Audi: rotate qmauth and add assertion headers for IDK token exchange #30292

Merged: andig merged 2 commits into master from fix/audi-qmauth-rotation, May 28, 2026

andig (Member) commented May 28, 2026

Fix #30280

Audi token exchange at /auth/v1/idk/oidc/token started returning {"error":"invalid assertion headers"} because both the qmauth credentials and the expected assertion-header set rotated upstream. Values mirrored from arjenvrh/audi_connect_ha and TA2k/ioBroker.vw-connect, both currently active and in agreement.

  • Rotate qmClientId to 01da27b0 and the corresponding HMAC secret
  • Send User-Agent, Accept-Charset, x-platform, x-android-package-name, x-assertion: 0 on Exchange and Refresh so refresh doesn't regress an hour after login

andig added the vehicles (Specific vehicle support) label May 28, 2026
sourcery-ai (Bot, Contributor) left a comment
Hey - I've found 1 issue

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location path="vehicle/vag/idkproxy/endpoint.go" line_range="78-86" />
<code_context>
 	var res vag.Token

 	req, err := request.New(http.MethodPost, Config.TokenURL, strings.NewReader(data.Encode()), map[string]string{
-		"Content-Type": request.FormContent,
-		"Accept":       request.JSONContent,
-		"x-qmauth":     qmauthNow(),
+		"Content-Type":           request.FormContent,
+		"Accept":                 request.JSONContent,
+		"Accept-Charset":         "utf-8",
+		"User-Agent":             userAgent,
+		"x-qmauth":               qmauthNow(),
+		"x-platform":             "android",
+		"x-android-package-name": "de.myaudi.mobile.assistant",
+		"x-assertion":            "0",
 	})
 	if err == nil {
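Review bot: The three new literals in this map ("x-platform": "android", "x-android-package-name": "de.myaudi.mobile.assistant" and "x-assertion": "0") are inlined at the call site, while userAgent is already a named value. Since the PR description says this header set rotated upstream, define them next to userAgent with a short comment naming the projects they were mirrored from, so the next rotation is a one-place change and a reader can tell what "x-assertion": "0" is expected to signal.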
</code_context>
<issue_to_address>
**suggestion:** Header set is duplicated between Exchange and Refresh; consider factoring into a helper

The header map here closely matches the one in `Refresh`. Please extract a shared helper (e.g. `qmHeaders() map[string]string`) or shared constant so both flows use the same header set and stay in sync when requirements change.

Suggested implementation:

```golang
	qmSecret   = "1ab69925ac179aaa4e83abe671a9476d176418b85bd706f1436ca15be647989c"
	qmClientId = "01da27b0"
	userAgent  = "Android/4.31.0 (Build 800341641.root project 'myaudi_android'.ext.buildTime) Android/13"
)

func qmHeaders(qmAuth string) map[string]string {
	return map[string]string{
		"Content-Type":           request.FormContent,
		"Accept":                 request.JSONContent,
		"Accept-Charset":         "utf-8",
		"User-Agent":             userAgent,
		"x-qmauth":               qmAuth,
		"x-platform":             "android",
		"x-android-package-name": "de.myaudi.mobile.assistant",
		"x-assertion":            "0",
	}
}

```

```golang
	req, err := request.New(http.MethodPost, Config.TokenURL, strings.NewReader(data.Encode()), qmHeaders(qmauthNow()))

```

```golang
	req, err := request.New(http.MethodPost, Config.TokenURL, strings.NewReader(data.Encode()), qmHeaders(qmauthNow()))

```

I only see partial code. Anywhere else in `vehicle/vag/idkproxy/endpoint.go` (or related files) that constructs a `map[string]string` with this same header set (for the Exchange and Refresh flows) should be updated to call `qmHeaders(qmauthNow())` (or `qmHeaders(qmauth(ts))` if a timestamped value is used) instead of duplicating the header map literal. This keeps both flows in sync when headers change.
</issue_to_address>


Successfully merging this pull request may close these issues.

Audi invalid token
