add protobuf-based v3 sms auth script #117

Open
wants to merge 10 commits into base: master

@jimtje jimtje commented Sep 15, 2020

Added a quick script to enable v3 sms auth to get the token. Just run `python sms_auth_v3.py` after installing the new requirements either by `pip install -r requirements.txt` or simply installing the betterproto package.

@mati0090

Probably all .proto files except authgateway.proto can be removed. It seems that the generic Google Protobuf types were extracted during the disassembly process.

@sutble

sutble commented Oct 15, 2020

Hey, awesome work with this! Do you know why there's an extra step involving email authentication? On the Tinder app this step isn't required. Also I noticed that the Tinder text message is different than the one received from the app? Let me know if there's any additional work that needs to be done on this, would gladly jump in and help.

@jimtje
Author

jimtje commented Oct 15, 2020

I don't actually know if it pops up every time for everyone; for testing I created a throwaway account with a Google Voice number and disposable email, and I suspected that the email verification wouldn't pop up if I had used a real email. The text message I receive on Google Voice actually is the same from the app and the script, but differs from the web-ui, probably because it's tied to the build/version that's hardcoded into the headers right now because there wasn't a way to dynamically get the latest available version. Tinder pushes out a new build every week or two but it doesn't seem immediately necessary to keep up as long as it still logs in.

I think since the most immediate problem was that not having the auth token meant no programmatic access at all to their API at least that aspect is all good until it breaks. I think the more interesting stuff that's visible in the app's code but not online (or at least not accessible to me) looks like some sort of websocket and protobuf-based chat system that allows the creation of rooms, kicking of users, and use of video (Tinder-Zoom hybrid?) When that feature is fleshed out and available it would probably be the next thing to be added, but no idea as to if or when that's going to be a thing yet.

@nikitaKravchenko

@fbessez, this looks like a good pull request.
Just curious, are you going to merge it to the master branch?

@0xhiroki

0xhiroki commented Dec 15, 2020

Has anyone been able to use the apis? I was able to fetch the token through sms_auth_v3.py, but I keep getting the following error when using "get_recs_v2" api:

{'meta': {'status': 401}, 'error': {'message': 'SESSION_INVALID', 'code': 40101}}

I pasted the token from running sms_auth_v3.py into config.py.

@jimtje
Author

jimtje commented Dec 16, 2020

There are a bunch of headers that seem to be required when making actual API calls now, and the client needs to be able to keep consistent "app-session-time-elapsed" and "user-session-time-elapsed" in the correct order, it seems. So I think going forward it may simply be necessary to flesh things out by building more or less the entire API client out. In that case it probably would make more sense for me to either fork the project entirely or build something a bit more structured from scratch.

I also have a few other projects on my plate right now, and with those, a few deadlines lurking. I'll try my best to figure out something that is both maintainable and easy to work with but no guarantees on timelines. The auth flow I put in has some rudimentary app session spoofing built in if anyone wants to just extend it out from there in terms of headers but I have no idea whether that's actually sufficient since it's not keeping a real tally of time and it just randomly generates some possible numbers for the slot.

@maxime-peim maxime-peim mentioned this pull request Oct 14, 2021
@pawelfluder

pawelfluder commented Dec 20, 2022

Hi I was using code from your pull-request and it was working very well.
But now I have good request response:
{'validatePhoneOtpState': {'phone': '+48..[myPhoneNumerHere]', 'otpLength': 6, 'smsSent': True}}

but no sms is sent. Any idea what can be wrong?
Anything changed in tinder api since last month?
Do I need to update sth to make this work again?

@jimtje
Author

jimtje commented Dec 28, 2022

> Hi I was using code from your pull-request and it was working very well. But now I have good request response: {'validatePhoneOtpState': {'phone': '+48..[myPhoneNumerHere]', 'otpLength': 6, 'smsSent': True}}
>
> but no sms is sent. Any idea what can be wrong? Anything changed in tinder api since last month? Do I need to update sth to make this work again?

Hey there. The last version from the Play Store (in the US at least) is dated December 5. I would be pretty surprised if they changed anything about the api in the interim. Can you login from a phone? Have you successfully logged in since Dec. 5? Or is it a problem that came up before then?

I'm stuck in quarantine overseas right now in a country that isn't served by Tinder and also blocks Google wholesale, so I can't check my Google Voice to test the sms part anyway, even if I rig up something that can hit their api endpoint, and without going too much into it I don't really know when I'll be able to test but it'll be a few weeks at least and likely 1-2 months. I got my hands on the latest apk and it doesn't look like the login/auth part changed much, mostly things got moved around but the endpoint seems the same, as do the .proto files associated with the 2fa auth gateway. That doesn't mean that they didn't change anything, but it's nothing obvious in the code.

If anything, it could just be that the server no longer accepts headers indicating that the client is a version of Tinder from almost 2 years ago, and so I'll update the headers and hope for the best. Let me know if that helps. I'll push a commit at some point in the next day or two to get the latest version numbers and all that in place. However, do try to log in the normal way if you can to eliminate backend changes they've done that we can't see or do anything about. Also, I have no idea if they put out different apks (usually for legal purposes) and have different backends set up in non-US jurisdictions, so maybe it's worth trying with a different account to see if that works. At the very least it will narrow down the potential problems by process of elimination.

@THEWEZERNOW

Hey @jimtje, can you push an update for the headers, please?

@Scylla2020

I believe they are also checking header order now. Always works for me in this order:

```python
# Fragment: deviceid (the persistent device id string) is defined elsewhere in the script.
headers = {
    'user-agent': "Tinder Android Version 14.9.0",
    'os-version': "29",
    'app-version': "4467",
    'platform': "android",
    'platform-variant': "Google-Play",
    'x-supported-image-formats': "webp",
    'accept-language': "en-US",
    'tinder-version': "14.9.0",
    'Store-Variant': 'Play-Store',
    'persistent-device-id': deviceid,
    'content-type': "application/x-protobuf",
    'Host': 'api.gotinder.com',
    'connection': "close",
    'accept-encoding': "gzip",
}
```

@gelodefaultbrain

Hi! It seems that it works but I can't receive the SMS OTP? Can we work on this? I think this is on the right track cause I see that Tinder has indeed changed their way of the API, with v3.

@gelodefaultbrain

> > Hi I was using code from your pull-request and it was working very well. But now I have good request response: {'validatePhoneOtpState': {'phone': '+48..[myPhoneNumerHere]', 'otpLength': 6, 'smsSent': True}}
> > but no sms is sent. Any idea what can be wrong? Anything changed in tinder api since last month? Do I need to update sth to make this work again?
>
> Hey there. The last version from the Play Store (in the US at least) is dated December 5. I would be pretty surprised if they changed anything about the api in the interim. Can you login from a phone? Have you successfully logged in since Dec. 5? Or is it a problem that came up before then?
>
> I'm stuck in quarantine overseas right now in a country that isn't served by Tinder and also blocks Google wholesale, so I can't check my Google Voice to test the sms part anyway, even if I rig up something that can hit their api endpoint, and without going too much into it I don't really know when I'll be able to test but it'll be a few weeks at least and likely 1-2 months. I got my hands on the latest apk and it doesn't look like the login/auth part changed much, mostly things got moved around but the endpoint seems the same, as do the .proto files associated with the 2fa auth gateway. That doesn't mean that they didn't change anything, but it's nothing obvious in the code.
>
> If anything, it could just be that the server no longer accepts headers indicating that the client is a version of Tinder from almost 2 years ago, and so I'll update the headers and hope for the best. Let me know if that helps. I'll push a commit at some point in the next day or two to get the latest version numbers and all that in place. However, do try to log in the normal way if you can to eliminate backend changes they've done that we can't see or do anything about. Also, I have no idea if they put out different apks (usually for legal purposes) and have different backends set up in non-US jurisdictions, so maybe it's worth trying with a different account to see if that works. At the very least it will narrow down the potential problems by process of elimination.

Hi @jimtje, any updates so far? Hope you're doing okay.

@gelodefaultbrain

UPDATE!
These headers worked for me; thanks to this comment, it gave me clues. Now one thing I noticed is: NEVER EVER TRY TO SPAM when trying to get the SMS OTP, Tinder seems to be very strict.

```python
# Fragment from inside a class method: the self.* ids and `seconds` are set elsewhere.
headers = {
    'user-agent': "Tinder Android Version 12.6.0",
    'os-version': "25",
    'app-version': "4023",
    'platform': "android",
    'platform-variant': "Google-Play",
    'x-supported-image-formats': "webp",
    'accept-language': "en-US",
    'tinder-version': "12.6.0",
    'store-Variant': 'Play-Store',
    'persistent-device-id': self.deviceid,
    'content-type': "application/x-protobuf",
    'host': 'api.gotinder.com',
    'connection': "close",
    'accept-encoding': "gzip,deflate, br",

    'install-id': self.installid,
    'app-session-id': self.appsessionid,
    'funnel-session-id': self.funnelid,
    'app-session-time-elapsed': format(seconds, ".3f")
}
```

@gelodefaultbrain

Hi! I just encountered this

urllib3.connectionpool:_make_request:2023-11-15 16:27:45,992:DEBUG:https://api.gotinder.com:443 "POST /v3/auth/login HTTP/1.1" 403 153
Application_Logger:__submit_email_otp_code:2023-11-15 16:27:45,994:DEBUG:submit_email_otp_response: {'error': {'code': 40307, 'message': 'APPEAL_BAN', 'banReason': {'banAppeal': {'challengeType': 'arkose', 'challengeToken': '7ec728b7-d1e3-4edf-972a-3f0facf64293', 'refreshToken': 'eyJhbGciOiJIUzI1NiJ9.MTkwOTcyNzcyNDg.0BItH781Xc201saXLHzzVuFPs1zqrrIIyqGuc3HihUA'}}}}
Application_Logger:__submit_email_otp_code:2023-11-15 16:27:45,994:DEBUG:Success submitting Email OTP code.
Application_Logger:__submit_email_otp_code:2023-11-15 16:27:45,995:ERROR:Error submitting Email OTP code: 'loginResult'
urllib3.connectionpool:_get_conn:2023-11-15 16:28:46,644:DEBUG:Resetting dropped connection: api.gotinder.com
urllib3.connectionpool:_make_request:2023-11-15 16:28:46,889:DEBUG:https://api.gotinder.com:443 "POST /v3/auth/login HTTP/1.1" 403 153
Application_Logger:__submit_email_otp_code:2023-11-15 16:28:46,891:DEBUG:submit_email_otp_response: {'error': {'code': 40307, 'message': 'APPEAL_BAN', 'banReason': {'banAppeal': {'challengeType': 'arkose', 'challengeToken': 'd9b7ee8d-841c-4626-97a9-27ef2e0cc73f', 'refreshToken': 'eyJhbGciOiJIUzI1NiJ9.MTkwOTcyNzcyNDg.0BItH781Xc201saXLHzzVuFPs1zqrrIIyqGuc3HihUA'}}}}
Application_Logger:__submit_email_otp_code:2023-11-15 16:28:46,891:DEBUG:Success submitting Email OTP code.
Application_Logger:__submit_email_otp_code:2023-11-15 16:28:46,891:ERROR:Error submitting Email OTP code: 'loginResult'

I think it's somehow related to captchas? Any way to bypass it?
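
An added example, not part of the thread or of the PR's code: in the log above the client prints "Success" and then fails on a missing `'loginResult'` key because the error body is never inspected, and the challenge and refresh tokens are written to the debug log. One way to classify the decoded response first and mask token fields before logging; the function names are hypothetical, and the sample body is constructed with placeholder token values.

```python
# Token-bearing field names as they appear in the logged response above.
SENSITIVE_KEYS = {"challengeToken", "refreshToken"}


def redact(obj):
    """Return a copy of a decoded response with token values masked."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SENSITIVE_KEYS else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def classify_login_response(status_code, body):
    """Hypothetical helper: decide the outcome before touching 'loginResult'.

    Returns (outcome, detail); outcome is 'ok', 'challenge' or 'error'.
    """
    err = body.get("error") if isinstance(body, dict) else None
    if err is not None:
        appeal = (err.get("banReason") or {}).get("banAppeal")
        if appeal:
            # The server demands an interactive challenge: stop, do not retry.
            return "challenge", {"code": err.get("code"),
                                 "type": appeal.get("challengeType")}
        return "error", {"code": err.get("code"), "message": err.get("message")}
    if status_code == 200 and isinstance(body, dict) and "loginResult" in body:
        return "ok", body["loginResult"]
    return "error", {"code": status_code, "message": "unexpected response shape"}


# Constructed sample shaped like the logged 403 body; tokens are placeholders.
SAMPLE = {"error": {"code": 40307, "message": "APPEAL_BAN", "banReason": {
    "banAppeal": {"challengeType": "arkose",
                  "challengeToken": "PLACEHOLDER-CHALLENGE",
                  "refreshToken": "PLACEHOLDER-REFRESH"}}}}

if __name__ == "__main__":
    outcome, detail = classify_login_response(403, SAMPLE)
    print(outcome, detail)
    print("safe to log:", redact(SAMPLE))
```
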


9 participants