11, 2016

@modulebaan

I just tested and got the right token using Charles while logging in to Tinder from my mobile. I didn't see any problem.

@Jackojc

Jackojc commented Aug 11, 2016

I seem to have the issue of the token expiring either after the time is up or I log out on the mobile app.

@DylanVanAssche
Author

@h-2-0
You can get it with Charles but if you want to build that in an app?
I used webview with oauth2 to get an auth token. That's blocked now by Tinder.

@SirWhiteHat

@h-2-0 I can get a token using the above link and substituting fbconnect://success as the redirect_uri and looking at the response payload; can that be substituted into your method using webview? Would you be able to share?

@roperi

roperi commented Aug 12, 2016

@SirWhiteHat

I am not familiar with webview. I use Charles Proxy to intercept traffic between my phone and Tinder to get the long duration FB_TOKEN.

@Jackojc
Are you getting the short-term or long-term token? The link above gets you a FB token that lasts a few hours. The one I'm getting lasts several days if not months.

@roperi

roperi commented Aug 12, 2016

@modulebaan

Is your app phone based? Because with Pynder (desktop based) I can log in without problems (although I'm not sure if the token is short or long term).

@SirWhiteHat

Sorry @h-2-0 , I meant to address @modulebaan.

I can get a token using the above link when substituting fbconnect://success as the redirect_uri and looking at the response payload; can that be substituted into your method using webview? Would you be able to share?

@DylanVanAssche
Author

@SirWhiteHat

Can you give the full URL you use?

@SirWhiteHat

@modulebaan

https://www.facebook.com/dialog/oauth?client_id=464891386855067&redirect_uri=fbconnect://success&scope=basic_info%2Cemail%2Cpublic_profile%2Cuser_about_me%2Cuser_activities%2Cuser_birthday%2Cuser_education_history%2Cuser_friends%2Cuser_interests%2Cuser_likes%2Cuser_location%2Cuser_photos%2Cuser_relationship_details&response_type=token&__mref=message

Token comes back after clicking "OK". Haven't automated this bit (hoping that you might have with webview). I use this to get a token without having to set up a proxy etc.

@DylanVanAssche
Author

Nice! Yes, I automate this by reading the URL every time it changes, and as soon as the auth token is available I save it.

@SirWhiteHat

@modulebaan Glad it worked for you. I don't follow; I don't think the token is returned as part of a URL with this link, does that mean that your automation method does not work here?

@flyfj

flyfj commented Aug 13, 2016

Care to explain more on how to get the token after clicking OK on the URL page? @SirWhiteHat

@DylanVanAssche
Author

@SirWhiteHat After clicking OK the token is hidden in the url where you're redirected to.
My method works fine with this new URL :)

@flyfj
See your address bar for the URL. Split the URL as a string and you're done in webview.

@enric1994

It works @SirWhiteHat
What is the duration of the token? Any suggestion to auto refresh the token?

@DylanVanAssche
Author

duration is listed in seconds in the url 'expires in'
Long access token -> app secret needed

@DylanVanAssche
Author

At the moment I'm not at home, but in the browser of my Jolla smartphone it works.

@enric1994

Any guide or suggestion to get the app secret?

@DylanVanAssche
Author

I suggest you start with Charles proxy to see how the Tinder app makes the long token request.

@SHABINTHEGREAT

Just a shortened link to the URL above – in case, anyone wants to try it:
http://rs.gs/FBTK

@DylanVanAssche
Author

Just tested it at home in Firefox and it works great! Thank you all 👍

@SirWhiteHat

So, I can do this by using the developer console and picking out the token from a hand-picked response after loading the above link and submitting the form; has anybody found a way to automate this from python? i.e. something that can be called if it fails to authenticate, that will return a new token as a string and use it to log in, transparently?

Doesn't have to be a non-expiring one as it can always poll for a new one! Thanks

@DylanVanAssche
Author

I did it with a webview but pure in Python I don't know how (emulating the browser would be an option)

@SirWhiteHat

I'm struggling to get it to work with a webview. Please could you share a code snippet on this? :)

Sent from my iPhone

On 16 Aug 2016, at 22:56, Dylan Van Assche notifications@github.com wrote:

I did it with a webview but pure in Python I don't know how (emulating the browser would be an option)



@DylanVanAssche
Author

Yes I can :) if you promise not to publish it publicly online.
If I publish it here then we have to find another way since they will block that one too. Give me your e-mail and I will send it also to you.

@Jackojc

Jackojc commented Aug 17, 2016

Yeah, Dude I completely understand if you don't want to make it public. Anyway, My email is "jackojc@gmail.com"

@SirWhiteHat

Hi @modulebaan , you can get me at olliehawkerrandom@gmail.com

Thanks a lot! I've been stuck on this for a while.

@DylanVanAssche
Author

Check your e-mail guys ;)

@roperi

roperi commented Aug 18, 2016

@modulebaan
Please share the love to me too ;)

pynderista@hmamail.com

Thank you!

@DylanVanAssche
Author

Check your e-mail :p

@roperi

roperi commented Aug 19, 2016

Thanks so much, @modulebaan !

@charliewolf
Owner

Not sure I agree that emailing this is the best method. @modulebaan People are using the same method you are using (including you) in publicly available apps. Tinder is no doubt well aware. I'd love if we could keep in the spirit of open source and make this work public. Thoughts?

@DylanVanAssche
Author

@charliewolf
I can post it here but it's written in QML (will do that later this day)
The trick is the following:

  1. Load the URL (see above) in the webview
  2. In my webview I get an error when I log in for the first time. Just click 'go back' and FB will give you a token in the URL.
  3. Give the URL to Python and split it as a string to extract the token

@DylanVanAssche
Author

```qml
import QtQuick 2.2
import QtWebKit 3.0
import QtWebKit.experimental 1.0
import Sailfish.Silica 1.0
import io.thp.pyotherside 1.3

Page {

property string fb_token: ''
property string fb_id: ''

PageHeader {
    id: header
    anchors.top: parent.top
    title: qsTr("Logging in...")
    visible: false
}

ViewPlaceholder {
    id: message
    anchors.centerIn: parent
    enabled: false
    text: qsTr("Connecting to Tinder servers...")
}

Button {
    id: retry
    anchors.top: message.bottom
    anchors.topMargin: Theme.paddingLarge
    anchors.horizontalCenter: parent.horizontalCenter
    visible: false
    text: qsTr("Retry")
    onClicked: python.call('api.loginTinder',[fb_id, fb_token], function(fb_token) {})
}


SilicaWebView {
    id: webView
    width: parent.width
    height: parent.height
    anchors
    {
        top: parent.top
        left: parent.left
        right: parent.right
        bottom: parent.bottom
    }
    focus: true
    url: "https://www.facebook.com/dialog/oauth?client_id=464891386855067&redirect_uri=fbconnect://success&scope=basic_info%2Cemail%2Cpublic_profile%2Cuser_about_me%2Cuser_activities%2Cuser_birthday%2Cuser_education_history%2Cuser_friends%2Cuser_interests%2Cuser_likes%2Cuser_location%2Cuser_photos%2Cuser_relationship_details&response_type=token&__mref=message"
    experimental.userAgent: "Mozilla/5.0 (X11; Linux i686) AppleWebKit/534.34 (KHTML, like Gecko) Qt/4.8.4 Safari/534.34"
    onNavigationRequested:
    {
        // When the URL has been changed, send it to Python to check if it contains an ACCESS TOKEN.
        console.log('Request URL from FACEBOOK: ' + request.url)
        python.call('api.loginFacebook',[request.url.toString()], function(url) {});
    }
}

Python {
    id: python
    Component.onCompleted:
    {
        // Add the Python path to PyOtherSide and import our module 'api'.
        addImportPath(Qt.resolvedUrl('.'));
        importModule('api', function() {});

        // When Python has successfully extracted the login data we can login into Tinder.
        setHandler('loginFacebook', function(id, token)
        {
            if(token)
            {
                fb_token = token;
                fb_id = id;
                //console.log("Facebook ID: " + JSON.stringify(fb_id))
                console.log('[LOGIN] Facebook login OK')
                webView.visible = false;
                message.enabled = true;
                header.visible = true;
                python.call('api.loginTinder',[fb_id, fb_token], function(fb_id, fb_token) {});
                // call python login tinder
            }
            else
            {
                // When Python couldn't receive the USER-ID from the Facebook Graph API then we should try to login in again.
                console.log('[LOGIN] Facebook login FAILED')
            }
        });

        setHandler('loginTinder', function(token)
        {
            if(token)
            {
                console.log('[LOGIN] Tinder login OK')
                pageStack.completeAnimation()
                pageStack.replace(Qt.resolvedUrl('MainPage.qml'));
            }
            else
            {
                // When Python couldn't login into Tinder, show the user a message and a button to try again.
                console.log('[LOGIN] Tinder login FAILED')
                message.text = qsTr('Failed to login')
                message.hintText = qsTr("Try again later")
                retry.visible = true;
            }
        });
    }

    onError:
    {
        console.log('Python ERROR: ' + traceback);
        Clipboard.text = traceback
        pageStack.completeAnimation();
        pageStack.replace(Qt.resolvedUrl('ErrorPage.qml'));
    }

    //DEBUG
    /*onReceived:
    {
        console.log('Python MESSAGE: ' + JSON.stringify(data));
    }*/
}

}
```
This is the webview, the rest is just calling the FB graph API with Python and passing the tokens to the Tinder login (Pynder)
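
Added example, not part of the original thread and not the poster's code: a Python handler for the URLs a webview reports during the OAuth implicit-grant flow discussed above. It reads `access_token` and `expires_in` from the redirect fragment, surfaces OAuth error redirects, and masks the token before a URL is logged, since logging the raw request URL also writes the token to the log. All function names and sample URLs are constructed for illustration.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Parameter names whose values must never reach a log file.
SENSITIVE = {"access_token", "code", "signed_request"}


class OAuthRedirectError(Exception):
    """The redirect carried an OAuth error instead of a token."""


@dataclass
class ImplicitGrant:
    access_token: str
    expires_at: Optional[float]  # absolute UNIX time; None if no expires_in was sent


def _params(url: str) -> dict:
    parts = urlsplit(url)
    # Implicit-grant results arrive in the fragment; errors may arrive in the query.
    merged = parse_qs(parts.query, keep_blank_values=True)
    merged.update(parse_qs(parts.fragment, keep_blank_values=True))
    return {name: values[0] for name, values in merged.items()}


def parse_redirect(url: str, now: Optional[float] = None) -> Optional[ImplicitGrant]:
    """Return the grant carried by `url`, or None if this navigation has no token yet."""
    params = _params(url)
    if "error" in params:
        raise OAuthRedirectError(params.get("error_description") or params["error"])
    token = params.get("access_token")
    if not token:
        return None
    now = time.time() if now is None else now
    lifetime = params.get("expires_in", "")
    expires_at = now + int(lifetime) if lifetime.isdigit() else None
    return ImplicitGrant(token, expires_at)


def redact_url(url: str) -> str:
    """Copy of `url` that is safe to log: sensitive parameter values are masked."""
    parts = urlsplit(url)

    def mask(component: str) -> str:
        pairs = parse_qs(component, keep_blank_values=True)
        return urlencode({k: "REDACTED" if k in SENSITIVE else v[0]
                          for k, v in pairs.items()})

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       mask(parts.query), mask(parts.fragment)))


if __name__ == "__main__":
    # Constructed sample redirect; the token value is a placeholder.
    sample = "fbconnect://success#access_token=CONSTRUCTED_TOKEN&expires_in=5184"
    print(redact_url(sample))
    print(parse_redirect(sample, now=1000.0))
```

Storing `expires_at` rather than the raw lifetime lets the caller decide when to repeat the login without trying an expired token first.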

@roperi

roperi commented Oct 4, 2016

@modulebaan

Thanks for sharing the code. But to be honest, I don't understand it! :/ I just know Python :) Do you know a way to get this from Python (i.e. not from Webview)?

EDIT: What I would like to do is create a web app (say with Django) to be used by other users. Then I guess I would get the long duration token when they sign up into their Facebook. For the moment I'm getting my long duration tokens using Charles for my own personal use. Thanks!

@DylanVanAssche
Author

@h-2-0
I don't know how you can do that in Python.
I suggest you use the tool of our colleagues from tinderJS. They made a small tool that automatically extracts the token.
https://github.com/tinderjs

@enric1994

enric1994 commented Oct 5, 2016

I use selenium python and it works for me:
```python
import re
import time

from selenium import webdriver
from selenium.webdriver.common.keys import Keys


def getToken():
    driver = webdriver.Firefox()
    driver.get("https://www.facebook.com/dialog/oauth?client_id=464891386855067&redirect_uri=fbconnect://success&scope=basic_info%2Cemail%2Cpublic_profile%2Cuser_about_me%2Cuser_activities%2Cuser_birthday%2Cuser_education_history%2Cuser_friends%2Cuser_interests%2Cuser_likes%2Cuser_location%2Cuser_photos%2Cuser_relationship_details&response_type=token&__mref=message")
    assert "Facebook" in driver.title
    # user
    user = driver.find_element_by_name("email")
    user.clear()
    user.send_keys("myEmail")
    # pass
    passw = driver.find_element_by_name("pass")
    passw.clear()
    passw.send_keys("myPass")
    # ENTER
    passw.send_keys(Keys.RETURN)
    # back
    driver.execute_script("window.history.go(-1)")
    # ok
    driver.find_element_by_xpath(".//[@id='platformDialogForm']/div[2]/button[2]").click()
    # getURL
    time.sleep(5)
    url = driver.current_url
    # parse
    token = re.match(r'.*=(.*)&.*', url)
    driver.close()
    return token.group(1)
```

One problem you can have is that your version of Firefox doesn't work with Selenium (try FF 45)

@roperi

roperi commented Oct 5, 2016

@modulebaan

Thanks! I'll definitively check that out

@enric1994

Oh, wow! That's great! Time to learn Selenium! Thanks!

@Jackojc

Jackojc commented Oct 5, 2016

@enric1994 Is there any Python 3 compatible version of selenium?

@DylanVanAssche
Author

I wanted to use selenium but it's not supported on mobile platforms like Sailfish OS which I use for my apps and as mobile OS on my smartphone.

@roperi

roperi commented Oct 7, 2016

@enric1994

But wait a minute... It seems the selenium script requires the FB credentials. So how could this possibly work for me to get the token from a visitor to my webapp? I wouldn't dare to ask them to fill out a form to submit their Facebook username and email. Or am I missing something?

@roperi

roperi commented Oct 7, 2016

@Jackojc

The whole point of using Charles is to get the long term token. If you are getting the token from it twice a day it means you are getting the short term one. The one I got from Charles hasn't expired in more than 3 months.

@roperi

roperi commented Oct 11, 2016

@enric1994

Hi! I tried your code but I'm getting this error...

```
selenium.common.exceptions.InvalidSelectorException: Message: The given selector .//[@id='platformDialogForm']/div[2]/button[2] is either invalid or does not result in a WebElement. The following error occurred:
InvalidSelectorError: Unable to locate an element with the xpath expression .//[@id='platformDialogForm']/div[2]/button[2] because of the following error:
SyntaxError: The expression is not a legal expression.
```

@DylanVanAssche
Author

I'm interested in the long token, @h-2-0 what do those requests look like?

@roperi

roperi commented Oct 12, 2016

@enric1994

To make it work I changed this:

```python
driver.find_element_by_xpath(".//[@id='platformDialogForm']/div[2]/button[2]").click()
```

...to this:

```python
driver.find_element_by_xpath(".//*[@id='platformDialogForm']/div[2]/button[2]").click()
```

@modulebaan
I get the long term tokens via Charles for my own accounts. It seems like they last 'forever'.

However I haven't found a quick and efficient way to get the short term token using Python on behalf of others accessing my client for desktop (unless they are insane enough to provide me with their FB credentials). I'm probably missing something/doing something wrong because there are several desktop and mobile clients out there.

@DylanVanAssche
Author

Can you provide where (urls/...) you have retrieved the long access token, @h-2-0? I haven't found it yet with Charles with my accounts...

@roperi

roperi commented Oct 12, 2016

@modulebaan ,

Sure. I will outline my process using an Android phone and Debian Linux in case someone else needs it.

1. Install Charles proxy

```
sudo apt-get update
sudo apt-get install charles-proxy
```

2. Open Charles Proxy
   Proxy > Proxy Settings > Enable Transparent HTTP proxying > HTTP Proxy Port: 8888
   Proxy > SSL Proxying Settings > Add > *.443

3. Go to your mobile's WiFi options and press the current network connection for 2 seconds to access its proxy settings
   Modify Network > Manual proxy > Proxy: [Local Ip Address] > Port: 8888

4. Open Phone's browser and go to...
   https://charlesproxy.com/getssl

5. Open and login into Tinder from mobile

6. Back in Charles Proxy look for 'auth' inside https://api.gotinder.com to get your LONG TERM Facebook token. To see it click on the Contents tab on the right panel (next to the Overview one).

```
"facebook_token": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
```

@roperi

roperi commented Oct 12, 2016

@modulebaan

Oops! I screwed up the step order. I edited my previous post to fix it. Hope it helps!

@DylanVanAssche
Author

@h-2-0
Thanks! I will take a look at it :)

@DylanVanAssche
Author

@h-2-0
A long live FB token is impossible to generate when you use a webview to authenticate since you need also the app_secret to generate a long live one from a short live one. But Tinder uses the FB Android SDK which automatically gets a long live one (so they don't use the app_secret).

What would work is to emulate the requests that the FB Android SDK makes to get a long live one.

@roperi

roperi commented Oct 17, 2016

@modulebaan

> What would work is to emulate the requests that the FB Android SDK makes to get a long live one.

Hmmm... Didn't you mean to emulate Tinder requests to FB? But anyway, how difficult is it to create an emulator? How can I start building one? Any pointers, ideas? It looks like some serious hacking job. My mind boggles. I am still trying to understand 😖

@DylanVanAssche
Author

@h-2-0
The login process of Tinder is the following:

  1. Show FB Oauth login
  2. Retrieve a FB token and ID
  3. Retrieve with those credentials via Tinder a Tinder token.

The Tinder token expires in 1-2 days while the FB token from a webview expires in 1-2 hours. You can get a long token if you knew the Tinder app-secret which is unknown.
If you can get a long FB token you can request a Tinder token every time without expiring (you renew it every time).
But Tinder doesn't use the FB webview Oauth but the FB Android SDK login which always gets a long token, if we can emulate the requests from the FB SDK for Android to FB servers we can get a long token like Tinder.
I can't decrypt them with Charles for some reason while the other requests to other servers are visible in Charles.

@zvelencei

Hi there!

Using desktop Python 2.7 and pynder 0.0.12

get token from calling the url http://rs.gs/FBTK and search the token id in the source code.

Run the code:

```python
import pynder

FBID=""
FBTOKEN=""

session = pynder.Session(FBID, FBTOKEN)
session.matches()
```

GET always the following error:

```
Traceback (most recent call last):
  File "C:/Python27/api.py", line 6, in <module>
    session = pynder.Session(FBID, FBTOKEN)
  File "C:\Python27\lib\site-packages\pynder\session.py", line 13, in __init__
    self._api.auth(facebook_id, facebook_token)
  File "C:\Python27\lib\site-packages\pynder\api.py", line 27, in auth
    raise errors.RequestError("Couldn't authenticate")
RequestError: Couldn't authenticate
```

@fishtanker

Use Fiddler to get the FB_ID and Auth_Token, but getting this error?

```python
FBID = '...'
FBTOKEN = '...'
session = pynder.Session(FBID, FBTOKEN)
users = session.nearby_users()
```

```
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:645)
```

10 participants