Authentication failed #38
This started for me as well. Removed and reinstalled but cannot get past the credentials screen.

Most probably Sensi backend changed the verification, this has happened before #28.

+1 for having this issue pop up today.

Same here, I got the auth request, tried my password, and then removed and reinstalled but cannot get past the credentials screen.

Same for me...

Issue started today for me as well.

Same here.....

Same issue for me too

same.

There is a new header required:
It changes with every login based on MITMPROXY and Android app. So far I don't know yet how exactly it is calculated....

I had filtered to traffic with Sensi only, haha.
It seems like the first one gets static data (mostly) and the response to mrr contains the header we need for rct. Maybe someone finds docu for that API? SEEMS to be Google reCAPTCHA v3 (maybe)

Add me to the pile 😁

I am having this issue as well

I am also having this issue.

+1

+1 same issue

I really don't think any more +1 comments are really helping the issue. This is going to happen for EVERYONE!

The way I understand reCAPTCHA is the app talks to captcha server using an app specific key. The server returns a token based on bot identification and tells the backend server. This token is then passed to the backend server during authentication. I am suspecting the I have been looking at the decompiled app and have not been able to find any key so far. I will keep digging. https://cloud.google.com/recaptcha-enterprise/docs/instrument-android-apps
Key needed:
This is from Android app...

I can create a fake POST to mri endpoint. It contains a few values needed for mrr endpoint.

+1 - but don't understand how to fix it.

The integration through homekit still works, but doesn't have as many options.

+1 how can I fix the issue?

@troyboy27 @omarquis This cannot be addressed without code changes. The authentication at Sensi end has changed.

I am also investigating the Will report when I know more...
You get that as part of the auth process. You generally get the token and a refresh token. Once the token expires you exchange the refresh token for a new pair. That step requires the recaptcha as well. BUT, Google has libraries that take care of that on Android, not sure if Sensi had to implement sth for iOS or if there is a library or even a different process... That is how I found out about the recaptcha process...

Ok thanks, I got the I did see the recaptcha as well, but I could not follow the output. I will have another try at it and report back later. Thanks for the tips!

I'll take some of what I said back... once you have the refresh token you do not need recaptcha anymore!

I tried that and it is failing... how did you tell HA to use it? I tried to enter it into the box that asks for auth....

https://manager.sensicomfort.com/ It's the same site someone would use if they paid for their subscription to access their thermostats from their site. username/password is the same on both app and website.

That's what I thought... Are you paying? I assume there is no functionality if you don't pay, right?
nope, not paying, so no functionality. But i figured it was worth a shot to see if it would help at all. Tho atm I am using the Homekit method in HA to control my Sensi Touch. But would be nice to see this up and running again.

It's definitely a good idea... Guess someone needs to pay to see what the actual API calls are and then test it with someone that's not paying to see if it works.
site says first month is free, cancel any time. so I guess it could be tested without having to pay for it. Just remember to cancel before the first month ends.

Actually, I don't think that is even needed. Just looked at the traffic.... @macwriter you already have modified sources... I think it would be super easy for you to check if the response tokens work. @Pheelix you might have solved the mystery for us... @iprak The website also uses recaptcha but it is fully browser based. I ASSUME that python can emulate a webbrowser in a way that you load the login page and let it do its thing to take care of the recaptcha?

I can confirm, the tokens work! Changed auth.py around line 67

Error in HA goes away after a restart... I guess if @iprak can simulate the browser login then we are back in action! I guess worst case solution would be to have the user login to the website and copy the refresh token and have that as an external config value that we have to paste. I guess other add-ons do the same where the user needs to create an account with company X and provide some keys manually. I guess my manual fix will stop working as soon as my current token expires since I hard-coded the refresh token and it only works once. But if we can feed the initial refresh_token and then the addon keeps managing it like in the past it should work long term. @Pheelix amazing catch!

@iprak I just looked at the code and noticed that it seems like you never really use the
Python cannot emulate reCaptcha, some libraries attempt to do that but they either implement v2 or are paid. reCaptcha involves a rotating sort of token which is generated by reCaptcha library. Sensi uses the latest google reCaptcha. In web, this The ideal way to address would be to change the initial authentication itself. This is how authentication is implemented for 3rd party verification e.g. https://sensiapi.io/authorize In my experimentation, extracting token from web and passing to Python did not work. There might be additional headers/cookies. Yes, you are right about refresh_token. I just log in again; I could not confirm when refreshing would be adequate.

You refresh when the page rejects the auth token. So instead of login again, you refresh.
Can Python emulate a webbrowser? If so, it would be easy to load the login page, fill in user/pwd and grab the tokens.
Not sure why you said using the extracted token in python does not work? See my prior comment.. it DOES work 100%!
But you need more than the token! There are 2 other values that change. Both are in my code snippet (client_id and client_secret).
I see two possible solutions here: A: Change the setup flow to ask the user for a B: Have python emulate a webbrowser and login to https://manager.sensicomfort.com/ using username/pwd and then grab the This hardcoded snippet DOES work until the token expires (hard coded refresh_token works only once). auth.py around line 68ish
I was just about to suggest using selenium and chrome webdriver for the browser interactions. I know the workload can be containerized, as well. But honestly, I feel like @stleusc's first suggested solution is far more straightforward.

The tokens are JWT. Paste them at jwt.io to see their contents. The expiration date for my refresh_token is way out into 2034, but it does report as an Invalid Signature. Stleusc, how does yours report?

@akseidel learned something new today about JWT :-) Yes, the refresh_token is valid for 10 years. Which is the idea behind it. The access_token is short lived, the refresh_token is long lived. HOWEVER, you generally can only use it ONCE to convert to a new access_token. You have 10 years to do that, but can do it only one time. I guess what I stated above depends on the implementation. In other words, if we get a refresh_token in the response, I would update to that one (also gives 10 more years). If there is none in the response, keep the old one. From https://www.oauth.com/oauth2-servers/access-tokens/refreshing-access-tokens/
Regarding signature: Signature Verified

The access token reports invalid sig, the refresh token valid sig.
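An added example (not code from this thread or from the iprak/sensi project) of the two points discussed above: reading a JWT's `exp` claim locally without verifying its signature, which is all jwt.io does, and the refresh-token rotation rule (take the new refresh_token if the server returns one, otherwise keep the old one). It assumes only the token endpoint and form fields already shown in this thread; `make_demo_jwt` builds a constructed, unsigned sample token, and the `post` callable is injected so the whole thing runs offline.

```python
import base64
import json
import time

TOKEN_URL = "https://oauth.sensiapi.io/token"  # token endpoint named in this thread


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read the payload WITHOUT verifying the signature (what jwt.io shows you).
    Fine for reading 'exp' locally; never use it to decide whether to trust a token."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def is_expired(token, now=None, skew=60):
    """True if the token's 'exp' is missing or within `skew` seconds of `now`."""
    exp = jwt_claims(token).get("exp")
    now = time.time() if now is None else now
    return exp is None or now + skew >= exp


def rotate_tokens(stored, token_response):
    """Rotation rule from the thread: the old refresh_token is single-use, so keep
    the one the server returned; if the response carries none, keep the old one."""
    return {
        "access_token": token_response["access_token"],
        "refresh_token": token_response.get("refresh_token") or stored["refresh_token"],
    }


def refresh(stored, client_id, client_secret, post):
    """Exchange the stored refresh_token for a new pair. `post(url, data=, headers=)`
    returns the decoded JSON body (e.g. lambda u, **kw: requests.post(u, **kw).json());
    it is injected so this can be exercised offline."""
    data = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "refresh_token", "refresh_token": stored["refresh_token"]}
    headers = {"accept": "*/*",
               "content-type": "application/x-www-form-urlencoded; charset=utf-8"}
    return rotate_tokens(stored, post(TOKEN_URL, data=data, headers=headers))


def make_demo_jwt(claims):
    """Constructed, UNSIGNED sample token for local tests only (dummy signature)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.dummysig"
```

In the integration, `refresh` would be called only when a data load reports an expired access token, and the dict it returns is what gets persisted, never the original refresh_token alone.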
Yes, works for me with the updated information (
You all are amazing! I'm hoping someone can help someone with mid-level programming knowledge. lol
Thanks again for all of you digging into this for those of us who can't.

> On Tue, Mar 12, 2024 at 11:27 AM Joe King wrote:
>
> Actually, I don't think that is even needed. Just looked at the traffic.... The response looks VERY similar to the app and contains the required tokens.
>
> @macwriter you already have modified sources... I think it would be super easy for you to check if the response tokens work. Simply log into https://manager.sensicomfort.com/ and look at the traffic to grab the token from the oauth call. I have a good feeling about this!
>
> @Pheelix you might have solved the mystery for us...
>
> @iprak The website also uses recaptcha but it is fully browser based. I ASSUME that python can emulate a webbrowser in a way that you load the login page and let it do its thing to take care of the recaptcha?
>
> Yes, works for me with the updated information (client_id, client_secret, refresh_token). Great job finding this!
>
> ```python
> import requests
>
>
> def test(client_id, client_secret, refresh_token):
>     params = ()
>     data = {
>         "client_id": client_id,
>         "client_secret": client_secret,
>         "grant_type": "refresh_token",
>         "refresh_token": refresh_token,
>     }
>     headers = {
>         "accept": "*/*",
>         "accept-language": "en-US,en;q=0.9",
>         "content-type": "application/x-www-form-urlencoded; charset=utf-8",
>     }
>     _response = requests.post("https://oauth.sensiapi.io/token", params=params, data=data, headers=headers)
>     print(_response)
>     print(_response.json().keys())
>
>
> # options_from_Sensi_Manager: dict with the client_id, client_secret and
> # refresh_token taken from the oauth call made by manager.sensicomfort.com
> test(**options_from_Sensi_Manager)
> ```
>
> ```
> <Response [200]>
> dict_keys(['access_token', 'refresh_token', 'token_type', 'expires_in', 'password_reset', 'eula_accepted', 'offers', 'alerts', 'user_id'])
> ```
I think we have all we need to get this working again....

Ironically, this could be foiled by recaptcha! lol

@bperry11 using something like an Android WebView would work since that is basically the component used to build browser apps. Of course Python would be different...
Sorry for late response, this integration usually only gets my attention on weekends. When I wrote this extension, my aim was to provide an easy to setup integration with the ultimate goal to have it be integrated in Core release. While solution "A" makes it work, I do not think it is the right approach. It certainly puts the extension out of non-developers or folks just using mobile device. I do not think browser emulation is possible in Python without using something like Selenium which makes it a quite heavy integration. This also might not work well within the constraints of HomeAssistant. There are 3rd party subscription based libraries for solving reCaptcha but that again might not work since reCaptcha is tied to the site. Sensi does have external integration support e.g. Whoosh Air, SmartThings and electricity providers. I personally have Sensi integrated via the last 2 paths. My hope is that Sensi's external integration could be used to pass back the authentication information via webhook. But I don't know enough yet about the implementation. https://sensiapi.io/authorize however is the site for establishing external integration. I understand that this issue is a headache for many. I do not think this integration is sustainable due to the additional restrictions imposed at Sensi end. I will try to get refresh_token based authentication out soon but I won't be making any more updates to this extension unless I can establish the authentication to be more standard.

While 'A' is not ideal, there are certainly many other integrations that are more complicated. E.g. https://www.home-assistant.io/integrations/smartthings/ or https://www.home-assistant.io/integrations/alexa.smart_home/ That being said, thank you for your continued support. I hope you change your mind and keep supporting this great integration!

Those two do have some setup but those are using established public facing workflows. Launching DevTools is at a different level. One can link Sensi from SmartThings app which establishes authentication via https://sensiapi.io/authorize and this gives me hope that such a possibility might be there. The initial call does pass in a different token and a callback, if that is not locked down then the callback could be HomeAssistant webhook (same as SmartThings) to receive the token.

It was Homebridge, but I had to do very similar process to integrate Google Nest. Login, open devtool, grab the cookie / or token, and paste into homebridge. At least for the time being, it wouldn't be too big of a deal IMO. Either way, thanks for your work on this!

I tried to do what's shown in this comment but it still wasn't working. I'm guessing the refresh_token I was using was wrong. What exactly does it look like?

Mine's 333 characters of upper and lowercase letters, digits, and symbols. Did you also get the client_secret? You'll need to put that in the auth.py file as well. Find and change the following in the

Thanks @bperry11, I was copying the wrong refresh_token but I got it figured out now. Cheers mate

The token can expire. 1.3.2 has better support for renewing the token when data load indicates expiration.
I have been using this Sensi integration for a few weeks. Today I had a notification that the authorization for the Sensi integration was expired. I went to the Integrations page in Home Assistant and clicked "Re-configure" for the Sensi integration.
A modal box with no text and just a "sleepy eyeball" appeared. I entered my Sensi account password. Authentication failed. I went to the mobile app on my phone and changed the password. I was able to log into the mobile app with the new password. I used the new password in the Sensi integration and again, authentication failed.