Login 401 from Postman client #7
Comments
Most likely your X-Request-Sign5 header value is invalid. The header value is an HMAC-SHA1 hash of the request info, which contains a time stamp. If the time stamp is very old, like from when this library was written, then the server will most likely say you are unauthorised. You need to generate your own X-Request-Info5 header value and then your own X-Request-Sign5 header value to get the correct response.
Hey, thanks for your answer! So I just need to generate an HMAC-SHA1 hash of a current timestamp? "You need to generate your own X-Request-Info5 header value": what does it correspond to? Thanks!
Base64 decode your current X-Request-Info5 header value, replace the time stamp with a current one and then encode it with base64 again. Generate an HMAC-SHA1 hash of that new value and that is the new X-Request-Sign5.
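Added example, not part of the thread or of this project's code: a sketch of how a server could verify a timestamped, HMAC-SHA1-signed header pair like the one described above, showing why a correctly signed but old timestamp is still refused. The key, the JSON layout with a `timestamp` field, the five-minute window and the status codes are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumptions, none taken from the thread: the key is a placeholder, the decoded
# info is JSON with a millisecond "timestamp" field, skew limit is five minutes,
# and the status codes are illustrative.
SIGNING_KEY = b"PLACEHOLDER-KEY"
MAX_SKEW_MS = 5 * 60 * 1000


def sign(info_b64, key=SIGNING_KEY):
    """Hex HMAC-SHA1 over the base64 text of the info header."""
    return hmac.new(key, info_b64.encode("utf-8"), hashlib.sha1).hexdigest()


def verify(info_b64, sign_hex, now_ms, key=SIGNING_KEY):
    """Return (status, reason) for one info/sign header pair."""
    expected = sign(info_b64, key).encode("ascii")
    # Constant-time comparison; authenticate before parsing anything.
    if not hmac.compare_digest(expected, sign_hex.lower().encode("utf-8")):
        return 401, "bad signature"
    try:
        info = json.loads(base64.b64decode(info_b64, validate=True))
        ts = int(info["timestamp"])
    except (ValueError, KeyError, TypeError):
        return 400, "malformed info"
    # A correct signature over an old timestamp is still refused, which
    # bounds how long a captured header pair can be replayed.
    if abs(now_ms - ts) > MAX_SKEW_MS:
        return 401, "stale timestamp"
    return 200, "ok"


def make_info(ts_ms):
    """Constructed sample info value (field names are hypothetical)."""
    body = json.dumps({"os": "example", "timestamp": str(ts_ms)})
    return base64.b64encode(body.encode("utf-8")).decode("ascii")


def demo(now_ms=1_700_000_000_000):
    fresh = make_info(now_ms - 1_000)
    old = make_info(now_ms - 86_400_000)
    return [
        verify(fresh, sign(fresh), now_ms),  # current, correctly signed
        verify(old, sign(old), now_ms),      # signed, but a day old
        verify(fresh, sign(old), now_ms),    # signature not recomputed
    ]
```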
Okay thank you, last question, do you know by any chance the key to use for the HMAC-SHA1 hash?
It depends on whether or not you want to emulate the Android app or the iOS app.
Since in the header I am giving the information that I am using an iOS device, let's use the full iOS logic?
Here's a helpful article I wrote for everyone: https://medium.com/@charliethinks/reverse-engineering-musical-y-live-ly-android-apps-part-1-a910daad2ec2
Hey, nice link, really interesting! I was just wondering if you could explain to me the "M-TOKEN hash=" logic please? But thanks!
The "M-TOKEN hash=" is given to you as a header after login I believe, or at least a very specific endpoint.
Hey, yeah it comes from the login response, thanks. Max
Success (y) Thanks for your help
@charlieAndroidDev Could you make your prescribed changes and send a pull request? Thanks
If I were you, I would wait just a bit, I am currently writing an updated version. Once I am done, I will send it to @charlieAndroidDev. After that, he will maybe be able to make the code more understandable. Best,
Yeah I’m happy to do that. There are gonna be pretty huge changes though...
@charlieAndroidDev has it changed that much?
@mangledbottles Not that much, but it changed
@charlieAndroidDev Thank you 👏👏
Stuck on this also... base64_decode for X-Request-Info5 (note that deviceid is the same as "Slider-Show-Session" :??):
I replace that timestamp with current time()."000" one:
I base64_encode it:
I create the HMAC-SHA1 of the above base64 string at https://www.freeformatter.com/hmac-generator.html with the key "016bb7aee66891f9b6ce10f03874eb3889f24546aa&i0cd770c6af4d34659ba7211079066de8bb3": 3cee6e8c032b8aebad9e1e162384776a8c68ce60, appended the 01a6 (also tried with 01i6) to it to use as X-Request-Sign5, but it gives me a 400 error.
@farrusete The iOS app may well use a different secret key to the one used in the Android app. I have not reverse engineered the iOS app whatsoever and as such cannot comment on whether replicating an iOS request in such a way would work at all.
Hey,
I was trying to connect to musical.ly from a Postman client, so I tried to understand the PHP code of src/musically.php; however, I am getting a 401 and I am not sure why.
Here is my request:
[POST] https://api.musical.ly/rest/passport/v2/login?supportLoginVerify=true
Headers (22):
x-www-form-encoded:
And I am getting:
Do you have any idea why? The 3 variables USERNAME, USER_EMAIL, and USER_PASSWORD are replaced by the correct values of course.
Thanks for any update!