Intercom: unlock function returns 404

[koichirose]

Is there an existing issue for this?

• I have searched the existing issues

Describe The Bug

Since a couple days ago, the unlock function is returning the following error:

HTTPError: Response code 404 (Not Found)
    at Request.<anonymous> (/usr/src/app/node_modules/got/dist/source/as-promise/index.js:118:42)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5) {
  code: 'ERR_NON_2XX_3XX_RESPONSE',
  timings: {
    start: 1696329795541,
    socket: 1696329795542,
    lookup: 1696329795545,
    connect: 1696329795563,
    secureConnect: 1696329795784,
    upload: 1696329795785,
    response: 1696329795958,
    end: 1696329795962,
    error: undefined,
    abort: undefined,
    phases: {
      wait: 1,
      dns: 3,
      tcp: 18,
      tls: 221,
      request: 1,
      firstByte: 173,
      download: 4,
      total: 421
    }
  }
}

I first noticed the problem when it logged me out for some reason (I was getting Error: Refresh token is not valid. Unable to authenticate with Ring servers.).
I performed the auth flow again, now I can successfully read the battery level with intercom.batteryLevel, but calling intercom.unlock() returns that 404.

I'm not sure how to discover the new URL, if it changed on Ring's side.

To Reproduce

No response

Expected behavior

It should unlock the door.

Relevant log output

No response

Screenshots

No response

Additional context

No response

OS

Linux (node:18-alpine docker image)

Node.js Version

v18.7.0

NPM Version

8.15.0

ring-client-api

12.0.1

Operating System

Linux (node:18-alpine docker image)

[tsightler]

So far there are no other reports of this issue. The fact that it occurred after an authentication issue makes me wonder if there is still some account specific behavior going on. The 404 can also happen when the account does not have permissions to perform an action on the device as the API simply returns 404 because that function is not available to the account (basically, the API hides the endpoint).

Are you using the primary Ring account, or is it a secondary/shared account being used? I know that Ring has been implementing changes with intercom around guest access so perhaps that has somehow changed this. However, the fact that there haven't been any other reports in either this project, or ring-mqtt, so far, makes me lean toward being account specific for now.

Unfortunately, I don't have an intercom and I'm pretty sure @dgreif doesn't have one either, so we rely on users being willing to share their device with us or investigating the API on their own.

[koichirose]

@tsightler thank you for your reply. I am using the main account. No issues with the official app.
I'll try again, maybe with a secondary account and report back

[koichirose]

@tsightler I tried with my secondary account, but still get 404.
Any suggestions on how to debug this?

[tsightler]

Can you unlock the device via the Ring web UI? If so, you can use developer tools to see what API call is being made to do this. Perhaps it has changed with all of the updates Ring is doing to Intercom access.

[koichirose]

I tried, but my Intercom does not appear in the web app. All I see on my dashboard is some kind of splash page with links to get the apps / request support. I have no other Ring devices.
I looked around online and it seems that Intercom is only available on the native apps.
Debugging those is not that easy, I'd have to setup a proxy and capture the requests I guess.
Unlocking from the app works fine.

[tsightler]

Yes, you have to setup MITM proxy (or some other traffic capture proxy) and install a custom version of the Ring app to disable certificate pinning. Easiest option, IMO, is to use Android Studio and an emulated device. I have this setup, but don't own an intercom. If you would be willing to add me as a shared user to your intercom I could investigate fairly quickly.

[koichirose]

Sure, I can give you access. Do you have a way not to unlock the door while testing though? I wouldn't want my door unlocked in the middle of the night. I'm GMT+2.
Do you have an email i can use?

Or I could use Android Studio, do I still need a custom apk?

[tsightler]

I can be aware of the time, but I'd have to unlock it at least a few times for sure. If it's just a minor change, maybe just once.

If you'd like to use Andriod Studio and investigate yourself, no problem, I can even provide the APK with the certificate pinning removed, or you can do it yourself. Feel free to reach out to me, my email address is the same as my Github username at gmail.

[koichirose]

Update: I managed to inspect the call from the emulated Ring app.

The URL looks the same to me.
The JSON payload from this library is missing the command_timeout, origin and issue_time parameters.
user_id is set to 0 while the app sends what I think is my user_id.

I tried replaying the request with curl and completely removed the user id.
I get the following response:

{"jsonrpc":"2.0","error":{"message":"Invalid params","data":"Missed \"user_id\"","code":-32602},"id":"2870ae5d-17e4-42c5-b05a-fc3bd4b0a372"}

But the door opens anyway.

I also tried with user_id: 0. The door opens and the response is:

{"jsonrpc":"2.0","id":"2870ae5d-17e4-42c5-b05a-fc3bd4b0a372","result":{"code":0}}

So I think I'm missing something else.
@tsightler see if this can help you...
I'll have a deeper look later on.

[tsightler]

Unfortunately, I don't see anything actionable here. Everything you posted is that same as what was discovered in the initial implementation and it seems to work as expected. I suppose you could try removing things like the command_timeout, origin, and issue_time parameters, and see if that creates the issue, but you are getting a 404 while I would expect that would simply generate an error response.

Based on this, I don't see anything wrong with the code and we still have not a single user of homebridge-ring, ring-mqtt or any other project that uses ring-client-api wit this issue so I have to believe it is somehow related to your specific setup.

I'm still willing to try to troubleshoot it if you can share the intercom, I'm happy to coordinate the time with you so it feels safe and the access is provided only for a limited time, but I'm not really sure what the problem could be.

[koichirose]

Update: today it just worked again. I didn't change anything on my side, so I guess it was something temporary related to my account.