Error: 406 { error: 406, msg: 'Authentication failed' }
ksaye opened this issue · 21 comments
I have been using the Node ewelink-api for years and really do like the automation it gives me. I wrote about it here: https://kevinsaye.wordpress.com/2020/11/03/home-automation-creating-an-azure-function-to-control-sonoff-via-ewelink/
In the last few days, I noticed it stopped working and I got the error message: { error: 406, msg: 'Authentication failed' }
Following #220, I tried to use the APP_ID and APP_SECRET, which resolved it. Documenting this issue here, in hopes it gets updated in the source and that others can get a quick fix.
Failing code, that worked for years:
```js
const ewelink = require('ewelink-api');

const connection = new ewelink({
  email: '*************',
  password: '**********',
  region: 'us'
});

(async () => {
  const bb = await connection.getDevices();
  console.log(bb);
})();
```
Response:
```
{ error: 406, msg: 'Authentication failed' }
```
New code:
```js
const ewelink = require('ewelink-api');

const connection = new ewelink({
  email: '*************',
  password: '***********',
  region: 'us',
  APP_ID: 'Uw83EKZFxdif7XFXEsrpduz5YyjP7nTl',
  APP_SECRET: 'mXLOjea0woSMvK9gw7Fjsy7YlFO4iSu6'
});

(async () => {
  const bb = await connection.getDevices();
  console.log(bb);
})();
```
Response (real JSON removed for sensitivity reasons):
```
[{*****}]
```
Same here.
Facing the same issue.
I resolved the issue like this.
```js
const newConnection = new ewelink({
  email: '******',
  password: '******',
  region: 'as',
  APP_ID: 'Uw83EKZFxdif7XFXEsrpduz5YyjP7nTl',
  APP_SECRET: 'mXLOjea0woSMvK9gw7Fjsy7YlFO4iSu6'
});
const devices = await newConnection.getDevices();
```
> I resolved the issue like this.
> ```js
> const newConnection = new ewelink({ email: '******', password: '******', region: 'as', APP_ID: 'Uw83EKZFxdif7XFXEsrpduz5YyjP7nTl', APP_SECRET: 'mXLOjea0woSMvK9gw7Fjsy7YlFO4iSu6' });
> const devices = await newConnection.getDevices();
> ```
It feels like this is something that will happen soon again.
Doesn't work for me
- You can create your own APPID repeatedly.
- We will provide a renewal method in the near future. Currently, it is automatic, and if you continue to use it, it will be automatically renewed.
As for Uw83EKZFxdif7XFXEsrpduz5YyjP7nTl, I sincerely do not recommend you to use it as it will bring security issues.
> - You can create your own APPID repeatedly.
> - We will provide a renewal method in the near future. Currently, it is automatic, and if you continue to use it, it will be automatically renewed.
>
> As for Uw83EKZFxdif7XFXEsrpduz5YyjP7nTl, I sincerely do not recommend you to use it as it will bring security issues.
Carl, not disagreeing but trying to understand the security issue.
What attack vector could there be?
@coolkit-carl I can also report the same issue. I'm using the library from node-red and it has become very unreliable. Can you please document the correct procedure and the requirements.
In summary - the old way of doing things by providing your actual username (phone or email) and password and a random person's AppId and Secret is no longer the correct way to be connecting to eWeLink v1 interface and is deprecated, and end of life.
It's time to move to v2 - which has a (custom) OAuth 2.0 login flow, which grants you an access token to use on subsequent requests.
This is talked about here #219 by @coolkit-carl
There is a working example for OAuth here https://github.com/coolkit-carl/eWeLinkOAuthLoginDemo - using that you can get a token, which you can then use as a HTTP Bearer token in subsequent HTTP requests as per the documentation here https://coolkit-technologies.github.io/eWeLink-API/#/en/PlatformOverview
see my longer comment on this here #220 (comment)
So in summary - it's time to give up trying to make this project work (as it uses the old v1 endpoints and an outdated method of connection with a password stored in plain text in your code) and move to the more common and more secure OAuth2.0 authorisation flow with the resultant token to use as a bearer token in future requests.
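Added example, not part of the thread and not code from ewelink-api: one way to act on the two concerns raised above, the password kept in plain text in the code and the publicly posted APP_ID. The `EWELINK_*` variable names and all function names are assumptions made for this example.

```javascript
// APP_ID posted publicly in this thread; the vendor advises against using it.
const SHARED_APP_IDS = new Set(['Uw83EKZFxdif7XFXEsrpduz5YyjP7nTl']);

// Constructor option -> environment variable (names are assumptions).
const FIELDS = {
  email: 'EWELINK_EMAIL',
  password: 'EWELINK_PASSWORD',
  region: 'EWELINK_REGION',
  APP_ID: 'EWELINK_APP_ID',
  APP_SECRET: 'EWELINK_APP_SECRET',
};

// Build the options object for `new ewelink({...})` from an env-like object.
function loadEwelinkConfig(env = process.env) {
  const config = {};
  const missing = [];
  for (const [field, name] of Object.entries(FIELDS)) {
    if (env[name]) config[field] = String(env[name]);
    else missing.push(name);
  }
  if (missing.length) {
    throw new Error(`missing environment variables: ${missing.join(', ')}`);
  }
  if (SHARED_APP_IDS.has(config.APP_ID)) {
    throw new Error('EWELINK_APP_ID is a publicly shared ID; create your own');
  }
  return config;
}

// Copy of the config that is safe to log: secret fields are masked.
function redact(config) {
  const masked = { ...config };
  for (const key of ['password', 'APP_SECRET']) {
    if (masked[key]) masked[key] = '***';
  }
  return masked;
}

// Flag credential literals left in JavaScript source text (e.g. in a CI check).
function findHardcodedSecrets(source) {
  const pattern = /\b(password|APP_SECRET|APP_ID)\s*:\s*(['"])((?:(?!\2).)+)\2/g;
  const findings = [];
  for (const m of source.matchAll(pattern)) {
    const line = source.slice(0, m.index).split('\n').length;
    findings.push({ key: m[1], line, shared: SHARED_APP_IDS.has(m[3]) });
  }
  return findings;
}
```

The object returned by `loadEwelinkConfig()` has the same keys as the constructor options shown in the first post, so it can be passed to `new ewelink(...)` unchanged.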
Thank you for the very clear explanation, is anyone aware of a patch for the AuthN function? The Node-Red module for SonOff devices depends on it.
> Thank you for the very clear explanation, is anyone aware of a patch for the AuthN function? The Node-Red module for SonOff devices depends on it.
What exactly do you want to achieve?
I want my node-red to control my SonOff switches. In order to keep using the ewelink-api from node-red, the ewelink-api authentication function needs to be refactored to support OAuth2 as @PhilETaylor explained.
I don't think such a thing exists yet.
It's not just Authentication that has changed, the API is a different API version completely. I don't think you are going to fix the "quick fix" you are looking for without you - or another developer - designing and integrating it.
There is a "start" of such a project at https://www.npmjs.com/package/ewelink-api-next but it's completely missing the OAuth stuff according to the TODO list and even I was unable to make it actually control my devices.
It conflicts with the eWeLink app.
> I don't think such a thing exists yet.
> It's not just Authentication that has changed, the API is a different API version completely. I don't think you are going to fix the "quick fix" you are looking for without you - or another developer - designing and integrating it.
> There is a "start" of such a project at https://www.npmjs.com/package/ewelink-api-next but it's completely missing the OAuth stuff according to the TODO list and even I was unable to make it actually control my devices.
https://github.com/coolkit-carl/ewelink-api-next/blob/main/docs/en/OAuth2.0.md
There is already a complete document.
https://github.com/coolkit-carl/eWeLinkOAuthLoginDemo Complete examples available
Do you know how to fix this in NodeRed? I tried changing the API key but it is not working.
It just happened again? Does anyone know what the new password will be, or if there is a complete end-to-end solution for having this automated via our own ewelink dev token?
I managed to patch this repo in my fork. It works on my Sonoff S31 plug, but I haven't tested on other devices. I only spent a few hours as I needed to get it to work asap. Therefore, I haven't patched every function, don't expect it to work well on other devices. The changes between v1 and v2 API are minimal.
I only patched these:
- login
- getDevice
- getDevices
- getDevicePowerState
- setDevicePowerState
- getDevicePowerUsage
If you look at the diff, it's not that much. I believe this project can be patched to migrate to v2 API entirely with minimal effort.
baugp@2f4d1b0
> In summary - the old way of doing things by providing your actual username (phone or email) and password and a random person's AppId and Secret is no longer the correct way to be connecting to eWeLink v1 interface and is deprecated, and end of life.
> It's time to move to v2 - which has a (custom) OAuth 2.0 login flow, which grants you an access token to use on subsequent requests.
> This is talked about here #219 by @coolkit-carl
> There is a working example for OAuth here https://github.com/coolkit-carl/eWeLinkOAuthLoginDemo - using that you can get a token, which you can then use as a HTTP Bearer token in subsequent HTTP requests as per the documentation here https://coolkit-technologies.github.io/eWeLink-API/#/en/PlatformOverview
> see my longer comment on this here #220 (comment)
> So in summary - it's time to give up trying to make this project work (as it uses the old v1 endpoints and an outdated method of connection with a password stored in plain text in your code) and move to the more common and more secure OAuth2.0 authorisation flow with the resultant token to use as a bearer token in future requests.
I believe the API v2 still has an option to log in using the old way (email/phone + password), as documented on their website here:
https://coolkit-technologies.github.io/eWeLink-API/#/en/APICenterV2?id=login
Are you saying that this login method will be discontinued in API v2 also?
The announcement from @coolkit-carl only talks about discontinuing the legacy (v1) API. Perhaps I missed something, but to me it looks like OAuth is an optional feature, not mandatory.
In fact, I looked at carl's login code. It has both OAuth version and the old method.
https://github.com/coolkit-carl/ewelink-api-next/blob/main/src/web/apis/user/login.ts
https://github.com/coolkit-carl/ewelink-api-next/blob/main/src/web/apis/oauth/createLoginUrl.ts
I managed to patch this repo in my fork by just switching to API v2, as linked in my post above.
Basic API working here: https://github.com/RealZimboGuy/ewelink-api-java