WoBike icon indicating copy to clipboard operation
WoBike copied to clipboard

Published 20 hours ago • verified publisher icon ubahnverleih

VOI - request not working anymore, 404 error

Open lucmartinon opened this issue 5 years ago • 11 comments

Hello there.

It seems the VOI api changed recently, if I try the example

https://api.voiapp.io/v1/vehicle/status/ready?lat=59.329323&lng=18.068581.

I get a 404 error, same for all the cities I try.

Do you know what is the new endpoint ? thanks

lucmartinon avatar Dec 17 '19 15:12 lucmartinon

Hello, they just shut down their old API. Partners must use the MDS feed. Contact support to get your access key.

PierrickP avatar Dec 18 '19 08:12 PierrickP

for the record: i made the last successful request to /v1/vehicle/status/ at 1576500901 (2019-12-16 12:55:01), then it returned empty files, until 1576532701 (2019-12-16 21:45:01) , and since then it returns 404.

r00t- avatar Dec 19 '19 00:12 r00t-

the app uses a different API, probably for some time already, it requires an access token, which expires very quickly, and appears to be linked to my phone number... :(

but with that: /v1/zones?lat=<lat>&lng=<lng> => {"zones":[{"zone_id":"<id>","name":...
/v1/vehicles/zone/<id>/ready => same data as from vehicle/status, it seems. (this also solves #122)

r00t- avatar Dec 19 '19 00:12 r00t-

@r00t- thanks a lot! Do you happen to have the details of the request to get the token? I also saw the zone api being discussed on issue #92 but there is no description of the first request to get the token...

lucmartinon avatar Dec 20 '19 17:12 lucmartinon

@hawisizu: i have not tried accessing those apis myself, but here's what i see in my logs: POST /v1/auth/verify/phone {"country_code":"DE","phone_number":"<number with NO prefix or leading zero>"} yields: {"token":"<UUID>"} you receive a text message POST /v1/auth/verify/code {"code":"<code from text message>","token":"<your token>"} simply returns 204 next the app does: POST /v1/auth/verify/presence {"email":"<email address>","token":"your token"} yields 204 if the email is invalid? otherwise yields {"authToken":"<very long token"} (if the email was invalid, the app seems to do: POST /v1/auth/verify/email {"token":"<your token>"} and receives another 204) (the api returns data about scooters without actually requiring a value from an email.) then: POST /v1/auth/session {"authenticationToken":"<authToken value>... yields an "access-token", which you then pass to the api requests for zones and vehicle in an x-access-token: header. i guess that access-token will expire after 10-30 minutes, and then the app requests a new one from auth/session using the authenticationToken.

r00t- avatar Dec 22 '19 03:12 r00t-

@r00t- thanks a lot! will try it in the coming days and report back

lucmartinon avatar Dec 22 '19 16:12 lucmartinon

@r00t- thanks! Though, if I follow your instructions I can't receive anything else than 204 from the /presence request. If I continue by requesting the email route, I receive an email, but after that I still receive 204 from presence.

thomaswienecke avatar Dec 22 '19 20:12 thomaswienecke

@thomasdissert what was the result of the verify/code request ? did you use an existing email? I used a spam email I have on protonmail and it worked at first try.

@r00t- : again, thanks a lot! I made a Pull Request to update the voi description. Out of curiosity, what tool did you use to get the logs of the requests? If I try to debug with charles, since this is https, I don't see the details of the path requested, much less the body of what is sent / received. Thanks!

lucmartinon avatar Dec 22 '19 21:12 lucmartinon

@hawisizu: great!

you install a custom certificate-authority on your client, and then have a proxy that generates certificates on the fly using that ca's private key, so it can impersonate the server and decrypt the data. there's a few proxies that can do this, i use mitmproxy.

voi is an easy target, it respects the system proxy settings and does not use certificate pinning (hardcoded server-cert hash).

r00t- avatar Dec 22 '19 21:12 r00t-

@hawisizu verify/code just gave me a 204. I used an existing email. As I said, even after receiving the email and clicking on the link, nothing changes for the further requests.

thomaswienecke avatar Dec 23 '19 20:12 thomaswienecke

New API endpoint for tracking scooters at api.voiapp.io/v1/vehicles/track, but requires a token which is extremely short-lived.

Example data for for track, request type is POST, and this is the body:

{
    "hdop": 24,
    "lat": <coords>,
    "lng": <coords>,
    "vehicles": []
}

Headers include information about the device itself like model, brand, manufacturer and app version, including the token at x-access-token.

It seems that the app sends quite a lot of analytics to sdk.fra-01.braze.eu, it contains:

  • app_version
  • user attributes, which include email, and user_id.
  • api_key (ofc)
  • events, time of event, information about fragments.

Example data sent to that braze.eu domain:

{
    "api_key": "<uuid-string>",
    "app_version": "2.24.2",
    "attributes": [
        {
            "email": "sm+voi2@<domain-censored>",
            "user_id": "<uuid-string>"
        }
    ],
    "device_id": "<uuid-string>",
    "events": [
        {
            "data": {
                "n": "Nav_profile"
            },
            "name": "ce",
            "session_id": "<uuid-string>",
            "time": 1577990779.4,
            "user_id": "<uuid-string>"
        },
        {
            "data": {
                "n": "Nav_history"
            },
            "name": "ce",
            "session_id": "<uuid-string>",
            "time": 1577990802.934,
            "user_id": "<uuid-string>"
        }
    ],
    "sdk_version": "3.1.0",
    "time": 1577990802
}

samip5 avatar Jan 02 '20 18:01 samip5