Tinder
SMS Auth
Whenever I send a request to /v2/auth/sms/send?auth_type=sms,
I get the following response:
{ "meta": { "status": 200 }, "data": { "otp_length": 6, "sms_sent": false } }
I tried different phone numbers as payload.
The payload looks like this:
{ "phone_number": "491574444444" }
SMS auth on v2 endpoints will no longer work (in most cases).
Tinder bases its authentication on the v3 endpoint now, which is based on Google protocol buffers.
@mati0090 I tried the new v3 endpoint, converted the binary to hex. But it sends different payloads. Don't know how to handle this. Do you have any idea?
I've opened a pull request with a script that can log in with the v3 SMS auth endpoint. I've also included the protobuf schema for their v3 auth gateway. Just install the additional dependency (the "betterproto" package) and you're good to go.
@jimtje great, solid work. Thank you. Can you please share how you found out the protobuf schemas?
Decompiled and disassembled their Android app, used pbtk extractors to convert the bytecode to .proto, and used Google's protoc and the betterproto library to make it into Python-compliant dataclasses. There are also some other protobuf endpoints in there as well.
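For readers stuck at the "converted the binary to hex" stage, here is a schema-less protobuf wire-format decoder, in the spirit of `protoc --decode_raw`. It is an added example, not part of the thread or of @jimtje's pull request; the sample bytes are constructed for illustration and do not reflect Tinder's actual message layout.

```python
def take(buf, pos, size):
    """Slice size bytes at pos, refusing to read past the end."""
    if pos + size > len(buf):
        raise ValueError("field runs past end of buffer")
    return buf[pos:pos + size], pos + size

def read_varint(buf, pos):
    """Decode a base-128 varint at pos; return (value, next_pos)."""
    value = 0
    for shift in range(0, 70, 7):            # a varint is at most 10 bytes
        byte, pos = take(buf, pos, 1)
        value |= (byte[0] & 0x7F) << shift
        if byte[0] < 0x80:                   # high bit clear: last byte
            return value, pos
    raise ValueError("overlong varint")

def decode_raw(buf, depth=0):
    """Return [(field_number, wire_type, value), ...] without a schema."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = read_varint(buf, pos)
        number, wire_type = key >> 3, key & 7
        if wire_type == 0:                   # varint
            value, pos = read_varint(buf, pos)
        elif wire_type in (1, 5):            # fixed64 / fixed32
            raw, pos = take(buf, pos, 8 if wire_type == 1 else 4)
            value = int.from_bytes(raw, "little")
        elif wire_type == 2:                 # length-delimited
            length, pos = read_varint(buf, pos)
            raw, pos = take(buf, pos, length)
            value = guess(raw, depth)
        else:                                # groups (3, 4) are deprecated
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((number, wire_type, value))
    return fields

def guess(raw, depth):
    """Heuristic: nested message first, then UTF-8 text, else raw bytes."""
    try:
        if raw and depth < 8:                # cap recursion on hostile input
            return decode_raw(raw, depth + 1)
    except ValueError:
        pass
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw

# Constructed sample bytes (not Tinder's schema): nested message + varint 300.
SAMPLE = bytes.fromhex("0a0e0a0c343931353734343434343434" "10ac02")
```

Without the `.proto` file only field numbers and wire types are recoverable; field names, and whether a length-delimited field is a string, bytes or a sub-message, remain guesses until a schema is available.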
@jimtje's TinderSMSAuth class worked beautifully and I was able to get an auth token - awesome work! How long is the token good for? Also, I see a refresh token is given - do we have an endpoint/class/method for a token refresh?
Could someone help me translate @jimtje's betterproto package into PHP? I am paying for it!
Token has a ttl of 270000000, so that's either 3125 days or 3 days and a few hours. I don't think it's the shorter one because every time I re-auth I seem to get the same auth token. Either way, I'm not 100% sure how the refresh token is used on its own, since sending it in the AuthGatewayRequest(RefreshAuth(refresh_token=)) payload returns an internal error and I don't see the app using the refresh token at all when making requests in the wild, so I will probably hold tight and see if it's something that hasn't been rolled out yet or something.
Interesting - I've also never seen a refresh go through using the web-app, but I've also probably never had it open more than a few hours - so that makes sense.
Good stuff!
Did some fiddling with their auth api and it turns out that you can initiate a refresh with the refresh token (although sometimes it'll return "INVALID_REFRESH_TOKEN" and I can't quite figure out why, but you can just restart the auth process). Instead of sms auth, at least for my throwaway test account it goes to email verification instead. I've pushed an update.