[WIP] Implement mobile auth flow (from #7)

Author: bendikrb

podme_api/auth/__init__.py

@@ -1,9 +1,11 @@
 from .client import PodMeAuthClient, PodMeDefaultAuthClient
+from .mobile_client import PodMeMobileAuthClient
 from .models import PodMeUserCredentials, SchibstedCredentials
 
 __all__ = [
     "PodMeAuthClient",
     "PodMeDefaultAuthClient",
     "PodMeUserCredentials",
+    "PodMeMobileAuthClient",
     "SchibstedCredentials",
 ]

podme_api/auth/client.py

@@ -276,12 +276,14 @@ async def authorize(self, user_credentials: PodMeUserCredentials) -> SchibstedCr
                 "redirectToAccountPage": "",
             },
         )
-        final_location = response.history[-1].headers.get("Location")
-        jwt_cookie = response.history[-1].cookies.get("jwt-cred").value
-        jwt_cred = unquote(jwt_cookie)
-        self.set_credentials(jwt_cred)
-
-        _LOGGER.debug(f"Login successful: (final location: {final_location})")
+        jwt_cred = next(
+            (unquote(h.cookies["jwt-cred"].value) for h in response.history if "jwt-cred" in h.cookies), None
+        )
+        if jwt_cred:
+            self.set_credentials(jwt_cred)
+            _LOGGER.debug("Login successful")
+        else:
+            _LOGGER.error("Login failed")
 
         await self.close()
 

podme_api/auth/common.py

@@ -73,6 +73,11 @@ def invalidate_credentials(self):
         """Invalidate the current credentials."""
         raise NotImplementedError  # pragma: no cover
 
+    @property
+    def credentials_filename(self):
+        """Get the filename for storing credentials."""
+        return "credentials.json"
+
     async def close(self) -> None:
         """Close open client session."""
         if self.session and self._close_session:

podme_api/auth/mobile_client.py

@@ -0,0 +1,210 @@
+from __future__ import annotations
+
+from dataclasses import dataclass
+from datetime import datetime, timezone
+import hashlib
+import json
+import logging
+import os
+import secrets
+from typing import TYPE_CHECKING
+
+from aiohttp.hdrs import METH_GET, METH_POST
+import pkce
+from yarl import URL
+
+from podme_api.auth.client import PodMeDefaultAuthClient
+from podme_api.auth.models import SchibstedCredentials
+
+if TYPE_CHECKING:
+    from podme_api.auth.models import PodMeUserCredentials
+
+_LOGGER = logging.getLogger(__name__)
+
+CLIENT_ID = "62557b19f552881812b7431c"
+
+
+@dataclass
+class PodMeMobileAuthClient(PodMeDefaultAuthClient):
+    """Default authentication client for PodMe.
+
+    This class handles authentication using Schibsted credentials for the PodMe service.
+    """
+
+    device_data = {
+        "platform": "Android",
+        "userAgent": "Chrome",
+        "userAgentVersion": "128.0.0.0",
+        "hasLiedOs": "0",
+        "hasLiedBrowser": "0",
+        "fonts": [
+            "Arial",
+            "Courier",
+            "Courier New",
+            "Georgia",
+            "Helvetica",
+            "Monaco",
+            "Palatino",
+            "Tahoma",
+            "Times",
+            "Times New Roman",
+            "Verdana",
+        ],
+        "plugins": [],
+    }
+    """Device information for authentication."""
+
+    async def authorize(self, user_credentials: PodMeUserCredentials) -> SchibstedCredentials:
+        code_verifier, code_challenge = pkce.generate_pkce_pair()
+        response = await self._request(
+            "oauth/authorize",
+            params={
+                "client_id": CLIENT_ID,
+                "redirect_uri": f"pme.podme.{CLIENT_ID}:/login",
+                "response_type": "code",
+                "scope": "openid offline_access",
+                "state": hashlib.sha256(os.urandom(1024)).hexdigest(),
+                "nonce": secrets.token_urlsafe(),
+                "code_challenge": code_challenge,
+                "code_challenge_method": "S256",
+                "prompt": "select_account",
+            },
+            allow_redirects=False,
+        )
+        # Login: step 1/3
+        await self._request("", METH_GET, response.headers.get("Location"))
+        # Login: step 2/4
+        response = await self._request(
+            "authn/api/settings/csrf",
+            params={"client_id": CLIENT_ID},
+        )
+        csrf_token = (await response.json())["data"]["attributes"]["csrfToken"]
+
+        # Login: step 3/4
+        response = await self._request(
+            "authn/api/identity/email-status",
+            method=METH_POST,
+            params={"client_id": CLIENT_ID},
+            headers={
+                "X-CSRF-Token": csrf_token,
+                "Accept": "application/json",
+            },
+            data={
+                "email": user_credentials.email,
+                "deviceData": json.dumps(self.device_data),
+            },
+        )
+        email_status = await response.json()
+        _LOGGER.debug(f"Email status: {email_status}")
+
+        # Login: step 4/4
+        response = await self._request(
+            "authn/api/identity/login/",
+            method=METH_POST,
+            params={"client_id": CLIENT_ID},
+            headers={
+                "X-CSRF-Token": csrf_token,
+                "Accept": "application/json",
+            },
+            data={
+                "username": user_credentials.email,
+                "password": user_credentials.password,
+                "remember": "true",
+                "deviceData": json.dumps(self.device_data),
+            },
+        )
+        login_response = await response.json()
+        _LOGGER.debug(f"Login response: {login_response}")
+
+        # Finalize login
+        response = await self._request(
+            "authn/identity/finish/",
+            method=METH_POST,
+            params={"client_id": CLIENT_ID},
+            headers={
+                "Content-Type": "application/x-www-form-urlencoded",
+            },
+            data={
+                "deviceData": json.dumps(self.device_data),
+                "remember": "true",
+                "_csrf": csrf_token,
+                "redirectToAccountPage": "",
+            },
+            allow_redirects=False,
+        )
+
+        # Follow redirect manually
+        response = await self._request("", METH_GET, response.headers.get("Location"), allow_redirects=False)
+        code = URL(response.headers.get("Location")).query.get("code")
+
+        # Request tokens with authorization code
+        response = await self._request(
+            "oauth/token",
+            method=METH_POST,
+            headers={
+                "X-OIDC": "v1",
+                "X-Region": "NO",  # @TODO: Support multiple regions.
+            },
+            data={
+                "client_id": CLIENT_ID,
+                "grant_type": "authorization_code",
+                "code": code,
+                "redirect_uri": f"pme.podme.{CLIENT_ID}:/login",
+                "code_verifier": code_verifier,
+            },
+            allow_redirects=False,
+        )
+
+        jwt_cred = await response.json()
+        jwt_cred["expiration_time"] = int(datetime.now(tz=timezone.utc).timestamp() + jwt_cred["expires_in"])
+        self.set_credentials(jwt_cred)
+
+        _LOGGER.debug("Login successful")
+
+        await self.close()
+
+        return self._credentials
+
+    async def refresh_token(self, credentials: SchibstedCredentials | None = None):
+        if credentials is None:
+            credentials = self._credentials
+
+        response = await self._request(
+            "oauth/token",
+            method=METH_POST,
+            headers={
+                "Host": "payment.schibsted.no",
+                "Content-Type": "application/x-www-form-urlencoded",
+                "User-Agent": "AccountSDKAndroidWeb/6.4.0 (Linux; Android 15; API 35; Google; sdk_gphone64_arm64)",
+                "X-OIDC": "v1",
+                "X-Region": "NO",  # @TODO: Support multiple regions.
+            },
+            data={
+                "client_id": CLIENT_ID,
+                "grant_type": "refresh_token",
+                "refresh_token": credentials.refresh_token,
+            },
+            allow_redirects=False,
+        )
+
+        refreshed_credentials = await response.json()
+        refreshed_credentials["expiration_time"] = int(
+            datetime.now(tz=timezone.utc).timestamp() + refreshed_credentials["expires_in"]
+        )
+        self.set_credentials(
+            SchibstedCredentials.from_dict(
+                {
+                    **credentials.to_dict(),
+                    **refreshed_credentials,
+                }
+            )
+        )
+
+        _LOGGER.debug(f"Refreshed credentials: {self.get_credentials()}")
+
+        await self.close()
+
+        return self._credentials
+
+    def credentials_filename(self):
+        return "credentials_mobile.json"

podme_api/client.py

@@ -11,7 +11,7 @@
 import math
 from pathlib import Path
 import socket
-from typing import TYPE_CHECKING, Callable, Self, Sequence, TypeVar
+from typing import TYPE_CHECKING, Any, Callable, Self, Sequence, TypeVar
 
 import aiofiles
 import aiofiles.os
@@ -25,6 +25,7 @@
 from podme_api.const import (
     DEFAULT_REQUEST_TIMEOUT,
     PODME_API_URL,
+    PODME_API_USER_AGENT,
 )
 from podme_api.exceptions import (
     PodMeApiConnectionError,
@@ -39,6 +40,7 @@
     PodMeApiUnauthorizedError,
 )
 from podme_api.models import (
+    PodMeApiPlatform,
     PodMeCategory,
     PodMeCategoryPage,
     PodMeDownloadProgressTask,
@@ -74,6 +76,9 @@ class PodMeClient:
     auth_client: PodMeAuthClient
     """auth_client (PodMeAuthClient): The authentication client."""
 
+    api_platform: PodMeApiPlatform = PodMeApiPlatform.MOBILE
+    """api_platform (PodMeApiPlatform): The API platform to use."""
+
     disable_credentials_storage: bool = False
     """Whether to disable credential storage."""
 
@@ -114,7 +119,7 @@ async def save_credentials(self, filename: PathLike | None = None) -> None:
 
         """
         if filename is None:
-            filename = Path(self._conf_dir) / "credentials.json"
+            filename = Path(self._conf_dir) / self.auth_client.credentials_filename
         filename = Path(filename).resolve()
         credentials = self.auth_client.get_credentials()
         if credentials is None:  # pragma: no cover
@@ -132,7 +137,7 @@ async def load_credentials(self, filename: PathLike | None = None) -> None:
 
         """
         if filename is None:
-            filename = Path(self._conf_dir) / "credentials.json"
+            filename = Path(self._conf_dir) / self.auth_client.credentials_filename
         filename = Path(filename).resolve()
         if not filename.exists():
             _LOGGER.warning("Credentials file does not exist: <%s>", filename)
@@ -171,7 +176,8 @@ async def _request(  # noqa: C901
             The response data from the API.
 
         """
-        url = URL(f"{PODME_API_URL.strip('/')}/").join(URL(uri))
+        base_url = PODME_API_URL.format(platform=self.api_platform)
+        url = URL(f"{base_url.strip('/')}/").join(URL(uri))
 
         access_token = await self.auth_client.async_get_access_token()
         headers = {
@@ -264,6 +270,7 @@ def request_header(self) -> dict[str, str]:
         return {
             "Accept": "application/json",
             "X-Region": str(self.region),
+            "User-Agent": PODME_API_USER_AGENT,
         }
 
     async def _get_pages(
@@ -983,7 +990,7 @@ async def _resolve_m3u8_url(self, master_url: URL | str) -> FetchedFileInfo:
         # Parse master.m3u8 to get the audio playlist URL (first match only).
         audio_playlist_url: URL | None = None
         for line in master_content.splitlines():
-            if line.endswith(".m3u8"):
+            if ".m3u8" in line:
                 audio_playlist_url = master_url.join(URL(line.strip()))
                 break
 
@@ -1013,7 +1020,7 @@ async def _resolve_m3u8_url(self, master_url: URL | str) -> FetchedFileInfo:
     @staticmethod
     async def _run_concurrent(
         func: Callable[..., T],
-        args_list: Sequence[any],
+        args_list: Sequence[Any],
         **kwargs: any,
     ) -> list[T]:
         """Run multiple asynchronous tasks concurrently.

podme_api/const.py

@@ -3,7 +3,8 @@
 import logging
 
 PODME_AUTH_USER_AGENT = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:131.0) Gecko/20100101 Firefox/131.0"
-PODME_API_URL = "https://api.podme.com/web/api/v2"
+PODME_API_USER_AGENT = "Podme android app/6.29.3 (Linux;Android 15) AndroidXMedia3/1.5.1"
+PODME_API_URL = "https://api.podme.com/{platform}/api/v2"
 PODME_BASE_URL = "https://podme.com"
 PODME_AUTH_BASE_URL = "https://payment.schibsted.no"
 PODME_AUTH_RETURN_URL = f"{PODME_BASE_URL}/no/oppdag"

podme_api/models.py

@@ -46,6 +46,13 @@ def __repr__(self):
         return self.value.lower()
 
 
+class PodMeApiPlatform(StrEnum):
+    """Enumeration of PodMe API platforms."""
+
+    WEB = auto()
+    MOBILE = auto()
+
+
 class PodMeRegion(IntEnum):
     """Enumeration of PodMe regions."""
 
@@ -338,17 +345,20 @@ class PodMeEpisode(PodMeEpisodeBase):
     medium_image_url: str = field(metadata=field_options(alias="mediumImageUrl"))
     stream_url: str | None = field(default=None, metadata=field_options(alias="streamUrl"))
     slug: str | None = None
-    current_spot: time = field(
+    current_spot: time | None = field(
+        default=None,
         metadata=field_options(
             alias="currentSpot",
             deserialize=time.fromisoformat,
             serialize=time.isoformat,
-        )
+        ),
+    )
+    current_spot_sec: int | None = field(default=None, metadata=field_options(alias="currentSpotSec"))
+    episode_can_be_played: bool | None = field(
+        default=None, metadata=field_options(alias="episodeCanBePlayed")
     )
-    current_spot_sec: int = field(metadata=field_options(alias="currentSpotSec"))
-    episode_can_be_played: bool = field(metadata=field_options(alias="episodeCanBePlayed"))
     only_as_package_subscription: bool = field(metadata=field_options(alias="onlyAsPackageSubscription"))
-    has_completed: bool = field(metadata=field_options(alias="hasCompleted"))
+    has_completed: bool | None = field(default=None, metadata=field_options(alias="hasCompleted"))
     is_rss: bool | None = field(default=None, metadata=field_options(alias="isRss"))
     total_no_of_episodes: int | None = field(default=None, metadata=field_options(alias="totalNoOfEpisodes"))