pytr icon indicating copy to clipboard operation
pytr copied to clipboard
verified publisher icon marzzzello

App Login Broken

Open ganzinotti opened this issue 2 months ago • 10 comments

Description of the bug Today I tried to fetch data from trade republic and it seems the app login is broken. The initiate_device_reset method is not working. From the error message it seems something is outdated on the client side.

What I tried already

  • I already tried to update all the python libraries (certifi, websockets, requests etc.).
  • I randomly tried different User-Agent headers. Nothing worked.
  • I tried to reverse engineer the User-Agent headers using by my phone through a http proxy, but it seems trade republic blocks the CA certificate.

To Reproduce Minimum code example:

import hashlib
from ecdsa import NIST256p, SigningKey
import requests

_default_headers = {"User-Agent": "TradeRepublic/Android 30/App Version 1.1.5534"}
_host = "https://api.traderepublic.com"

sk = SigningKey.generate(curve=NIST256p, hashfunc=hashlib.sha512)
r = requests.post(
    f"{_host}/api/v1/auth/account/reset/device",
    json={"phoneNumber": phone_number, "pin": pin},
    headers=_default_headers,
)
print(r.status_code)
print(r.json())

Expected behavior This code should trigger a token to be send.

Error log

status code: 426
{'errors': [{'errorCode': 'CLIENT_VERSION_OUTDATED', 'errorMessage': None, 'meta': None}]}

Environment

  • OS: windows
  • package manager: conda
  • python: 3.13.9
  • pytr version: 0.4.3

ganzinotti avatar Oct 24 '25 19:10 ganzinotti

Try with this useragent in api.py

_default_headers = {"User-Agent": "okhttp/4.12.0"}

dapuzz avatar Oct 25 '25 10:10 dapuzz

That change returns status code: 403, with reason forbidden.

ganzinotti avatar Oct 27 '25 20:10 ganzinotti

That's really just a shot in the dark. But the current App version is 4.2546.1. Not sure if it is the same sent in the header, since it looks very different from the previous one 1.1.5534. But you might try with:

_default_headers = {"User-Agent": "TradeRepublic/Android 30/App Version 4.2546.1"}

ExploracuriousAlex avatar Nov 14 '25 18:11 ExploracuriousAlex

That still results in an {'errors': [{'errorCode': 'CLIENT_VERSION_OUTDATED', 'errorMessage': None, 'meta': None}]}. sadly i did also not find a way to spoof the android app, to check what its sending in such a case. Tho its blocking any custom signed CAs (or i its above my knowledge how to fix that).

Might be an idea to drop the app login support if no one finds a solution. That should then also "fix" https://github.com/pytr-org/pytr/issues/249 as ecdsa is pulled for the device login if i see it correctly

Shawn8901 avatar Nov 15 '25 15:11 Shawn8901

@Shawn8901 Could you try TradeRepublic/5834 CFNetwork/3826.600.41 Darwin/24.6.0 as User-Agent?

ExploracuriousAlex avatar Nov 15 '25 19:11 ExploracuriousAlex

Still gives a CLIENT_VERSION_OUTDATED.

20:30:08 Logging in
Error logging in. Reset device? (y)
y
{'User-Agent': 'TradeRepublic/5834 CFNetwork/3826.600.41 Darwin/24.6.0'}
{"errors":[{"errorCode":"CLIENT_VERSION_OUTDATED","errorMessage":null,"meta":null}]}

Added the following output in the TradeRepublicAPI.initiate_device_reset

    def initiate_device_reset(self):
        self.sk = SigningKey.generate(curve=NIST256p, hashfunc=hashlib.sha512)

        r = requests.post(
            f"{self._host}/api/v1/auth/account/reset/device",
            json={"phoneNumber": self.phone_no, "pin": self.pin},
            headers=self._default_headers,
        )
        print(self._default_headers)
        print(r.text)

        self._process_id = r.json()["processId"]

Shawn8901 avatar Nov 15 '25 19:11 Shawn8901

There seems to be a V2. But this one gives a MISSING_REQUIRED_HEADER error. What is the benefit of using the app login?

ExploracuriousAlex avatar Nov 15 '25 22:11 ExploracuriousAlex

AFAIK it was the initial way of downloading documents when there was not (yet) the web-interface. Nowerdays the "benefit" is, that you dont need the token from the web login.

I was just looking at the code because i wanted to check my code changes for the ecdsa dependency that i had prepared and noticed that the app login is broken (like mentioned in the issue by the issue author).

So for me personally i did/do just use the web login.

Shawn8901 avatar Nov 15 '25 22:11 Shawn8901

@Shawn8901 Could you please try again? Maybe it was a temporary issue on TR side. User @richi1993 just reported, that app login still works.

ExploracuriousAlex avatar Dec 02 '25 16:12 ExploracuriousAlex

For me i can not confirm that its working. I am at 5d6a19f8adfb9d70f95aa30eb69cc350e8249373 (+ a flake config for development as i am running nixos) + a print(r.text) in pytr/api.py:136.

Running python3 pytr/main.py login -n +49<number> --applogin causes the following output.

20:38:13 Phone number provided as argument
20:38:13 Logging in
Error logging in. Reset device? (y)
y
{"errors":[{"errorCode":"CLIENT_VERSION_OUTDATED","errorMessage":null,"meta":null}]}
Traceback (most recent call last):
  File "/home/shawn/dev/pytr/pytr/account.py", line 91, in login
    tr.login()
  File "/home/shawn/dev/pytr/pytr/api.py", line 157, in login
    r = self._sign_request(
        ^^^^^^^^^^^^^^^^^^^
  File "/home/shawn/dev/pytr/pytr/api.py", line 174, in _sign_request
    signature = self.sk.sign(
                ^^^^^^^
  File "/home/shawn/dev/pytr/pytr/api.py", line 772, in __getattr__
    return object.__getattribute__(self, name)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'TradeRepublicApi' object has no attribute 'sk'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/shawn/dev/pytr/pytr/main.py", line 560, in <module>
    main()
  File "/home/shawn/dev/pytr/pytr/main.py", line 424, in main
    login(
  File "/home/shawn/dev/pytr/pytr/account.py", line 97, in login
    tr.initiate_device_reset()
  File "/home/shawn/dev/pytr/pytr/api.py", line 137, in initiate_device_reset
    self._process_id = r.json()["processId"]
                       ~~~~~~~~^^^^^^^^^^^^^
KeyError: 'processId'

So for me the issue is still reproducible.

I mean i personally don't need AppLogin, i normally use the Web Login method, so its not important for me.

But does App login still work for one of the contributor/maintainer?

Shawn8901 avatar Dec 02 '25 19:12 Shawn8901

I can confirm, that app login is broken for me, too. Also with the CLIENT_VERSION_OUTDATED error.

What I can tell ist, that the latest Android app uses e.g. this user-agent: TradeRepublic/Android 35/App Version 4.2549.0

Android 35 ist the Android API level (see below) and 4.2549.0 is the Trade Republic App version

Android 7.0 (API level 24)
Android 7.1 (API level 25)
Android 8.0 (API level 26)
Android 8.1 (API level 27)
Android 9 (API level 28)
Android 10 (API level 29)
Android 11 (API level 30)
Android 12 (API levels 31, 32)
Android 13 (API level 33)
Android 14 (API level 34)
Android 15 (API level 35)
Android 16 (API level 36)

The device reset is now initiated with https://api.traderepublic.com/api/v2/auth/account/reset/device (obey the v2) and the body not only contains phoneNumber and pin but also a deviceKey

ExploracuriousAlex avatar Dec 05 '25 18:12 ExploracuriousAlex