Login 401 from Postman client
Opened this issue ยท 20 comments
Hey,
I was trying to connect to musycal.ly from a postman client so I tried to understand the Php code of src/musically.php, however, I am getting a 401 but I ain't sure about why.
There is my request:
[POST] https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true
Headers (22):
x-www-form-encoded:
And I am getting:
{
"timestamp": 1521470164701,
"status": 401,
"error": "Unauthorized",
"exception": "net.vickymedia.passport.composite.exception.UnauthorizedException",
"message": "Unauthorized",
"path": "/v2/login"
}
Do you have any idea why? The 3 Variables USERNAME, USER_EMAIL, and USER_PASSWORD are replaced by the correct values of course.
Thanks for any update !
Most likely is that your X-Request-Sign5 header value is invalid. The header value is an HMAC-SHA1 hash of the request info which contains a time stamp, if the time stamp is very old, like when this library was written then the server will most likely say you are unauthorised. You need to generate your own X-Request-Info5 header value and then your own X-Request-Sign5 header value to get the correct response.
Hey, thanks for your answer !
So I just need to generate a HMAC-SHA1 hash of a current timestamp?
You need to generate your own X-Request-Info5 header value What is it corresponding to?
Thanks !
Base64 decode your current X-Request-Info5 header value, replace the time stamp with a current one and then encode it with base64 again. Generate an HMAC-SHA1 hash of that new value and that is the new X-Request-Sign5.
Okay thank you, last question, do you know by any chance the key to use for the HMAC-SHA1 hash?
It depends on whether or not you want to emulate the Android app or the IOS app.
Since in the header I am giving the information that I am using an iOS device, let's use the full iOS logic?
Here's a helpful article I wrote for everyone: https://medium.com/@charliethinks/reverse-engineering-musical-y-live-ly-android-apps-part-1-a910daad2ec2
Hey, nice link, really interesting !
I was just wondering if you could explain to me the "M-TOKEN hash=" logic please?
Also, I don't know if the signature works X-Request* works since my token is probably wrong :/
But thanks !
The "M-TOKEN hash=" is given to you as a header after login I believe, or at least a very specific endpoint.
Hey,
Yeah it comes from the login response, thanks.
Max
Success (y) Thanks for your help
@charlieAndroidDev Could you make your prescribed changes and send a pull request. Thanks
If were you, I would wait just a bit, I am currently writing an updated version. Once I am done, I will send it to @charlieAndroidDev .
After then, he will be able to make maybe a more understandable code.
Best,
Yeah Iโm happy to do that. There are gonna be pretty huge changes though...
@charlieAndroidDev has it changed that much?
They didn't seem to care too much about checking security precautions when I first looked at it.
@mangledbottles Not that much, but it changed
@charlieAndroidDev Thank you ๐๐
@charlieAndroidDev Woah, I should have found your medium write up earlier. I took a different approach to get the signature.. which works but.. it's not easy to setup for consistent use. See my repository (which also includes a c# musical.ly API): https://github.com/AeonLucid/MusicallyRE
Edit: Implemented the HMAC-SHA1 signature generation.
Stuck on this also...
base64_decode for X-Request-Info5 (note that deviceid is the same as "Slider-Show-Session" :??):
{"method":"POST","os":"iOS 9.0.1","X-Request-ID":"D7698DF1-3676-499F-AEAA-9EBE6564E32F","ostype":"ios","deviceid":"i0cd770c6af4d34659ba7211079066de8bb3","version":"5.7.1","timestamp":"1496086576000","-r":"5054","url":"https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true"}
I replace that timestamp with current time()."000" one:
{"method":"POST","os":"iOS 9.0.1","X-Request-ID":"D7698DF1-3676-499F-AEAA-9EBE6564E32F","ostype":"ios","deviceid":"i0cd770c6af4d34659ba7211079066de8bb3","version":"5.7.1","timestamp":"1528578105000","-r":"5054","url":"https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true"}
I base64_encode it:
eyJtZXRob2QiOiJQT1NUIiwib3MiOiJpT1MgOS4wLjEiLCJYLVJlcXVlc3QtSUQiOiJENzY5OERGMS0zNjc2LTQ5OUYtQUVBQS05RUJFNjU2NEUzMkYiLCJvc3R5cGUiOiJpb3MiLCJkZXZpY2VpZCI6ImkwY2Q3NzBjNmFmNGQzNDY1OWJhNzIxMTA3OTA2NmRlOGJiMyIsInZlcnNpb24iOiI1LjcuMSIsInRpbWVzdGFtcCI6IjE1Mjg1NzgxMDUwMDAiLCItciI6IjUwNTQiLCJ1cmwiOiJodHRwczpcL1wvYXBpLm11c2ljYWwubHlcL3Jlc3RcL3Bhc3Nwb3J0XC92MlwvbG9naW4/c3VwcG9ydExvZ2luVmVyaWZ5PXRydWUifQ==
I create HMAC-SH1 above base64 string at https://www.freeformatter.com/hmac-generator.html with the key "016bb7aee66891f9b6ce10f03874eb3889f24546aa&i0cd770c6af4d34659ba7211079066de8bb3" :
3cee6e8c032b8aebad9e1e162384776a8c68ce60
appended the 01a6 (also tried with 01i6) to it to use as X-Request-Sign5 but it gives me a 400 error
@farrusete The IOS app may well use a different secret key to the one used in the Android app. I have not reverse engineered the IOS app whatsoever and as such cannot comment on whether replicating an iOS request in such a way would work at all.