airbnbapi: error code 420
I try to get a token with:
let token = airbnb.newAccessToken({username:'user', password:'password'})
and I get this error msg:
{ error_code: 420,
error: 'unknown_error',
error_message: 'Unable to perform action. Please try again through the website or contact support if you need immediate assistance.',
client_error_info:
{ airlock:
{ action_name: 'account_login',
completion_redirect_url: '',
error_redirect_url: '',
escapable: true,
fallback_friction: 'contact_us_form',
first_name: 'xxxxx',
flow: 'captcha_flow',
friction_data: [Object],
header_text: 'Please verify yourself',
id: 12345678,
identifier: null,
keep_webview_open_on_redirect: false,
redux: true,
status: 0,
should_replay_request: true,
user_id: 876654321,
user_message: null },
metadata: {} } }
About this issue
- Original URL
- State: open
- Created 6 years ago
- Reactions: 2
- Comments: 89 (10 by maintainers)
I’ve tried using mitmproxy to intercept the Android app and so far this is what I get (this may be a repeat of previous info but I just wanted to keep it all clear)
Request: Handled by airbnbapi already
Response:
Out of this,
client_error_info.airlock.id
(Airlock ID) andclient_error_info.airlock.user_id
is important.Request:
Response: Similar to response in 1. above. HTTP Code 200
Request:
Response: Similar to 1. above. HTTP Code 200
Request: Handled by airbnbapijs already
Response:
From this, the noteworthy point is their use of PUT instead of POST or GET for airlock. That could explain some of the errors above. I’m sorry if anything’s repeated here 😃
I just completed an airlock verification via the web interface and sniffed the traffic, maybe this will help implement the verification?
I just discovered a few days ago that the mobile client started using another api call to get tokens:
Device id seems to be able to be any 32 character long alphanumberic string . I was changing it every time i logged in with a new user.
So, a 420 error is when Airbnb’s verification system, named airlock, blocks you from getting a token for an account. You may have worked this out already. It doesn’t happen all the time, but when it does, it’s proven a difficult problem to get around.
Unfortunately, I have not been able to discover the correct endpoints and proceedure for the verification check. I’ve tried a lot of different things but I haven’t been able to crack the problem yet.
I will leave this issue open and assign a task to try and fix it, as I’m aware this is a large issue for the project.
I’m sorry I couldn’t offer more help at this stage.
FYI: The token doesn’t need to be renewed. I’ve been using the same token for almost 2 years now. I do make a lot of requests with it though.
@Technohacker
Your method helps me a lot and I wrote 2 functions for the airbnbapijs Method 1: Request the verification email from airbnb:
async emailVerifyRequest({airlock_id, user_id}){ const options = this.buildOptions({ method: 'PUT', uri: 'https://api.airbnb.com/v2/airlocks/'+airlock_id+'?', _format: 'v1', body:{ action_name: "account_login", attempt: true, friction: 'email_code_verification', id: airlock_id, user_id: user_id }, timeout: 10000 }); try { const response = await (0, _requestPromise2.default)(options); return response; } catch (e) { console.error("Airbnbapi: Could not request an verification code for " + user_id); console.error(e); } }
Method 2: Send the verification code back to Airbnb:async emailVerifyCodeSend({airlock_id, user_id, verify_code}){ const options = this.buildOptions({ method: 'PUT', uri: 'https://api.airbnb.com/v2/airlocks/'+airlock_id+'?', _format: 'v1', body:{ action_name: "account_login", friction: 'email_code_verification', friction_data: { response: { code: verify_code } }, id: airlock_id, user_id: user_id }, timeout: 10000 }); try { const response = await (0, _requestPromise2.default)(options); return response; } catch (e) { console.error("Airbnbapi: Your verification Code is Wrong, Please check it and do it again !"); console.error(e); } }
These are based on your step 2 and step 3, and it works. Thank you very much. If anyone else has this second type of verification problem, I hope my code could help.I can confirm that @Technohacker 's method worked. I performed his proposed solution using curls. the
client_id
is the defaultapi_key
that we are using to authenticate (namely this). You must always have the headerx-airbnb-device-id
present at all requests. This is indeed a random hex 16-long string. Regarding the captcha, I just solved it using my browser, merely following thehttps://www.airbnb.com/airlock?al_id=AIRLOCK_ID
link.No, that’s
403
.I’m not too well versed but I’m very certain all apps on Android would pass through the Android java libs before interacting with the native interfaces (or they would (maybe?) sacrifice compatibility for using the native layer directly). So, if one compiled a version of AOSP or something else with a patch to the java framework, it’ll allow intercepting the request before it’s sent over the network and get a response after decoding it from the TLS stream.
I looked up online for a simple HTTP request class and I found this small snippet:
So all we need to get the request would be to patch HttpClient’s execute() to print the request (and similarly for response)
This is a lot of work, but it’s a sure sign that it can be done if nothing else works
wow, OK. PUT request for airlock submission? I didn’t try that. I wonder if this will work for the capcha flow. How did you mitm the airlock system? I thought they implemented cert pinning for the recent versions? Thank you very much for sharing this info.
No it’s not that simple, what we really need to do is another non mobile based project that would use pupeteer and call a human whenever Captha is needed to be solved
charlesproxy. You need to root your phone if you are using >= Android N
If you’re on osx you can try postman. Simply select File / Import - paste raw text and paste the entire curl request (starting with
curl -H ...
).It seems to work for me. The question is what it returns if the account is airlocked.
@axos88
not able to convert the response to json
.then(res => res.json())
yield the following error…it seems to work with curl, do u have a nodejs snippet similar to
curl
edit:
actually tried curl again and results in this error
@beld2107 I think you need to do unlock Airlock via the browser by visiting https://www.airbnb.com/airlock?al_id=<AIRLOCK_ID> and completing the captcha and then
/authorize
again… that should give you an access token. You should cache the token and renew it monthly.@a-eid have you tried this: Use Postman POST: https://api.airbnb.com/v1/authorize
Headers: Content-Type: application/x-www-form-urlencoded Accept: application/json Accept-Encoding: br, gzip, deflate User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36 X-Airbnb-Api-Key: d306zoyjsyarp7ifhu67rjxn52tv0t20 (this is a public/general client_id) X-Airbnb-Currency: USD X-Airbnb-Device-Id: 111111111111111 X-Airbnb-Locale: en
Body: x-www-form-urlencoded: username: [your-airbnb-email@email.com] password: [password] client_id: d306zoyjsyarp7ifhu67rjxn52tv0t20 grant_type: password
If you
/authorize
multiple times, you will get Airlocked. Get the Airlock ID from the 420 Error response body and paste it in url above to confirm you’re a human.From my small test here, they don’t use cert pinning. However, Android Nougat did reject any use of user-trusted CA certs in all apps unless the app explicitly trusted them, so I used a pre-Nougat device for it.
Result: Flawless mitmproxy action 😄
EDIT: Now that I’ve posted this, Airbnb might start implementing cert pinning 🙃
Hi, Hugo*.
I suggest trying some more IP locations until you find one that works. Currently we don’t have a working solution for a recaptcha airlock. 😦 I have some free time coming up I hope to use to work on this issue. I’ll let you know if i find anything by posting in this thread.
I have been sending people to https://www.airbnb.com/airlock?al_id=AIRLOCK_ID – that seems to work most of the time and once they go there in the browser and authorize, the token will work after that. But sometimes it just continues to get a 420.
I noticed this: https://github.com/dennisvdvliet/airbnb_api mentions “registering your application with Airbnb” and then using OAuth. Obviously that would be by far more ideal than storing raw usernames/passwords, but I don’t see any way to actually do that registration step.
Any other progress?
@zxol found this: http://apidirectory.org/airbnbapi/index.php/Unofficial_Airbnb_API