MFA: Unexpected end of JSON input when submitting MFA code via json post

[alandtse]

TLDR: Check your headers. Autogenerating headers fixed my issue.

I ran into an interesting problem that was infuriating to resolve so I thought I'd share it here. I am building a python auth capture proxy library based on aiohttp that basically is intended to allow credential interception of any oauth page. It is intended to help fix the tesla integration at Home Assistant because frankly I hate fixing screen scraping implementations particularly if they require Javascript processing on the client side.

The error message arises when you do the post to https://auth.tesla.com/oauth2/v3/authorize/mfa/verify with the MFA code which replicates this call from Tesla's MFA page.

        ajax("POST", "/oauth2/v3/authorize/mfa/verify", {
          transaction_id: "CZyGV5EN",
          factor_id: factor.id,
          passcode: passcode
        }, function (err, response, statusCode) {
          button.disabled = false;

          spinnerStop();

          //console.log(err);
          //console.log("VERIFY RESPONSE", statusCode);
          //console.log(JSON.stringify(response, null, 2));

          if (err) {
            console.log("Unhandled error");
            console.error(err);
            return;
          }

Any submission of the code whether malformed or not would result in:

{
   "error":{
      "code":400,
      "reason":"SyntaxError",
      "message":"Unexpected end of JSON input",
      "referenceID":"da23fb4090534ec099f04a0e43079396-1613126416029"
   }
}

The fix was letting aiohttp just autogenerate new headers with the post request. In the example code below when I commented out the headers parameter, I was able to submit the MFA code and succeed with the login. When I had the headers, I would get:

                elif json_data:
                    resp = await getattr(self.session, method)(
                        site,
                        json=json_data,
                        headers=headers,
                        # apparently headers aren't needed for Tesla case?
                    )

I don't understand why this works, as the same headers worked for every other interaction except for the post json. But since it works repeatedly. I'll go with it. Here's the headers if anyone wants to experiment to figure out the minimum.

Good (autogenerated by aiohttp):

{
    "Accept": "*/*",
    "Accept-Encoding": "gzip, deflate",
    "Content-Length": "105",
    "Content-Type": "application/json",
    "Cookie": "TS6e0b27e6027=08ce580718ab2000...; tesla-auth.sid=s%3A9JoFZC...",
    "Host": "auth.tesla.com",
    "User-Agent": "Python/3.8 aiohttp/3.7.3"
}

Bad (generated by browser with replacements):

{
   "Host":"auth.tesla.com",
   "X-Forwarded-Scheme":"https",
   "X-Forwarded-Proto":"https",
   "X-Forwarded-For":"192.168.1.1",
   "X-Real-IP":"192.168.1.1",
   "Content-Length":"100",
   "sec-ch-ua":"\"Chromium\";v=\"88\", \"Google Chrome\";v=\"88\", \";Not A Brand\";v=\"99\"",
   "Accept":"application/json",
   "dnt":"1",
   "X-Requested-With":"com.teslamotors.tesla",
   "sec-ch-ua-mobile":"?0",
   "User-Agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36",
   "Content-Type":"application/json;charset=UTF-8",
   "Origin":"https://auth.tesla.com",
   "sec-fetch-site":"same-origin",
   "sec-fetch-mode":"cors",
   "sec-fetch-dest":"empty",
   "Referer":"https://auth.tesla.com/oauth2/v3/authorize?client_id=ownerapi&code_challenge=SNIP&code_challenge_method=S256&redirect_uri=https://auth.tesla.com/void/callback&response_type=code&scope=openid+email+offline_access&state=u5UBPIuVbHGIQy72dr50GcUGXViFjBaqa769BEkc5vdQDLskAAwgwd0uHAZsrQeHy5Y2ztuFzUvQqYHf0_gdGw",
   "Accept-Encoding":"gzip, deflate, br",
   "Accept-Language":"en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7,ja;q=0.6,mt;q=0.5",
   "x-tesla-user-agent":"TeslaApp/3.10.9-433/adff2e065/android/10",
   "Cookie": "TS6e0b27e6027=08ce580718ab2000...; tesla-auth.sid=s%3A9JoFZC..., csm-hit=tb:03G1FG4SP67BKETK8G3Z+s-ANHGB69F7KKCKQZ6JA53|1613019298183&t:1613019 98183&adb:adblk_yes; i18next=en-US;"
}

[alandtse]

As an update, I disabled the user-agent generation and only am auto generating the content-length and it still works for MFA.