# Get access and refresh tokens
Before we can query the API, we must go through the OAuth authorization process

In [39]:
import base64
import json

import requests


# Absolute or relative path to secrets file with FitBit app client ID and client secret
SECRETS_FILE = ".env"
API = "https://api.fitbit.com/oauth2/token"

In [2]:
def load_secrets():
    """Read in secrets from file - includes client ID and client secret"""
    with open(".env", "r") as fhand:
        return json.loads(fhand.read())

In [3]:
secrets = load_secrets()

In [4]:
# This is the app ID - not a secret
secrets["client_id"]

'22B5Y4'

To begin with, open a web browser, log in to fitbit.com, then navigate to the following address. NB this includes the client ID and redirect URI as parameters, as well as a long expiration time:

https://www.fitbit.com/oauth2/authorize?response_type=code&client_id=22B5Y4&redirect_uri=https%3A%2F%2Fgithub.com%2Fnorrishd%2Ffitbit-run-viz&scope=activity%20profile&expires_in=31536000

In the browser tab that opens, grant permission to the app, then you will be redirected to the GitHub repo for this project.

Copy and paste the code in the redirect URL after you've clicked the "allow" button. Example: https://github.com/norrishd/fitbit-run-viz?code=5j44584764j5317894353d3ba2386cbd520aecaa#_=_

the code you need to paste from that example is `5j44584764j5317894353d3ba2386cbd520aecaa`. I.e. don't include the “#_=_”.

We will now POST a request to get an access token and refresh token.

In [23]:
CODE = "1859f0e906eea5b92d76935473e3199d53f7a233"

The Authorization header must be set to Basic followed by a space, then the Base64 encoded string of your application's client id and secret concatenated with a colon. For example, the Base64 encoded string, Y2xpZW50X2lkOmNsaWVudCBzZWNyZXQ=, is decoded as "client_id:client secret".

In [28]:
def get_authorization_header(secrets):
    """Base64-encode the client ID and client secret as required by the FitBit API"""
    return "Basic " + base64.b64encode((secrets["client_id"] + ":" + secrets["client_secret"]).encode("utf-8")).decode()

In [29]:
def get_access_token(code, secrets):
    """Request access and refresh token from FitBit API endpoint"""
    params = {
        "clientId": "22B5Y4",
        "grant_type": "authorization_code",
        "redirect_uri": "https://github.com/norrishd/fitbit-run-viz",
        "code": code,
        "expires_in": 28800  # 8 hours
    }

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": get_authorization_header(secrets)
    }
    
    return requests.post(API, params=params, headers=headers)

In [24]:
response = get_access_token(CODE, secrets)

In [25]:
def parse_response(res):
    """Inspect the FitBit API reponse for success or not"""
    if res.status_code == 200:
        json_res = res.json()
        print(json.dumps(json_res, indent=2))
    elif res.status_code == 400:
        # Bad request - code could be invalid or expired. Repeat steps above for a new code
        print(res.status_code)
        print(res.reason)
        for err in res.json()["errors"]:
            print(err["errorType"], ":", err["message"])
    else:
        print(res.status_code)
        print(json.dumps(json_res, indent=2))

In [48]:
parse_response(response)

{
  "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIyMkI1WTQiLCJzdWIiOiI2RFBRVlYiLCJpc3MiOiJGaXRiaXQiLCJ0eXAiOiJhY2Nlc3NfdG9rZW4iLCJzY29wZXMiOiJybG9jIHJhY3QgcnBybyIsImV4cCI6MTU3MDYzMTMyNCwiaWF0IjoxNTcwNjAyNTI0fQ.A2ZJa5WXvYg8fBw9OOuytAw9Lm1ck2wzSrCMlFpsYfA",
  "expires_in": 28800,
  "refresh_token": "e7e13133fc2894b2af94c2f4916a2179616bf58c85fc415cebe8107274b2d5eb",
  "scope": "location profile activity",
  "token_type": "Bearer",
  "user_id": "6DPQVV"
}


If all went well, let's update the secrets object and values on file

In [34]:
def update_secrets(access_token, refresh_token):
    """Create a secrets file with client id & secret, access and refresh tokens"""
    secrets = load_secrets()
    secrets["access_token"] = access_token
    secrets["refresh_token"] = refresh_token

    with open(".env", "w") as fhand:
        fhand.write(json.dumps(secrets))

    return secrets

In [37]:
if response.status_code == 200:
    secrets = update_secrets(response.json()["access_token"],
                   response.json()["refresh_token"]
                  )
else:
    raise ValueError("Status code failed, something needs fixing")

In [49]:
secrets

{'client_id': '22B5Y4',
 'client_secret': 'be70e055524e828b7725cfb2252fc7a6',
 'access_token': 'eyJhbGciOiJIUzI1NiJ9.eyJhdWQiOiIyMkI1WTQiLCJzdWIiOiI2RFBRVlYiLCJpc3MiOiJGaXRiaXQiLCJ0eXAiOiJhY2Nlc3NfdG9rZW4iLCJzY29wZXMiOiJybG9jIHJhY3QgcnBybyIsImV4cCI6MTU3MDYzMTMyNCwiaWF0IjoxNTcwNjAyNTI0fQ.A2ZJa5WXvYg8fBw9OOuytAw9Lm1ck2wzSrCMlFpsYfA',
 'refresh_token': 'e7e13133fc2894b2af94c2f4916a2179616bf58c85fc415cebe8107274b2d5eb'}

You can also check the status of any token

In [50]:
def refresh_token(secrets):
    API = "https://api.fitbit.com/oauth2/token"

    params = {
        "grant_type": "refresh_token",
        "refresh_token": secrets["refresh_token"]
    }

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": get_authorization_header(secrets)
    }

    return requests.post(API, params=params, headers=headers)

In [53]:
# refresh_res = refresh_token(secrets)

# TODO retrieve "access_toke" and "refresh_token" from response and update secrets