auth api failing with 1000-0999 error #44

Open
viliusdidit opened this issue Mar 18, 2024 · 24 comments

@viliusdidit

viliusdidit commented Mar 18, 2024

March 18 around 00 UTC authentication to aquarea-smart.panasonic.com started failing.
likely due to API change?

cjaliaga/home-assistant-aquarea#105

I believe our connection string looks like this? any request to this endpoint seems to result in the same error/403:

```shell
curl -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cache-Control: max-age=0" \
  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8" \
  -H "Accept-Encoding: deflate, br" -H "Upgrade-Insecure-Requests: 1" \
  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:74.0) Gecko/20100101 Firefox/74.0" \
  -X POST 'https://aquarea-smart.panasonic.com/remote/v1/api/auth/login?username=panasonic@xxxx&password=xxxxx'
```

{"errorCode":4194816,"message":[{"errorMessage":"Logged out due to system error. Please login again after a while.","errorCode":"1000-0999","additionalErrorCode":null}],"accessToken":{}}

FWIW - I was able to see web login process to https://authglb.digital.panasonic.com/usernamepassword/login, don't have a setup to sniff the mobile app atm:

<client_id>vf2i6hW5hA2BB2BQGfTHXM4YFyW4I06K</client_id>
<redirect_uri>https://aquarea-smart.panasonic.com/authorizationCallback?lang=en</redirect_uri>
<tenant>pdpauthglb-a1</tenant>
<response_type>code</response_type>
<scope>openid offline_access</scope>
<audience>https://digital.panasonic.com/vf2i6hW5hA2BB2BQGfTHXM4YFyW4I06K/api/v1/</audience>
<_csrf>9OCkcl4F-fgQCE4wTTDWTMQnIHnO-Ek1wBlk</_csrf>
<state>hKFo2SAweUM4X0tybnhUNmZtSUZVdTlfTFVkdjQwZ0Z4TWJHeKFupWxvZ2luo3RpZNkgOG9rMzZOVkNjemJkRlN2a0J1YkN3OHdyczZ3S2RJTmOjY2lk2SB2ZjJpNmhXNWhBMkJCMkJRR2ZUSFhNNFlGeVc0STA2Sxx</state>
<_intstate>deprecated</_intstate>
<username>Panasonic@xxx</username>
<password>xxxx</password>
<lang>en</lang>
<connection>PanasonicID-Authentication</connection>
@viliusdidit
Author

my attempts to generate/guess/reuse state param for authglb endpoint fail with this error:
{"statusCode":403,"description":"Invalid state","name":"AnomalyDetected","code":"access_denied"}

anyone out there more familiar with this oauth2 aspect?
or is it some kind of secret authglb is expecting to be encoded in the state? fwiw, there was no forced upgrade on mobile app side, Dec 2023 still works with this auth.

@snaow

snaow commented Mar 18, 2024

Same error happening here.
I saw that on Native Panasonic Cloud app there was a new "policy" notes to be accepted.

Thanks.

@viliusdidit
Author

the good news: this new authglb seems to allow multiple logins. at least when using google login which is an option now (apple id as well; need to register here - https://accountglb.digital.panasonic.com/social first)

@cjaliaga
Owner

Thanks @viliusdidit for all the investigation so far, let's see what we can do. The ideal (in a happy world) solution would be for us to not need to use the username and password and being able to auth as a service/application to Panasonic cloud, get a token, and use that token, with the possibility of getting a refresh_token as well. Unfortunately I don't see that happening.

@denisbobovnik

> Thanks @viliusdidit for all the investigation so far, let's see what we can do. The ideal (in a happy world) solution would be for us to not need to use the username and password and being able to auth as a service/application to Panasonic cloud, get a token, and use that token, with the possibility of getting a refresh_token as well. Unfortunately I don't see that happening.

hopefully you can make it happen for all of us somehow 🙌

@afharo

afharo commented Mar 20, 2024

In case it helps, I noticed this NPM library that takes a different approach: it "impersonates" the iOS app using a different set of APIs.

Just sharing due to the lack of public documentation from Panasonic around their APIs.

@bimusiek

Hey guys, I found your issue by searching if someone fixed the new login way to Panasonic Cloud. As nobody did, here is the working code:
Hernas/homebridge-panasonic-heat-pump@dd04fc2

I hope that helps! :)

@cjaliaga
Owner

Thanks a lot @bimusiek, I'll take a look ASAP.

@lcavalli

@cjaliaga, I have seen that the fix has been implemented in dedicated branch. I don't know if there are some technical issues to be solved, but if you are afraid of exposing the hard-coded client id, maybe it can be provided by the user during the integration config flow.

@bimusiek

The clientId was copied from JS code of OAuth provider at Panasonic so you could fetch it from there. AFAIK it is Panasonic client id from their oauth provider so it is not secret and should not change.

@cjaliaga
Owner

Thanks @lcavalli, as @bimusiek said this Client Id it's not a secret and shouldn't change. Thanks for stepping in 😊

I'm implementing it on this branch:

response: aiohttp.ClientResponse = await self.request(

To give an update, I'm currently stuck on the response 3 (call with the username and password to https://authglb.digital.panasonic.com/usernamepassword/login). I'll need to check if I'm not sending all the required cookies, the json sent with aiohttp is not properly encoded, something else.. or there's something wrong with my username because the response I get from the endpoint is a Bad Request - 400 invalid username

I'll check with @bimusiek project and my username/password to discard that.

@cjaliaga
Owner

Quick update, it was a silly mistake. Apologies on the slow pace as I'm doing my best mainly on the night on the few spare minutes I have this week, I'm exhausted at the end of the day and I end up making these mistakes haha.

My estimation is to have a working solution tomorrow for everyone to test it.

@randriese

> Quick update, it was a silly mistake. Apologies on the slow pace as I'm doing my best mainly on the night on the few spare minutes I have this week, I'm exhausted at the end of the day and I end up making these mistakes haha.
>
> My estimation is to have a working solution tomorrow for everyone to test it.

Don't worry, we appreciate your efforts!

@snaow

snaow commented Mar 29, 2024

Thanks @cjaliaga !!

@cjaliaga
Owner

I have a working version, and I'm sure it will require some refactor but I think the best way is for us to test it and find the edge cases (and maybe not that edge haha) while using it so I'll release a new version with the changes.

@jp-embedded

I am getting this:

```
'<' not supported between instances of 'datetime.datetime' and 'NoneType'
Cannot connect to host authglb.digital.panasonic.comhttps:443 ssl:default [Name or service not known]
Cannot connect to host authglb.digital.panasonic.comhttps:443 ssl:default [Name or service not known]
Cannot connect to host authglb.digital.panasonic.comhttps:443 ssl:default [Name or service not known]
Cannot connect to host authglb.digital.panasonic.comhttps:443 ssl:default [Name or service not known]
Cannot connect to host authglb.digital.panasonic.comhttps:443 ssl:default [Name or service not known]
Cannot connect to host authglb.digital.panasonic.comhttps:443 ssl:default [Name or service not known]
```

@cjaliaga
Owner

@jp-embedded the first error should have been fixed in 0.7.1

The other ones authglb.digital.panasonic.comhttps:443 ssl:default [Name or service not known] Cannot connect to host I think are a result of some request failing breaking the auth flow, and hence the location header resolves to a full URL instead of a path, like here:

```python
response: aiohttp.ClientResponse = await self.request(
    "GET",
    external_url="https://authglb.digital.panasonic.com/authorize",
    referer=self._base_url,
    params=query_params,
    allow_redirects=False)
location = response.headers.get("Location")
parsed_url = urllib.parse.urlparse(location)
# Extract the value of the 'state' query parameter
query_params2 = urllib.parse.parse_qs(parsed_url.query)
state_value = query_params2.get('state', [None])[0]
response: aiohttp.ClientResponse = await self.request(
    "GET",
    external_url=f"https://authglb.digital.panasonic.com{location}",
    referer=self._base_url,
    allow_redirects=False)
```

I'll add verifications in between requests and more logging soon.
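
An added example, not code from this thread or from the project: one way to check a redirect between requests so that a `Location` header holding a full URL is neither concatenated into a host like `authglb.digital.panasonic.comhttps` nor followed to a different host. The names `resolve_redirect`, `naive_next_url` and `AuthFlowError` and the sample `Location` values are assumptions made for illustration.

```python
import urllib.parse

AUTH_BASE = "https://authglb.digital.panasonic.com"  # auth host named in the thread
REDIRECT_CODES = (301, 302, 303, 307, 308)


class AuthFlowError(Exception):
    """A step of the login flow returned something the next step cannot use."""


def naive_next_url(location):
    # The pattern from the snippet above: correct only when Location is a path.
    return f"{AUTH_BASE}{location}"


def resolve_redirect(status, location, base=AUTH_BASE, require_state=True):
    """Return (absolute_url, state) for a redirect, or raise AuthFlowError."""
    if status not in REDIRECT_CODES:
        raise AuthFlowError(f"expected a redirect, got HTTP {status}")
    if not location:
        raise AuthFlowError("redirect without a Location header")
    # urljoin accepts a bare path as well as an absolute URL.
    url = urllib.parse.urljoin(base + "/", location)
    parsed = urllib.parse.urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != urllib.parse.urlparse(base).hostname:
        # Stop here instead of sending cookies or credentials to another host.
        raise AuthFlowError(f"redirect leaves the auth host: {parsed.netloc}")
    state = urllib.parse.parse_qs(parsed.query).get("state", [None])[0]
    if require_state and state is None:
        raise AuthFlowError("redirect carries no 'state' parameter")
    return url, state


# Constructed Location values (hypothetical, not captured traffic).
RELATIVE = "/login?state=abc123"
ABSOLUTE = "https://authglb.digital.panasonic.com/login?state=abc123"
OFF_HOST = "https://aquarea-smart.panasonic.com/authorizationCallback?lang=en"

if __name__ == "__main__":
    print(urllib.parse.urlparse(naive_next_url(ABSOLUTE)).hostname)
    for loc in (RELATIVE, ABSOLUTE, OFF_HOST):
        try:
            print(resolve_redirect(302, loc))
        except AuthFlowError as exc:
            print("rejected:", exc)
```

Raising at the first unexpected response keeps the failure at the step that caused it, rather than surfacing later as a DNS error.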

@jp-embedded

0.7.1 works for me. Thank you so much <3

@vukisz

vukisz commented Mar 31, 2024

Thanks. Fix was faster than heishamon delivery.
Just one issue for me:
After around 24 hours of updating all entities turned unavailable. Reloading integration fixed it

@CofkoCof

Same issue happened to me as it did for @vukisz. Entities were unavailable until I reloaded the integration. Now is working fine.

@snaow

snaow commented Mar 31, 2024

Working! Thanks!

@cjaliaga
Owner

I have a theory about why it didn't try to refresh the data, I think it is due to token expiration and some assumption I took for granted. I'll try to release a hotfix later today.

@cjaliaga
Owner

cjaliaga commented Apr 1, 2024

Just merged #47 that should fix the refresh issue. Publishing 0.7.2 with the fix.

@steinbuyle

0.7.1 works fine for me.
Thanks for the work you've put into!
