Authentication failed (ewelink-api)

[SpoedNick80]

Hi all,

I have been using the ewelink node api for more than a year now on my solar home automation system. Been working flawless, but now the api returns 'Authentication failed'. I noticed my Authorization Key expired on https://dev.ewelink.cc. I deleted the old app created a new one and started using the new APP_ID and APP_SECRET. Its been more than a week now and its still not working. Has there been changes to the API or something i'm not aware of?

Thanks for any help in advance.
lou

[garikou]

Similar issue here but API key has not expired for me, but I get a 407 path request not allowed for any endpoint that was already working before. Created a ticket and they sent me to talk to [email protected], no reply from them for the last 5 days.

[NickWaterton]

Same problem here. Created a new APP_ID and APP_SECRET (even though previous had not expired), but same message:

407 path request not allowed for appid:xxxxxxxxxxxxxxxxxxxxxx

Looks like something changed.

[garikou]

Yes, I got in touch with support and the only options are: -Pay for an enterprise license (2k/yr) to be able to call the /login endpoint directly -Login manually using the web interface to obtain an authorization token to interact with the rest of the endpoints

…

On Tue, 10 Dec 2024 at 8:24 PM Nick Waterton ***@***.***> wrote: Same problem here. Created a new APP_ID and APP_SECRET (even though previous had not expired), but same message: 407 path request not allowed for appid:xxxxxxxxxxxxxxxxxxxxxx Looks like something changed. — Reply to this email directly, view it on GitHub <#242 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A5R4D3RTOSNNQ3ID2NIM5TD2E5ZZFAVCNFSM6AAAAABR63CLYCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMZTGIYDKOJZHE> . You are receiving this because you commented.Message ID: ***@***.***>

[NickWaterton]

Well that’s super annoying.

when they say “login manually”, do they mean just send your login and password to get the token? I can’t see why you would have to specifically use the web interface.

I see they have a getToken endpoint, that expects a url to be passed - do you think this is what they are talking about?

[garikou]

Agree, they did this without any notice. This is what they replied. You are using Oauth2.0 interface, you can not directly call the login interface, you need to obtain an authorization code (at) in the authorization page, you can use this at to call other interfaces. https://coolkit-technologies.github.io/eWeLink-API/#/en/OAuth2.0?id=access-process <https://coolkit-technologies.github.io/eWeLink-API/#/en/OAuth2.0> You basically need to setup a web page (the authorization page) where you would enter the user/pass in an form to obtain the authorization token. “After the user fills in the account password and clicks login successfully, the page will jump to the redirect address URL you added before and carries the parameters code, regin, state, and the request method is GET.”

…

On Tue, 10 Dec 2024 at 9:44 PM Nick Waterton ***@***.***> wrote: Well that’s super annoying. when they say “login manually”, do they mean just send your login and password to get the token? I can’t see why you would have to specifically use the web interface. I see they have at getToken endpoint, that expects a url to be passed - do you think this is what they are talking about? — Reply to this email directly, view it on GitHub <#242 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A5R4D3XUBAQSCL7DKPL5JLT2E6DIPAVCNFSM6AAAAABR63CLYCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMZTGM3DCMRQGE> . You are receiving this because you commented.Message ID: ***@***.***>

[NickWaterton]

I have a feeling they don’t know what they are talking about. There is no need to have an actual web page for people to fill in.

I’ve read their docs, the problem is that most of them are out of date, or don’t actually work.

I’ll figure it out.

[garikou]

if you figure out how to do it without the webpage please let me know. thank you!

…

On Tue, Dec 10, 2024 at 10:44 PM Nick Waterton ***@***.***> wrote: I have a feeling they don’t know what they are talking about. There is no need to have an actual web page for people to fill in. I’ve read their docs, the problem is that most of them are out of date, or don’t actually work. I’ll figure it out. — Reply to this email directly, view it on GitHub <#242 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/A5R4D3RXIUJEJ7L6ZHUPP6T2E6KHJAVCNFSM6AAAAABR63CLYCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKMZTGQZTCNRXHE> . You are receiving this because you commented.Message ID: ***@***.***>

[SpoedNick80]

It seems the api only supports oauth2 now. I wrote an application in Python to fetch the oath token. Then with the token I'm able to get status/update/stop/start devices. I am by no mean a developer by trade, but if your stuck let me know and I can upload the code here....

[NickWaterton]

@SpoedNick80 If you have some code that gets the token without using the /v2/user/login end point I would certainly be interested.

Feel free to upload a snippet.

[Husseinhassan1]

@SpoedNick80 Would you be able to share the code? It's my first time using this library and I couldn't get even the basic example from the documentation to work as I am getting this error

[NickWaterton]

@Husseinhassan1 This is the problem, this library won’t work anymore, as they have moved the login end point to be an enterprise feature.

[NickWaterton]

Ok, so I figured out how to get the code (without the login page), I can pass that to get token and successfully get the access and refresh tokens.

Problem is when you use this access token to try to get the apikey you get the same error messagepath not allowed for app id:xxxxxxxxxxxxxxxxx.

So, I’m still stuck. I can query devices, homes etc, but you can’t connect to the websocket without the apikey.

[NickWaterton]

So, I finally have it working again.

The process is:

1. Obtain the access code
2. exchange the access code for an access token
3. get the family data to obtain the apikey
4. open the websocket using the obtained apikey and access token

To get the access code (without using the login page) - sorry this is Python:
APP = [(appid, clientsecret)]
redirectUrl is the redirect url you defined in the developer console for the app - it is NOT USED, so it can be whatever you want, but it has to match. I used "https://127.0.0.1:8888"
helper methods:

    def makeSign(self, key, message):
        j = hmac.new(key.encode(), message.encode(), digestmod=hashlib.sha256)
        return (base64.b64encode(j.digest())).decode()

    def get_nonce(self):
        ts = time.time()
        return str(int(ts))[-8:]
        
    def get_ts(self):
        '''
        gets timestamp in ms as string
        '''
        return str(int(time.time()* 1000))

    async def get_code(login, password, app=0):
        appid, appsecret = APP[app]
        seq = self.get_ts()
        nonce = self.get_nonce()
        state = '12345'
        sign = self.makeSign(appsecret, '{}_{}'.format(appid, seq))
        payload =   {   'authorization' : 'Sign ' + sign,
                        "email" : login,
                        "password" : password,
                        'seq': seq,
                        'clientId': appid,
                        "state" : state,
                        "grantType" : "authorization_code",
                        'redirectUrl':redirectUrl,
                        "nonce" : nonce
                    }
        data = json.dumps(payload).encode()
        headers =   {   "X-CK-Appid": appid,
                        "X-CK-Nonce": nonce,
                        "X-CK-Seq": seq,
                        "Authorization": "Sign " + sign,
                        "Content-Type": "application/json; charset=utf-8"
                    }    
        url = "https://apia.coolkit.cn/v2/user/oauth/code"
        self.log.info('Logging in via: {} with {} and {}'.format(url, appid, appsecret))
        r = await self.session.post(
            url, data=data, headers=headers,
            timeout=30
        )
        resp = await r.json()
        return resp['data']

the access code is in resp.
To get the access token from the access code:

    async def get_token(self, code, app=0):
        '''
        get token from code
        '''
        appid, appsecret = APP[app]
        payload = { "code": code,
                    "redirectUrl":redirectUrl,
                    "grantType":"authorization_code"
                  }
        data = json.dumps(payload).encode()
        sign = self.makeSign(appsecret, json.dumps(payload))
        headers =   {   "X-CK-Appid": appid,
                        "X-CK-Nonce": self.get_nonce(),
                        "Authorization": "Sign " + sign,
                        "Content-Type": "application/json; charset=utf-8"
                    }
        self.host = "https://us-apia.coolkit.cc" #depends on region (returned with code)
        url =  self.host + '/v2/user/oauth/token'
        self.log.info('Getting token via: {} with code: {}'.format(url, code))
        r = await self.session.post(
            url, data=data, headers=headers,
            timeout=30
        )
        resp = await r.json()
        return resp['data']

The access token, refresh token and expiry dates (in timestamp milliseconds) are returned.
To get the apikey using the access token:

    async def _get(self, token, app = 0):
        headers = { "Authorization": "Bearer " + token,
                    "X-CK-Appid": APP[app][0]}
        r = await self.session.get(
            self.host + '/v2/family', headers=headers, timeout=5
        )
        resp = await r.json()
        return resp['data']

The apikey is contained in the returned json, and can be used to open and connect to the websocket.

Sorry this is a bit rough, and in Python, but hopefully you understand the sequence.

[gbsallery]

@NickWaterton that's extremely helpful, thank you. Can confirm that your approach works when implemented in Kotlin.