This was the hurdle I came up against, and eventually gave up… I couldn’t figure out how to ensure the cookie was valid and also implement something that would refresh in the background without needing a prompt for auth.
I need this too please.
It would help so much to be able to integrate with HA for customisation
Thx
Hi @5AMsan
Could you share details of the API calls you could detect to the APIs?
I made some tests but was not able to detect these calls.
Thanks
Here you are, reply here if you need more details, maybe I’ll be able to help some more.
That’s indeed the missing point. Using a trusted browser can help but for how long? At some point Google will ask for auth and we won’t be able to automate this part IMHO
Is there a way to find out how long the auth lasts? For me I’d gladly accept some kinda manual reauth weekly if it means I don’t have to open the Family Link app every day.
I’m wondering if it’s worth looking at how badnest handles this for inspiration because that uses cookie auth for Google logins
What’s Badnest’s project? Maybe something like this one?
That’s it, see line 187.
I’m not sure if Family Link could work in a similar fashion.
I did a bit of digging with a rooted android phone…
Auth is handled via some form of oauth2 process to “android.googleapis.com/auth” with the following scopes:
“https://www.googleapis.com/auth/kid.management https://www.googleapis.com/auth/photos.image.readonly”. It does require a whole bunch of parameters though:
Looks like there is a signature, access token and JWT. No idea where these come from, I can’t see any requests that retrieve this information so I assume it’s part of the core Google Play Services framework. token_request_options appears to be a base64 string, app and callerPkg is the Android package ID.
Token returned is encrypted and seems to be decrypted on device to produce a new bearer token (not JWT). All requests to the kidsmangement-pa host then have the following headers, and all communication is in gRPC.
At this point, pretty much all the responses are gRPC and are completely obfuscated without the object model from the app. So they don’t really make any sense.