airbnbapi

error code 420

Open larzknoke opened this issue 7 years ago • 89 comments

I try to get a token with: let token = airbnb.newAccessToken({username:'user', password:'password'})

and I get this error msg:


{ error_code: 420,
  error: 'unknown_error',
  error_message: 'Unable to perform action. Please try again through the website or contact support if you need immediate assistance.',
  client_error_info:
   { airlock:
      { action_name: 'account_login',
        completion_redirect_url: '',
        error_redirect_url: '',
        escapable: true,
        fallback_friction: 'contact_us_form',
        first_name: 'xxxxx',
        flow: 'captcha_flow',
        friction_data: [Object],
        header_text: 'Please verify yourself',
        id: 12345678,
        identifier: null,
        keep_webview_open_on_redirect: false,
        redux: true,
        status: 0,
        should_replay_request: true,
        user_id: 876654321,
        user_message: null },
     metadata: {} } }

larzknoke avatar Jun 07 '18 17:06 larzknoke

So, a 420 error is when Airbnb's verification system, named airlock, blocks you from getting a token for an account. You may have worked this out already. It doesn't happen all the time, but when it does, it's proven a difficult problem to get around.

Unfortunately, I have not been able to discover the correct endpoints and procedure for the verification check. I've tried a lot of different things but I haven't been able to crack the problem yet.

I will leave this issue open and assign a task to try and fix it, as I'm aware this is a large issue for the project.

I'm sorry I couldn't offer more help at this stage.

zxol avatar Jun 07 '18 23:06 zxol

How long are the tokens valid for? Can we save them and reuse them, or do they expire pretty quickly?

axos88 avatar Jul 18 '18 08:07 axos88

I've had tokens last more than 6 months. Generally, if you're not using the airbnb app simultaneously, you can save and reuse a token for a long time.

zxol avatar Jul 18 '18 08:07 zxol

Oh nice. I'll do that then. Does it continue to work if you change IPs? Any way to "just" check the validity of the token, I should "just" make any query, and take a look at the error.

axos88 avatar Jul 18 '18 08:07 axos88

Yep, have a look at the testAuth() function.

At the moment the library is set up to fail silently (returning null) for most errors. You can enable error logging by setting an environment variable LOGLEVEL=error

zxol avatar Jul 18 '18 08:07 zxol

It's a very high quality project, thank you for putting it together.

I initially had trouble getting a key, but did a few things to fix:

  1. Set correct 'User Agent' - this can be done with function provided with the package now that it has been updated, this is a crucial step
  2. Set correct currency - done same way as user agent
  3. Make sure it's a clean and preferably local IP - you can use a VPN or proxy with the set proxy function in the package (although I haven't tried this function yet) - Airbnb cares about IPs a lot, and you should use 1 IP per account for best results, given my experience with Airbnb in general

If you get airlocked (420 error) just change your IP

Also handy to know: using the dev console you can inspect the requests to the Airbnb platform to get more info about what might be getting sent and received on your machine specifically. Search homes, move the map around, and keep "search as I move map" checked.

Open up dev tools, view network requests and inspect the json requests, these are the api calls and can give you some more information.

jakeadelman avatar Jul 19 '18 02:07 jakeadelman

Hi Jake, thanks for the input!

In my tests, changing the user agent and IP do not always result in the airlock issue being resolved. It can sometimes help, but it will not always work.

Regarding your tip about the endpoints - It should be stated that this library interacts with the mobile app API, which is actually a separate system to the website's API. The website's API is not able to be used without the correct session data.

zxol avatar Jul 19 '18 03:07 zxol

right ok, that's good to know thanks!

I'm a pretty big newb so maybe not the best help. I use a vm and a vpn for access, so that could also be the reason for my success in getting a key after airlock

jakeadelman avatar Jul 19 '18 03:07 jakeadelman

I just completed an airlock verification via the web interface and sniffed the traffic, maybe this will help implement the verification?

curl 'https://www.airbnb.hu/api/v2/airlocks/AIRLOCK_ID?key=AUTHKEY&_format=v1' -X PUT -H 'Accept: application/json' -H 'Referer: https://www.airbnb.hu/airlock?al_id=AIRLOCK_ID' -H 'Origin: https://www.airbnb.hu' -H 'X-CSRF-Token: V4$.airbnb.hu$ht-xJp_5PrA$pCBMg_qXfZvN1ZXPAw7YlsjGVhszbh3QsmLApO59GPM=' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36' -H 'Content-Type: application/json' --data-binary '{"friction":"phone_verification_via_text","friction_data":{"optionSelection":{"phone_number_id":7531677}},"attempt":true,"enable_throw_errors":true}' --compressed

{"airlock":{"action_name":"account_login","completion_redirect_url":"https://www.airbnb.hu/airlock?al_id=AIRLOCK_ID","error_redirect_url":"","escapable":false,"fallback_friction":"contact_us_form","first_name":"Akos","flow":"account_ownership_verification_for_login","friction_data":[{"name":"phone_verification_via_text","data":{"phone_numbers":[{"id":7531677,"last_four_digits":"YYYY","obfuscated":"+XX (•••) •••-YYYY","verification_method":1,"verified_at":"2014-06-14 08:26:31 UTC"}],"verification_code_num_digits":4},"status":1,"style":"modal","version":"1.0"},{"name":"phone_verification_via_call","data":{"phone_numbers":[{"id":7531677,"last_four_digits":"YYYY","obfuscated":"+XX (•••) •••-YYYY","verification_method":1,"verified_at":"2014-06-14 08:26:31 UTC"}],"verification_code_num_digits":4},"status":0,"style":"modal","version":"1.0"},{"name":"email_code_verification","data":{"delivery_methods":[{"id":4,"text":"Igazolás e-mailben"}],"obfuscated_email_address":"ax•••••@gm•••••.com","verification_code_num_digits":4},"status":0,"style":"full_page_redirect","version":"1.0"},{"name":"contact_us_form","data":{"min_length":25,"max_length":2000},"status":0,"style":"full_page_redirect","version":"1.0"},{"name":"facebook_verification","data":{},"status":0,"style":"full_page_redirect","version":"1.0"}],"header_text":"Igazold magad","id":AIRLOCK_ID,"identifier":"1532332066_Nr97FAEY5rKTLsiw","keep_webview_open_on_redirect":false,"redux":true,"status":1,"should_replay_request":false,"user_id":13381212,"user_message":null},"metadata":{}}



curl 'https://www.airbnb.hu/api/v2/airlocks/AIRLOCK_ID?key=AUTH_KEY&_format=v1' -X PUT -H 'origin: https://www.airbnb.hu' -H 'accept-encoding: gzip, deflate, br' -H 'x-csrf-token: V4$.airbnb.hu$ht-xJp_5PrA$pCBMg_qXfZvN1ZXPAw7YlsjGVhszbh3QsmLApO59GPM=' -H 'accept-language: en-US,en;q=0.9,hu;q=0.8,ro;q=0.7' -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36' -H 'content-type: application/json' -H 'accept: application/json' -H 'referer: https://www.airbnb.hu/airlock?al_id=AIRLOCK_ID' -H 'authority: www.airbnb.hu' -H 'cookie: bev=1532332066_Nr97FAEY5rKTLsiw; __svt=-1; cache_state=0; 3b689aa21=treatment; jitney_client_session_id=dba5d68d-c744-4492-99d2-64673c758572; jitney_client_session_created_at=1532332067; sdid=; ftv=1532332062729; AMP_TOKEN=%24NOT_FOUND; _ga=GA1.2.331815889.1532332063; _gid=GA1.2.4328824.1532332063; __ssid=ce94a024-27f0-4945-9b85-a71e221cdd3c; _csrf_token=V4%24.airbnb.hu%24ht-xJp_5PrA%24pCBMg_qXfZvN1ZXPAw7YlsjGVhszbh3QsmLApO59GPM%3D; li=1; _pt=1--WyI0OTVmZTE0ZjE5ZGEyZmVlOTAyNTkwYmJmNDY3YWQ0Zjg5OWZhN2E2Il0%3D--e9338f644118c4016cb5adab998196e36796a54d; _aat=0%7C98AfOV4q0y2ajs7d45JqJKSeC9WqHw7yzoCMOp1f8q6nFv5mKnGNLLJ8lI2nvoGk; abb_fa2=%7B%22user_id%22%3A%2217%7C1%7CzSVpC3gromMi3i2QnC%2B0GmZXwMTnvPbNbcLMZmdUhI6GJeuZ7%2BQfBQ%3D%3D%22%7D; alfc=0; alfces=0; jlp3=true; rclu=%7B%2213381212%22%3D%3E%22L%2FofHdWm9gxCkvVtmbNH2ccMErFwrko9%2B9qOlQPEIGE%3D%22%7D; rclmd=%7B%2213381212%22%3D%3E%22email%22%7D; 
_user_attributes=%7B%22curr%22%3A%22HUF%22%2C%22guest_exchange%22%3A277.54368999999997%2C%22device_profiling_session_id%22%3A%221532332067--e2b65b68ec1ad3fe7117bf5d%22%2C%22giftcard_profiling_session_id%22%3A%221532332067--1dc354f3cc1068197d8013ed%22%2C%22reservation_profiling_session_id%22%3A%221532332067--df1900f69be8434111a3b193%22%2C%22id%22%3A13381212%2C%22hash_user_id%22%3A%22495fe14f19da2fee902590bbf467ad4f899fa7a6%22%2C%22eid%22%3A%229Kh9ZvlbjYv67gdcgSqUjA%3D%3D%22%2C%22num_msg%22%3A0%2C%22num_notif%22%3A2%2C%22num_alert%22%3A3%2C%22num_h%22%3A4%2C%22num_pending_requests%22%3A0%2C%22num_trip_notif%22%3A0%2C%22name%22%3A%22Akos%22%2C%22num_action%22%3A0%2C%22is_admin%22%3Afalse%2C%22can_access_photography%22%3Afalse%2C%22referrals_info%22%3A%7B%22terms_and_conditions_link%22%3A%22%2Fhelp%2Farticle%2F2269%22%2C%22referrer_guest%22%3A%22Ft5+200%22%7D%7D; flags=806494496; roles=0; _airbed_session_id=cabd642dee291fd35abf9d145e8f7aa4; hli=1; har=1; cbkp=3; _gat=1; _uetsid=_uet881953dd; jitney_client_session_updated_at=1532332540' --data-binary '{"friction":"phone_verification_via_text","friction_data":{"optionSelection":{"phone_number_id":7531677},"response":{"code":"5683"}},"enable_throw_errors":true}' --compressed


302 location: https://www.airbnb.hu/dashboard

axos88 avatar Jul 23 '18 08:07 axos88

@zxol found this: http://apidirectory.org/airbnbapi/index.php/Unofficial_Airbnb_API

axos88 avatar Jul 26 '18 13:07 axos88

I have been sending people to https://www.airbnb.com/airlock?al_id=AIRLOCK_ID -- that seems to work most of the time and once they go there in the browser and authorize, the token will work after that. But sometimes it just continues to get a 420.

I noticed this: https://github.com/dennisvdvliet/airbnb_api mentions "registering your application with Airbnb" and then using OAuth. Obviously that would be by far more ideal than storing raw usernames/passwords, but I don't see any way to actually do that registration step.

Any other progress?

programcsharp avatar Aug 03 '18 15:08 programcsharp

Hi Chris, thanks for getting in touch and the good info!

Ideally, what we are looking for is the exact transaction that happens when a user using the airbnb mobile app tries to login (for the first time and does not have a token) and is met with a recaptcha check. It seems to be a combination of the mobile api and a webpage delivered through a webview on the app. The piece I'm missing is how these two systems interoperate.

I can visit the https://www.airbnb.com/airlock?al_id=AIRLOCK_ID and complete the recaptcha. I can also complete the recaptcha "manually", i.e. without airbnb.com and just use recaptcha's api. But after that, I can't use the validation of the recaptcha to obtain a new token. If I try logging in again, it will just generate a new airlock. There's a missing endpoint I need where I give airbnb the completed recaptcha data and it returns a token. It could be that the token is delivered through a push notification to the device. I'm not sure.

There seem to be a few different types of airlock. There is the "we don't recognize this device, please verify via email or SMS". This type of airlock seems to just pause your token, not invalidate it, until you unlock via the website. I can probably fix this issue using the endpoints in the API guide posted by Akos.

But the airlock that really matters is the recaptcha check. This is a killer because it doesn't provide you with a token. Which means if you have a new host with this lock type, you're screwed. At the moment the only way seems to be a VPN but it's not reliable. I'd much prefer to be able to complete the recaptcha.

Regarding https://github.com/dennisvdvliet/airbnb_api, it looks like that library is for the "official api", which is airbnb's closed API designed for large PMS and channel managers (a different beast entirely). You have to apply for an account here, and I'm not sure they're accepting many partners at the moment: https://www.airbnb.com/partner

zxol avatar Aug 04 '18 01:08 zxol

Yep, I'm working on my code to see if I can re-solve the issue. It had been working up until last month... the initial 420 error would provide an access_token and _airbed_session_id. Then by visiting the https://www.airbnb.com/airlock?al_id=AIRLOCK_ID and solving the recaptcha it would enable the token.

But now it seems like the 420 isn't returning an access_token at all, just the Airlock ID. So there's no way to get the token that would work. Still looking into other alternatives that would work.

Apparently this guy has solved it: https://github.com/wootwoot1234/Superhost-Tools -- but he's not releasing updated code with the fix.

Yes, the partner API is a bit saddening -- it seems like the OAuth would work with the main API but they're locking it down to only big companies vs. their techie roots giving API access to everybody. They'd rather have a bunch of databases with raw usernames/passwords instead of opening up the API :-/

programcsharp avatar Aug 04 '18 02:08 programcsharp

When you say you were getting an access_token, was that in the body of the response?

zxol avatar Aug 04 '18 02:08 zxol

Yep, I'd POST email and password to /v2/logins and get a 420 error back with access_token in the body as well as an airlock id. Then after solving the airlock on the web, the access_token from the earlier go would work.

Now I'm not getting the access_token back on most logins (although a couple still do give it).

programcsharp avatar Aug 04 '18 03:08 programcsharp

That's good info to know, thank you. If you're able to, please share any progress you make on this issue! A rising tide lifts all (the small) boats. ^^

zxol avatar Aug 04 '18 08:08 zxol

Yep, will share for sure. I've spent so much time trying to get access here and figure out all of the APIs. I finally was able to get a method to stitch together all of the financials (charges, payments, payouts) for reservations... takes about 4 calls per rez to get all the details, LOL!

Does it seem to make a difference between using /v1/authorize and /v2/logins?

programcsharp avatar Aug 04 '18 13:08 programcsharp

https://github.com/wootwoot1234/Superhost-Tools/blob/master/routes.js

Check from line 647

davidboom95 avatar Aug 07 '18 20:08 davidboom95

Hey there. First of all cheers Andy for the work so far on getting this repo to where it is to date. Very helpful.

Wondering if I can get any help from anyone with this airlock stuff. I'm having major issues getting past it. I've attempted to route my requests through proxies but have somehow reached some inflection point where I'm barred from most requests now. I've tried visiting https://www.airbnb.com/airlock?al_id=AIRLOCK_ID that has been previously mentioned, but I get immediately redirected to airbnb main site. Is there something I'm doing wrong?

I'm grabbing the AIRLOCK_ID from the air lock response:

{
  "error_code": 420,
  ...
  "client_error_info": {
    "airlock": {
      ...
      "header_text": "Please verify yourself",
      "id": 123503232427 // using this id. 
      ...
    },
    "metadata": {}
  }
}

is that correct?

Any help would be greatly appreciated.

hugorut avatar Aug 12 '18 10:08 hugorut

Hi, Hugo*.

I suggest trying some more IP locations until you find one that works. Currently we don't have a working solution for a recaptcha airlock. :( I have some free time coming up I hope to use to work on this issue. I'll let you know if I find anything by posting in this thread.

zxol avatar Aug 13 '18 01:08 zxol

Hey @hugorut, make sure you visit the airlock site from a private tab / window

axos88 avatar Aug 13 '18 14:08 axos88

@axos88 yeah I did that and it still redirected me

hugorut avatar Aug 13 '18 14:08 hugorut

Did you provide the AUTH_KEY? See the correct url above:

https://www.airbnb.hu/api/v2/airlocks/AIRLOCK_ID?key=AUTHKEY&_format=v1

axos88 avatar Aug 13 '18 14:08 axos88

So I tried that as well but I got a permissions error:

{
   error_code: 403,
   error_type: "no_access",
   error_message: "You do not have permission to access this resource.",
   error_id: "42c0ec933af0e94ecfe7cfc5dca852ca"
}

Maybe I'm using an incorrect AUTHKEY? I just grabbed mine from a network tab inspection when I was logged into Airbnb. Is that correct?

hugorut avatar Aug 13 '18 14:08 hugorut

No. IIRC you need to use the token provided in the airlock error response

axos88 avatar Aug 14 '18 22:08 axos88

I don't have airlock ID [image]

d668 avatar Oct 12 '18 14:10 d668

It looks like they are no longer providing the Airlock payload back. Has anyone gotten around this? Systems like Pricelabs and Guesty are still somehow getting around this and having the verification message trigger automatically without an official integration.

itsjms avatar Feb 18 '19 15:02 itsjms

The client_error_info part is only there if the request has x-airbnb-device-id. It seems the value is not important, it just has to be there.

kratam avatar Apr 23 '19 13:04 kratam

Did you provide the AUTH_KEY? See the correct url above:

https://www.airbnb.hu/api/v2/airlocks/AIRLOCK_ID?key=AUTHKEY&_format=v1

@axos88 Sorry for the ping, but the apidirectory.org url doesn't seem to work anymore so I can't check what you linked. Where does this AUTHKEY come from? The client_error_info object looks like this. Also, the recaptcha is not always an option, it seems it has to be included in friction_data in order to work.

action_name: "account_login"
bill_version_token: null
completion_redirect_url: ""
error_redirect_url: ""
escapable: true
fallback_friction: "contact_us_form"
first_name: "Joe"
flow: "account_ownership_verification_for_login"
friction_data: Array(5)
0: {name: "phone_verification_via_text", data: {…}, status: 0, style: "modal", version: "1.0"}
1: {name: "phone_verification_via_call", data: {…}, status: 0, style: "modal", version: "1.0"}
2: {name: "email_code_verification", data: {…}, status: 0, style: "full_page_redirect", version: "1.0"}
3: {name: "push_code_verification", data: {…}, status: 0, style: "full_page_redirect", version: "1.0"}
4: {name: "contact_us_form", data: {…}, status: 0, style: "full_page_redirect", version: "1.0"}
length: 5
header_text: "Please verify yourself"
id: 1234
identifier: null
keep_webview_open_on_redirect: false
redux: true
should_replay_request: false
status: 0
user_id: 1234
user_message: null

kratam avatar Apr 23 '19 14:04 kratam

I've tried using mitmproxy to intercept the Android app and so far this is what I get (this may be a repeat of previous info but I just wanted to keep it all clear)

  1. As soon as I log in from a previously unused location
POST https://api.airbnb.com/v2/logins?client_id=<CLIENT_ID>&locale=<LOCALE>&currency=<CURRENCY> HTTP/2.0

Request: Handled by airbnbapi already

Response:

HTTP Code 420
{
  "error_code": 420,
  "error_type": "inline_risk_error",
  "error_message": "Unfortunately, a server error prevented your request from being completed. Airbnb may be undergoing maintenance or your connection may have timed out. Please try again.",
  "client_error_info": {
    "airlock": {
      "friction_data": [ // Verification methods. We could potentially use this programmatically
        {
          "name": "phone_verification_via_text",
          "data": {
            "phone_numbers": [
              {
                "id": 0000000,
                "last_four_digits": "xxxx",
                "obfuscated": "+xxxxxxxxxx",
                "verification_method": 1,
                "verified_at": "xxxxxxx"
              }
            ],
            "verification_code_num_digits": 4
          },
          "status": 0,
          "style": "modal",
          "version": "1.0"
        },
        {
          "name": "phone_verification_via_call",
          "data": {
            "phone_numbers": [
              {
                "id": 000000000,
                "last_four_digits": "xxxx",
                "obfuscated": "+xxxxxxxxxxxxx",
                "verification_method": 1,
                "verified_at": "xxxxxxxxxxx"
              }
            ],
            "verification_code_num_digits": 4
          },
          "status": 0,
          "style": "modal",
          "version": "1.0"
        },
        {
          "name": "email_code_verification",
          "data": {
            "delivery_methods": [
              {
                "id": 4,
                "text": "Verify via Email"
              }
            ],
            "obfuscated_email_address": "xxxxxxxxxxx",
            "verification_code_num_digits": 4
          },
          "status": 0,
          "style": "full_page_redirect",
          "version": "1.0"
        }
        // ...
      ],
      "header_text": "Please verify yourself",
      "id": AIRLOCK_ID,
      "identifier": null,
      "keep_webview_open_on_redirect": false,
      "redux": true,
      "status": 0,
      "should_replay_request": true,
      "user_id": USER_ID,
      "user_message": null,
      "bill_version_token": null
    },
    "metadata": {}
  },
  "error_details": "Unable to perform action. Please try again through the website or contact support if you need immediate assistance.",
  "error_id": "00000000000000000000000000000000"
}

Out of this, client_error_info.airlock.id (Airlock ID) and client_error_info.airlock.user_id are important.

  2. Choosing a verification method. I chose email
PUT https://api.airbnb.com/v2/airlocks/AIRLOCK_ID?_format=v1&client_id=<CLIENT ID>&locale=<LOCALE>&currency=<CURRENCY> HTTP/2.0

Request:

{
    "action_name": "account_login",
    "attempt": true,
    "friction": "email_code_verification",
    "friction_data": {},
    "id": <AIRLOCK ID>,
    "user_id": <USER ID>
}

Response: Similar to response in 1. above. HTTP Code 200

  3. After entering verification code
PUT https://api.airbnb.com/v2/airlocks/<AIRLOCK ID>?_format=v1&client_id=<CLIENT ID>&locale=<LOCALE>&currency=<CURRENCY> HTTP/2.0

Request:

{
    "action_name": "account_login",
    "friction": "email_code_verification",
    "friction_data": {
        "response": {
            "code": "<CODE FROM EMAIL>"
        }
    },
    "id": <AIRLOCK ID>,
    "user_id": <USER ID>
}

Response: Similar to 1. above. HTTP Code 200

  4. Login again
POST https://api.airbnb.com/v2/logins?client_id=<CLIENT_ID>&locale=<LOCALE>&currency=<CURRENCY> HTTP/2.0

Request: Handled by airbnbapijs already

Response:

HTTP Code 200
{
    "login": {
        "account": {
            "badges": [
                {
                // ...

From this, the noteworthy point is their use of PUT instead of POST or GET for airlock. That could explain some of the errors above. I'm sorry if anything's repeated here :)

Technohacker avatar Jun 10 '19 11:06 Technohacker
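
The 420 response shape quoted in this thread, handled explicitly rather than surfacing as a silent null. This is an added example, not part of the thread or of the airbnbapi library: the field names are the ones shown in the quoted responses, while `describeAirlock()`, `logLine()`, the returned shape and the sample data are assumptions made for illustration.

```javascript
// Added example: interpret a 420 "airlock" login response.
// Field names come from the responses quoted in this thread; the function
// names, return shape and SAMPLE_420 are hypothetical / constructed.

// Collect only the obfuscated contact hints the server already masks.
function hintFor(friction) {
  const data = friction.data || {};
  if (Array.isArray(data.phone_numbers)) {
    return data.phone_numbers.map((p) => p.obfuscated).filter(Boolean);
  }
  if (data.obfuscated_email_address) return [data.obfuscated_email_address];
  return [];
}

function describeAirlock(body) {
  if (!body || body.error_code !== 420) return { airlocked: false };
  const airlock = body.client_error_info && body.client_error_info.airlock;
  // The thread reports 420 responses that carry no airlock payload at all.
  if (!airlock) return { airlocked: true, hasPayload: false, methods: [] };
  const frictions = Array.isArray(airlock.friction_data) ? airlock.friction_data : [];
  return {
    airlocked: true,
    hasPayload: true,
    airlockId: airlock.id,
    userId: airlock.user_id,
    flow: airlock.flow || null,
    fallback: airlock.fallback_friction || null,
    replayAfterVerify: airlock.should_replay_request === true,
    methods: frictions.map((f) => ({
      name: f.name,
      style: f.style || null,
      status: f.status,
      codeDigits: (f.data && f.data.verification_code_num_digits) || null,
      hints: hintFor(f),
    })),
  };
}

// One log-safe line: no first_name, no user_id, no contact hints.
function logLine(info) {
  if (!info.airlocked) return 'login: no airlock';
  if (!info.hasPayload) return 'login: 420 airlock, no client_error_info payload';
  const names = info.methods.map((m) => m.name).join(',');
  return `login: 420 airlock id=${info.airlockId} flow=${info.flow} methods=${names}`;
}

// Constructed sample, shaped like the mobile-API response quoted above.
const SAMPLE_420 = {
  error_code: 420,
  error_type: 'inline_risk_error',
  client_error_info: {
    airlock: {
      action_name: 'account_login',
      flow: 'account_ownership_verification_for_login',
      fallback_friction: 'contact_us_form',
      friction_data: [
        { name: 'phone_verification_via_text', status: 0, style: 'modal',
          data: { phone_numbers: [{ id: 1, obfuscated: '+00 (***) ***-0000' }],
                  verification_code_num_digits: 4 } },
        { name: 'email_code_verification', status: 0, style: 'full_page_redirect',
          data: { obfuscated_email_address: 'ex*****@ex*****.com',
                  verification_code_num_digits: 4 } },
        { name: 'contact_us_form', status: 0, style: 'full_page_redirect',
          data: { min_length: 25, max_length: 2000 } },
      ],
      id: 1234, user_id: 5678, status: 0, should_replay_request: true,
    },
    metadata: {},
  },
};

console.log(logLine(describeAirlock(SAMPLE_420)));
```
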