Integration does not work when email OTP is enabled on myAir account

[Dorval1]

Version of the custom_component

VERSION = "0.0.0-dev" in the const.py file
Version 0.1.4 from the HACS info page

Configuration

no config could be done

Describe the bug

i install resmed_myair from HACS, reboot HA, try to install component, put my credentials and got an "Unknown error occurred"
i've also created a Har file, if it can help

Debug log

Logger: aiohttp.server
Source: custom_components/resmed_myair/client/legacy_client.py:92
Integration: ResMed myAir (documentation, issues)
First occurred: 14:47:35 (1 occurrences)
Last logged: 14:47:35

Error handling request
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/aiohttp/web_protocol.py", line 435, in _handle_request
resp = await request_handler(request)
File "/usr/local/lib/python3.9/site-packages/aiohttp/web_app.py", line 504, in _handle
resp = await handler(request)
File "/usr/local/lib/python3.9/site-packages/aiohttp/web_middlewares.py", line 117, in impl
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/security_filter.py", line 60, in security_filter_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/forwarded.py", line 98, in forwarded_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/request_context.py", line 28, in request_context_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 79, in ban_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 219, in auth_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/view.py", line 137, in handle
result = await result
File "/usr/src/homeassistant/homeassistant/components/config/config_entries.py", line 164, in post
return await super().post(request, flow_id)
File "/usr/src/homeassistant/homeassistant/components/http/data_validator.py", line 62, in wrapper
result = await method(view, request, *args, **kwargs)
File "/usr/src/homeassistant/homeassistant/helpers/data_entry_flow.py", line 111, in post
result = await self._flow_mgr.async_configure(flow_id, data)
File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 252, in async_configure
result = await self._async_handle_step(flow, cur_step["step_id"], user_input)
File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 325, in _async_handle_step
result: FlowResult = await getattr(flow, method)(user_input)
File "/config/custom_components/resmed_myair/config_flow.py", line 51, in async_step_user
device: MyAirDevice = await get_device(
File "/config/custom_components/resmed_myair/config_flow.py", line 31, in get_device
device = await client.get_user_device_data()
File "/config/custom_components/resmed_myair/client/legacy_client.py", line 92, in get_user_device_data
equipment[1].renderContents().decode("utf8").split(" ", 1)
IndexError: list index out of range
home-assistant.log

[prestomation]

Thanks for the bug report. I will need the HAR file to further debug this. Could you attach it here?

[prestomation]

Thanks Dorval! We spoke via email last night but to summarize here:

This account has 2-factor auth enabled via an OTP which the integration does not currently support. I have updated the title to reflect this.

Workaround:

• Disable OTP on the account. It's not clear this is possible

Next Step:

• The integration setup procedure will need to be updated to support the flow of accepting the OTP

[prestomation]

Adding some notes for myself:

Based upon the har files, sending the OTP is pretty straightforward.

The problem is that we need to also trust the browser, otherwise the user would have to get a new code on every refresh which is obviously not feasible(this is every 30 min).

When selecting 'trust this browser', the browser somehow gets a TOTP seed that is saved to local storage, and this is used to generate OTPs for each subsequent login. I can't figure out where this secret comes from. This is the next step.

In the mean time, I've added some messaging with #17 that tells the user when OTP is needed and directs them to this bug report

[poweredgenl]

i tried to look to disable the OTP somewhere in the portal but thats not possible i think ... would be great for me as well to have a workaround/implementation on the OTP part in this integration... im not a programmer / dev ... but happy to volunteer testing / give feedback etc.

[Dorval1]

The workaround was to recreate my profile in another country, i went from France to Belgium.
No OTP there, plugin working as soon as the next day (to have some data in the profile)

[poweredgenl]

so what you did is remove your account - and then just say " im from belgium " in my case my profile is from the netherlands ... so i have to pick that option perhaps too then ?

[Dorval1]

i delete my original account, as i couldn't change region, nor have my device on 2 account
then i recreate a new one, with my device, on an no-otp country
i know there is more than belgium, i've tested czeck republic and ireland too
maybe there is a better country (language?) for you
you just have to create blank account (no device required), and check if otp is required upon first connection before deleting them

[poweredgenl]

ah interesting - good idea - will pick belgium then as it has a dutch interface too - but english is more then OK as well! thanks - good tips!

[RienduPre]

I have the same issue here in the Netherlands too. Deleting my account means I loose all history I assume?

[Dorval1]

yep, clean start, and the integration will need some data to find your device, meaning you'll have to sleep over to reinstall it

[RienduPre]

I recreated my account to a none 2-factor country, but still got an error when adding the component

See log entry below

`Deze fout is ontstaan door een aangepaste integratie.

Logger: aiohttp.server
Source: custom_components/resmed_myair/client/legacy_client.py:85
Integration: ResMed myAir (documentation, issues)
First occurred: 13:46:28 (1 occurrences)
Last logged: 13:46:28

Error handling request
Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/aiohttp/web_protocol.py", line 435, in _handle_request
resp = await request_handler(request)
File "/usr/local/lib/python3.9/site-packages/aiohttp/web_app.py", line 504, in _handle
resp = await handler(request)
File "/usr/local/lib/python3.9/site-packages/aiohttp/web_middlewares.py", line 117, in impl
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/security_filter.py", line 60, in security_filter_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/forwarded.py", line 98, in forwarded_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/request_context.py", line 28, in request_context_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/ban.py", line 79, in ban_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/auth.py", line 219, in auth_middleware
return await handler(request)
File "/usr/src/homeassistant/homeassistant/components/http/view.py", line 137, in handle
result = await result
File "/usr/src/homeassistant/homeassistant/components/config/config_entries.py", line 164, in post
return await super().post(request, flow_id)
File "/usr/src/homeassistant/homeassistant/components/http/data_validator.py", line 62, in wrapper
result = await method(view, request, *args, **kwargs)
File "/usr/src/homeassistant/homeassistant/helpers/data_entry_flow.py", line 111, in post
result = await self._flow_mgr.async_configure(flow_id, data)
File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 252, in async_configure
result = await self._async_handle_step(flow, cur_step["step_id"], user_input)
File "/usr/src/homeassistant/homeassistant/data_entry_flow.py", line 325, in _async_handle_step
result: FlowResult = await getattr(flow, method)(user_input)
File "/config/custom_components/resmed_myair/config_flow.py", line 52, in async_step_user
device: MyAirDevice = await get_device(
File "/config/custom_components/resmed_myair/config_flow.py", line 31, in get_device
await client.connect()
File "/config/custom_components/resmed_myair/client/legacy_client.py", line 85, in connect
authn_json = await authn_res.json()
File "/usr/local/lib/python3.9/site-packages/aiohttp/client_reqrep.py", line 1103, in json
raise ContentTypeError(
aiohttp.client_exceptions.ContentTypeError: 0, message='Attempt to decode JSON with unexpected mimetype: application/xml', url=URL('https://myair.resmed.eu/authenticationids/externalwebservices/restotprequestselect.php')

`

[jpkokkonen]

I tested this also in Finland. Home Asissantan can't log in using my access. Also Finnish MyAir page is using 2-factor auth for logging.

[xfader2018]

There is no workaround since 2FA is enabled by default?

[prestomation]

@xfader2018 Unfortunately the workaround is to move your device to a new account in a region where ResMed does not enforce 2FA. So far there are reports that 2FA is enforced in France,NL, and Finland.

Where are you located? You've posted here before, does that mean that 2FA was enabled in your country?

[xfader2018]

Hi @prestomation, I'm located in NL. Can I move my device to another country without any consequences?

[prestomation]

I have not personally done it.

But others above have. It is starting over with myAir so myAir will not have your history. If you have a healthcare provider who looks at your data I have no idea how that will work out either.

[poweredgenl]

@prestomation as i predict more and more countries implement 2FA - would you be open to implement auth via 2FA as well? perhaps with a manual step in between? As i cannot program/dev - im volunteering for testing.

[prestomation]

@poweredgenl I have zero issues with 2fa support, I just haven't found the time to reverse engineer it fully to support it in the plugin. As you say it looks they are adding it in more countries so I should take a look at this again

[randriksen]

Norway also forces 2fa

[GuruPG]

Is there any update on this.
I just got my machine today, I'm in the UK but happy to try setting up account in a different country.
I tried USA but it said my serial number wasn't supported in USA.
Does anyone know of any EU country that still doesn't enforce 2FA?

[prestomation]

Unfortunately my CDMA CPAP no longer connects to myAir so I'm unable to continue development on this integration. I'm happy to turn over ownership of this integration to anyone interested.

[GuruPG]

Unfortunately my CDMA CPAP no longer connects to myAir so I'm unable to continue development on this integration. I'm happy to turn over ownership of this integration to anyone interested.

Hello @prestomation
That's very kind, unfortunately I'm completely useless when it comes to things like code and programing.
I understand you no longer have a connecting machine so it it would be difficult to test and working solution would be of no benefit to yourself.
If however you would be able to assist in getting this working I'm more then happy to give you complete access to anything you need from my end and would also be more then happy to share my ResMed account login and password to enable you to test and try to get this working. I haven't yet setup my ResMed account as there has been an issue with my email.
Perhaps I could set it up wit a new Gmail address, you could have access to the email account for testing enabling you easy access to OTA codes etc.
Once completed I would delete the account and setup my own personal one.
I'm happy to lose my data for the greater good of getting this working for everyone.

[horstca]

Are there any news? I just found this integration just now. I am located in Germany where 2FA is forced.