Forbidden again | Migrate to new auth ? #26

Open
RobertWojtowicz opened this issue Oct 17, 2023 · 5 comments
Comments

@RobertWojtowicz

RobertWojtowicz commented Oct 17, 2023

Hi,
@abrander @davidkroell

Again there is a problem with authorization; maybe the solution is a new method of authorization (OAuth)?
petergardfjall/garminexport#104

The problem is already reported in 2 threads using bodycomposition (based on the garmin-connect library):
RobertWojtowicz/export2garmin#31
davidkroell/bodycomposition#19

BR,
Robert

@davidkroell
Contributor

They are using matin/garth, which is written in Python. I think we'll need a Golang port of that to fix the authentication flow again.

@abrander are you willing to implement this?

@abrander
Owner

This one is irritating. We're getting caught in Cloudflare's anti-bot system. I would really like to know if Garmin changed something to get rid of third-party API usage, if Cloudflare changed something, or if the "web department" at Garmin simply turned on bot protection for the complete garmin.com domain without considering the API endpoints. If Garmin is actively trying to deter third parties from using the API, this will turn into a year-long game of whack-a-mole, which will be fun but time-consuming.

@davidkroell You're mentioning OAuth - fun fact: the initial version of this package (before publishing to GitHub) did, in fact, use OAuth2, but I opted for automating the web-based flow before publishing. I'm not not willing to implement this again ;-)

I don't know the best way forward. OAuth1/2 is well-understood as a protocol. Still, I like that we have existed for almost five years without leaking Garmin secrets and being honest about who we are - and I would like to continue doing exactly that.

Another well-known Garmin API project makes the OAuth tokens available in Amazon S3 - maybe we can retrieve those at runtime? Then we don't actually publish them ourselves, but it would still work out of the box for end users?

I see some options:

  • A1: Just steal the damn OAuth tokens from the app and hardcode them.
  • A2: Retrieve the tokens from another project at runtime.
  • B1: Get better at imitating a browser and lie to Cloudflare (and Garmin).
  • B2: Use a real browser using Selenium or similar.

Technically I think A1 and A2 are the easiest to implement.

@matin

matin commented Oct 25, 2023

Garth maintainer here.

Some comments:

  • The OAuth1 token is valid for a year, which is a game changer for anyone with MFA.
  • I don't recommend hard-coding the keys. You mentioned one of the reasons. There's another reason as well: Garmin could update them.

@RobertWojtowicz
Author

RobertWojtowicz commented Nov 27, 2023

Hi @abrander

Any good news on solving this problem?
Unfortunately, the alternative YAGCC client does not support ARMv6 (older RPi).
RobertWojtowicz/export2garmin#34

I'd like to return to the good bodycomposition solution created by @davidkroell.

BR,
Robert
