Changed gigya auth
Thomas Kopetsch committed Oct 4, 2018
1 parent 2fdbe2f commit f3cb73a
Showing 1 changed file with 8 additions and 9 deletions.
17 changes: 8 additions & 9 deletions resources/lib/pigskin/pigskin.py
Expand Up @@ -272,10 +272,9 @@ def _gp_auth(self, username, password, gigya_data=False):
'uuid' : gigya_data['UID'],
'signature' : gigya_data['UIDSignature'],
'ts' : gigya_data['signatureTimestamp'],
'errorCode' : '0',
'device_type' : 'web',
'username' : username,
'password' : password,
'grant_type' : 'password'
'grant_type' : 'shield_authentication'
}

try:
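
Review bot: `'grant_type'` is hard-coded to `'shield_authentication'` in this payload with no comment saying where the value comes from or which accounts need it. Add a short comment naming the source of the new value, and consider retrying with `'password'` when the token request is rejected, so that a server that still expects the old grant type does not turn into an unexplained login failure. If `'username'` and `'password'` are still sent next to the Gigya `'signature'` and `'ts'`, check whether the server needs them at all; a plaintext password that is not required should not travel in this form body, where it also ends up in request logs.
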
Expand Down Expand Up @@ -327,13 +326,13 @@ def login(self, username, password, force=False):
to determine if access has been granted.
"""
# if the user already has access, just skip the entire auth process
if not force:
if self.check_for_subscription():
self.logger.debug('No need to login; the user already has access.')
return True
#if not force:

aqw Oct 4, 2018

Needed?

tommmlij Oct 4, 2018

Owner

Yes.
check_for_subscription seems to be wrong. Here is a sample output:

14:04:43.309 T:13240 ERROR: request:
14:04:43.309 T:13240 ERROR: { "body": null, "headers": { "Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Authorization": "Bearer None", "Connection": "keep-alive", "User-Agent": "python-requests/2.19.1" }, "method": "GET", "uri": "https://www.nflgamepass.com/api/user/api/users/v1/subscription/myaccount" }
14:04:43.309 T:13240 ERROR: response:
14:04:43.309 T:13240 ERROR: { "body": { "code": "UR_10006", "httpStatusCode": 401, "id": "3c92b261-e189-4e9e-831d-f21981418a1c", "message": "error_unauthorised", "validationErrors": null }, "headers": { "Cache-Control": "max-age=0, no-cache, no-store", "Connection": "keep-alive", "Content-Length": "139", "Content-Type": "application/json; charset=utf-8", "Date": "Thu, 04 Oct 2018 12:04:43 GMT", "Expires": "Thu, 04 Oct 2018 12:04:43 GMT", "Pragma": "no-cache", "Request-Context": "appId=cid-v1:449ff629-0650-4d0a-b5fd-df8ec97c3d76", "Server": "Microsoft-IIS/10.0", "WWW-Authenticate": "Bearer", "X-Powered-By": "ASP.NET" }, "status_code": 401 }
14:04:43.309 T:13240 ERROR: No need to login; the user already has access.

So you will end up without the tokens which prevents getting the stream later.
Instead of fixing the function, I commented it out...

tommmlij Oct 4, 2018

Owner

The thing to do would be to fix the function, of course ;)

aqw Oct 4, 2018

Yeah; I have rewritten this function as part of my pigskin rewrite, so it should be working there now.

If you've determined that this is a problem, does authentication work if you remove all your other changes and just skip this subscription check?

tommmlij Oct 4, 2018

Owner

I saw that and was tempted to implement the changes in pigskin into the xbmc-plugin, but had no time...

tommmlij Oct 4, 2018

Owner

I'll test....

tommmlij Oct 4, 2018

Owner

When I remove the problem with check_for_subscription and the exception in _gp_auth and use the initial request configuration, I'll get this:

14:22:15.373 T:12612   ERROR: request:
14:22:15.373 T:12612   ERROR: {
                                                "body": "errorCode=0&username=tom%40halheaven.de&grant_type=password&uuid=f84e9dbd405b954c11a2779558b29613&client_id=42cc360e-6fbb-4472-9437-2f088b8730de&signature=Bai7mM9JvJYqaKKH8ogdHP9q3QQ%3D&password=dssdfsdfsdf&ts=1538655735", 
                                                "headers": {
                                                    "Accept": "*/*", 
                                                    "Accept-Encoding": "gzip, deflate", 
                                                    "Connection": "keep-alive", 
                                                    "Content-Length": "217", 
                                                    "Content-Type": "application/x-www-form-urlencoded", 
                                                    "User-Agent": "python-requests/2.19.1"
                                                }, 
                                                "method": "POST", 
                                                "uri": "https://www.nflgamepass.com/api/user/oauth/token"
                                            }
14:22:15.373 T:12612   ERROR: response:
14:22:15.373 T:12612   ERROR: {
                                                "body": "<HTML><HEAD>\n<TITLE>Access Denied</TITLE>\n</HEAD><BODY>\n<H1>Access Denied</H1>\n \nYou don't have permission to access \"http&#58;&#47;&#47;www&#46;nflgamepass&#46;com&#47;api&#47;user&#47;oauth&#47;token\" on this server.<P>\nReference&#32;&#35;18&#46;1e016068&#46;1538655735&#46;a1b32\n</BODY>\n</HTML>\n", 
                                                "headers": {
                                                    "Cache-Control": "max-age=0, no-cache, no-store", 
                                                    "Connection": "close", 
                                                    "Content-Length": "298", 
                                                    "Content-Type": "text/html", 
                                                    "Date": "Thu, 04 Oct 2018 12:22:15 GMT", 
                                                    "Expires": "Thu, 04 Oct 2018 12:22:15 GMT", 
                                                    "Mime-Version": "1.0", 
                                                    "Pragma": "no-cache", 
                                                    "Server": "AkamaiGHost"
                                                }, 
                                                "status_code": 403
                                            }
14:22:15.373 T:12612   ERROR: login: server response is invalid

(I changed the pw...)

# if self.check_for_subscription():
# self.logger.debug('No need to login; the user already has access.')
# return True


for auth in [self._gp_auth, self._gigya_auth]:
for auth in [self._gigya_auth]:

aqw Oct 4, 2018

Needed?

tommmlij Oct 4, 2018

Owner

Yes.
If the gp_auth fails, the script fails, I don't know why exactly, because I don't know much about Python Exception handling.
Here is a debug output:
14:10:21.990 T:9292 ERROR: Trying _gp_auth authentication.
14:10:22.013 T:9292 ERROR: request:
14:10:22.013 T:9292 ERROR: { "body": "username=tom%40halheaven.de&password=adsfdsfssf&client_id=42cc360e-6fbb-4472-9437-2f088b8730de&grant_type=password", "headers": { "Accept": "*/*", "Accept-Encoding": "gzip, deflate", "Connection": "keep-alive", "Content-Length": "112", "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "python-requests/2.19.1" }, "method": "POST", "uri": "https://www.nflgamepass.com/api/user/oauth/token" }
14:10:22.013 T:9292 ERROR: response:
14:10:22.013 T:9292 ERROR: { "body": "<HTML><HEAD>\n<TITLE>Access Denied</TITLE>\n</HEAD><BODY>\n<H1>Access Denied</H1>\n \nYou don't have permission to access \"http&#58;&#47;&#47;www&#46;nflgamepass&#46;com&#47;api&#47;user&#47;oauth&#47;token\" on this server.<P>\nReference&#32;&#35;18&#46;15016068&#46;1538655021&#46;3400651\n</BODY>\n</HTML>\n", "headers": { "Cache-Control": "max-age=0, no-cache, no-store", "Connection": "close", "Content-Length": "300", "Content-Type": "text/html", "Date": "Thu, 04 Oct 2018 12:10:21 GMT", "Expires": "Thu, 04 Oct 2018 12:10:21 GMT", "Mime-Version": "1.0", "Pragma": "no-cache", "Server": "AkamaiGHost" }, "status_code": 403 }
14:10:22.013 T:9292 ERROR: login: server response is invalid
14:10:24.573 T:12324 NOTICE: Storing total System Uptime

aqw Oct 4, 2018

Ok, so the exception needs to be caught. But moving the ._gp_auth entirely will break authentication for everyone who doesn't use Gigya.

tommmlij Oct 4, 2018

Owner

I was expecting something like that. This is why I forked...

aqw Oct 4, 2018

You're, of course, always welcome to fork. The joys of open source.

But this is definitely something which can be fixed in the main project, we just need someone testing (you) who actually /is/ covered by Gigya auth.

tommmlij Oct 4, 2018

Owner

Happy to help ;)

self.logger.debug('Trying {0} authentication.'.format(auth.__name__))
try:
data = auth(username, password)
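
Review bot: `for auth in [self._gigya_auth]:` drops `self._gp_auth` from the list, so an account that is not handled by Gigya has no authentication path left. Keep both entries and let a failed `_gp_auth` attempt fall through to the next method, with the `try:` around `auth(username, password)` catching what it raises. The commented-out `check_for_subscription()` block also leaves the `force` parameter of `login()` unused and the comment above it stale; either repair the check so that an unauthorised response does not count as access, or delete the block together with the parameter.
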
Expand Down Expand Up @@ -954,7 +953,7 @@ def _get_diva_streams(self, video_id, diva_config_url):
}
for vs in akamai_xml.iter('videoSource'):
try:
vs_format = vs.attrib['format'].lower()
vs_format = vs.attrib['name'].lower()
vs_url = vs.find('uri').text
except (KeyError, AttributeError):
continue
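
Review bot: `vs_format` is read from `vs.attrib['name']` but keeps a name that says it holds the format, and a `videoSource` element without that attribute is skipped by `except (KeyError, AttributeError): continue` with no log line. If the feed changes again, every source is dropped silently and the caller only sees that no streams were found. Rename the variable or add a comment on why `name` carries the format, fall back to `format` when `name` is absent, and log the skipped element at debug level.
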

2 comments on commit f3cb73a

@aqw aqw commented on f3cb73a Oct 4, 2018

Does this work for you if you undo the changes that I marked as "needed?"

Gigya is not rolled out uniformly across regions (annoying as hell), so I can't test this.

The grant type change is interesting to me, as "password" did work for me, back when I was covered by Gigya, but I know Plex uses the shield_authentication.

@tommmlij
Owner

I answered in the individual comments...

Regarding pw vs. shield, I have no opinion, just did what was done in the request in Chrome ;)