Login 401 from Postman client

Question

Login 401 from Postman client

Opened this issue 7 years ago · 20 comments

Hey,

I was trying to connect to musycal.ly from a postman client so I tried to understand the Php code of src/musically.php, however, I am getting a 401 but I ain't sure about why.

There is my request:

[POST] https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true

Headers (22):

x-www-form-encoded:

And I am getting:

{
    "timestamp": 1521470164701,
    "status": 401,
    "error": "Unauthorized",
    "exception": "net.vickymedia.passport.composite.exception.UnauthorizedException",
    "message": "Unauthorized",
    "path": "/v2/login"
}

Do you have any idea why? The 3 Variables USERNAME, USER_EMAIL, and USER_PASSWORD are replaced by the correct values of course.

Thanks for any update !

Answer 1 · 2018-03-20T01:00:56.000Z

Most likely is that your X-Request-Sign5 header value is invalid. The header value is an HMAC-SHA1 hash of the request info which contains a time stamp, if the time stamp is very old, like when this library was written then the server will most likely say you are unauthorised. You need to generate your own X-Request-Info5 header value and then your own X-Request-Sign5 header value to get the correct response.

Answer 2 · 2018-03-20T13:34:25.000Z

Hey, thanks for your answer !

So I just need to generate a HMAC-SHA1 hash of a current timestamp?

You need to generate your own X-Request-Info5 header value What is it corresponding to?

Thanks !

Answer 3 · 2018-03-21T20:37:35.000Z

Base64 decode your current X-Request-Info5 header value, replace the time stamp with a current one and then encode it with base64 again. Generate an HMAC-SHA1 hash of that new value and that is the new X-Request-Sign5.

Answer 4 · 2018-03-21T21:08:22.000Z

Okay thank you, last question, do you know by any chance the key to use for the HMAC-SHA1 hash?

Answer 5 · 2018-03-22T13:38:23.000Z

It depends on whether or not you want to emulate the Android app or the IOS app.

Answer 6 · 2018-03-22T15:15:04.000Z

Since in the header I am giving the information that I am using an iOS device, let's use the full iOS logic?

Answer 7 · 2018-03-22T15:54:44.000Z

Here's a helpful article I wrote for everyone: https://medium.com/@charliethinks/reverse-engineering-musical-y-live-ly-android-apps-part-1-a910daad2ec2

Answer 8 · 2018-03-27T22:22:28.000Z

Hey, nice link, really interesting !

I was just wondering if you could explain to me the "M-TOKEN hash=" logic please?
Also, I don't know if the signature works X-Request* works since my token is probably wrong :/

But thanks !

Answer 9 · 2018-03-28T11:52:22.000Z

The "M-TOKEN hash=" is given to you as a header after login I believe, or at least a very specific endpoint.

Answer 10 · 2018-03-28T18:47:27.000Z

Hey,

Yeah it comes from the login response, thanks.

Max

Answer 11 · 2018-03-29T19:12:13.000Z

Success (y) Thanks for your help

Answer 12 · 2018-03-29T19:47:23.000Z

@charlieAndroidDev Could you make your prescribed changes and send a pull request. Thanks

Answer 13 · 2018-03-29T20:24:32.000Z

@mangledbottles

If were you, I would wait just a bit, I am currently writing an updated version. Once I am done, I will send it to @charlieAndroidDev .

After then, he will be able to make maybe a more understandable code.

Best,

Answer 14 · 2018-03-29T23:52:45.000Z

Yeah I’m happy to do that. There are gonna be pretty huge changes though...

Answer 15 · 2018-03-30T19:51:05.000Z

@charlieAndroidDev has it changed that much?
They didn't seem to care too much about checking security precautions when I first looked at it.

Answer 16 · 2018-03-30T21:14:55.000Z

@mangledbottles Not that much, but it changed

Answer 17 · 2018-04-06T02:36:36.000Z

@charlieAndroidDev Thank you 👏👏

Answer 18 · 2018-04-07T23:39:58.000Z

@charlieAndroidDev Woah, I should have found your medium write up earlier. I took a different approach to get the signature.. which works but.. it's not easy to setup for consistent use. See my repository (which also includes a c# musical.ly API): https://github.com/AeonLucid/MusicallyRE

Edit: Implemented the HMAC-SHA1 signature generation.

Answer 19 · 2018-06-09T21:26:07.000Z

Stuck on this also...

base64_decode for X-Request-Info5 (note that deviceid is the same as "Slider-Show-Session" :??):

{"method":"POST","os":"iOS 9.0.1","X-Request-ID":"D7698DF1-3676-499F-AEAA-9EBE6564E32F","ostype":"ios","deviceid":"i0cd770c6af4d34659ba7211079066de8bb3","version":"5.7.1","timestamp":"1496086576000","-r":"5054","url":"https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true"}

I replace that timestamp with current time()."000" one:

{"method":"POST","os":"iOS 9.0.1","X-Request-ID":"D7698DF1-3676-499F-AEAA-9EBE6564E32F","ostype":"ios","deviceid":"i0cd770c6af4d34659ba7211079066de8bb3","version":"5.7.1","timestamp":"1528578105000","-r":"5054","url":"https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true"}

I base64_encode it:

eyJtZXRob2QiOiJQT1NUIiwib3MiOiJpT1MgOS4wLjEiLCJYLVJlcXVlc3QtSUQiOiJENzY5OERGMS0zNjc2LTQ5OUYtQUVBQS05RUJFNjU2NEUzMkYiLCJvc3R5cGUiOiJpb3MiLCJkZXZpY2VpZCI6ImkwY2Q3NzBjNmFmNGQzNDY1OWJhNzIxMTA3OTA2NmRlOGJiMyIsInZlcnNpb24iOiI1LjcuMSIsInRpbWVzdGFtcCI6IjE1Mjg1NzgxMDUwMDAiLCItciI6IjUwNTQiLCJ1cmwiOiJodHRwczpcL1wvYXBpLm11c2ljYWwubHlcL3Jlc3RcL3Bhc3Nwb3J0XC92MlwvbG9naW4/c3VwcG9ydExvZ2luVmVyaWZ5PXRydWUifQ==

I create HMAC-SH1 above base64 string at https://www.freeformatter.com/hmac-generator.html with the key "016bb7aee66891f9b6ce10f03874eb3889f24546aa&i0cd770c6af4d34659ba7211079066de8bb3" :

3cee6e8c032b8aebad9e1e162384776a8c68ce60

appended the 01a6 (also tried with 01i6) to it to use as X-Request-Sign5 but it gives me a 400 error

Answer 20 · 2018-06-11T12:57:47.000Z

@farrusete The IOS app may well use a different secret key to the one used in the Android app. I have not reverse engineered the IOS app whatsoever and as such cannot comment on whether replicating an iOS request in such a way would work at all.