Unofficial danalock web API

Header request

:authority: orion-http.gw.postman.co
:method: POST
:path: /v1/request
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en,fr;q=0.9,fr-FR;q=0.8,en-US;q=0.7
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjExYTY5YTI4LTE4ZGQtNGUwMS1hZmU3LTdhNmI3YWQ1MjBmMiIsInVzZXJJZCI6MjExNjE1MTksInRlYW1JZCI6MCwiaXYiOiJtakFTQ3BVNlYycGRZMHVSZ21hSDh3PT0iLCJhbGdvIjoiYWVzLTEyOCIsImlhdCI6MTY1MzY4MzA4NiwiZXhwIjoxNjUzNjg0ODg2fQ.oiz5fY7_4J9uEB0TufgdDug9jjNxZb1sE4G-V3-xZBY
content-length: 85
content-type: application/x-www-form-urlencoded
origin: https://web.postman.co
pm-h0: Content-Type=application/x-www-form-urlencoded, Authorization=Basic ZGFuYWxvY2std2ViOiIi, User-Agent=PostmanRuntime/7.29.0, Accept=*/*, Cache-Control=no-cache, Postman-Token=a574b6ad-6cdb-47de-9e27-316418cc8104, Host=api.danalock.com, Accept-Encoding=gzip%2C deflate%2C br, Connection=keep-alive
pm-o0: method=POST, timings=true, timeout=180000, rejectUnauthorized=true
pm-u: https://api.danalock.com/oauth2/token
referer: https://web.postman.co/workspace/4c634a3c-b884-400f-87a1-0a93981c7182/collection/21161519-1f5fb1ef-92d9-4145-b42d-73fd4763fdf6?ctx=documentation
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36

Header Answer

access-control-allow-credentials: true
access-control-allow-origin: https://web.postman.co
access-control-expose-headers: pm-e, pm-h0, pm-h1, pm-h2, pm-h3, pm-o0, pm-o1, pm-o2, pm-o3
content-encoding: gzip
content-security-policy: default-src 'none'
content-type: application/json
date: Fri, 27 May 2022 20:25:16 GMT
pm-h0: Date=Fri%2C 27 May 2022 20:25:16 GMT, Content-Type=application/json, Content-Length=212, Connection=keep-alive, Access-Control-Allow-Credentials=true, Access-Control-Allow-Headers=Content-Type%2C Authorization%2C X-Assume-User, Access-Control-Allow-Methods=GET%2C POST%2C DELETE%2C PUT%2C PATCH%2C HEAD, Access-Control-Allow-Origin=*, Access-Control-Expose-Headers=X-Page%2C X-Pages%2C X-PerPage%2C X-TotalRecords%2C mode, Cache-Control=no-cache%2C no-store%2C must-revalidate, Expires=0, Server=nginx, Vary=Origin
pm-o0: statusCode=400, statusMessage=Bad Request, httpVersion=1.1, timings=wait:0.099|dns:3.482|tcp:2.623|tls:201.329|request:0.104|firstByte:218.908, session={"id":"43966a40-4a99-45b7-a5a8-ad5a7c5169ac"%2C"reused":false%2C"data":{"addresses":{"local":{"address":"172.17.0.2"%2C"family":"IPv4"%2C"port":43630}%2C"remote":{"address":"99.83.133.6"%2C"family":"IPv4"%2C"port":443}}%2C"tls":{"reused":false%2C"authorized":true%2C"authorizationError":null%2C"cipher":{"name":"ECDHE-RSA-AES128-GCM-SHA256"%2C"standardName":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"%2C"version":"TLSv1.2"}%2C"protocol":"TLSv1.2"%2C"ephemeralKeyInfo":{"type":"ECDH"%2C"name":"prime256v1"%2C"size":256}%2C"peerCertificate":{"subject":{"commonName":"*.danalock.com"%2C"alternativeNames":"DNS:*.danalock.com%2C DNS:ekey-backend-prod.pre-prod.danalock.com%2C DNS:*.danalockservices.com%2C DNS:ekey.poly-control.com"}%2C"issuer":{"country":"US"%2C"organization":"Amazon"%2C"organizationalUnit":"Server CA 1B"%2C"commonName":"Amazon"}%2C"validFrom":"May  2 00:00:00 2022 GMT"%2C"validTo":"May 31 23:59:59 2023 GMT"%2C"fingerprint":"1A:56:EC:0A:64:86:BF:18:69:E1:3C:27:00:E3:C7:39:EA:96:BD:86"%2C"serialNumber":"09209FF8A6246AA5BA3A4E22CB3D37CA"}}}}
referrer-policy: origin
server: nginx
strict-transport-security: max-age=63072000; includeSubDomains
vary: Origin
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block

And finally the same message

{"error":"invalid_request","message":"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.","hint":"one time password"}

Sorry, I meant that you should log in to my danalock and capture the traffic using a web browser - if that doesn’t work, try to capture traffic using fiddler

Hello! My question is, if a vulnerability is programmed into the base system, will the update override it? Suppose a hacker develops a backdoor into the base system of the smart lock. Will the update override it? Or does the base system need to be reflashed via USB TTL or some port?

Hi Erik,
I understand now what “one time password” means in the error message.
It’s the 2FA mechanism to protect my danalock account.
It’s very strange that the danalock API is stuck with that.
What is the benefit of having an API if you need to manually provide a 2FA code for every query?

Does anyone know the answer to this?

Have they managed to solve it? I have the same problem with the same errors:
29/3/2023, 1:17:49node: Oauth2msg : Object

{ _msgid: “97579d0a8be6f83d” }

29/3/2023, 1:17:49node: Oauth2msg : Object

{ _msgid: “97579d0a8be6f83d” }

29/3/2023, 1:17:49node: Oauth2msg : Object

object

_msgid: “97579d0a8be6f83d”

oauth2Request: object

access_token_url: “https://api.danalock.com/oauth2/token”

credentials: object

For api access mfa should not be required.

I’m rebuilding the solution from scratch. There will be no need for custom nodes in the next version.

Thank you, I understand that the error is due to some update from the DANALOCK team. There is no early solution.

Hi Erik and all

I installed my Danalock (BT version only) last night - is it possible to get this working without the Bridge?

No, you need the bridge.

I was sure there is a bypass to “remote control” since this guy Controlling danalock via openhab using old android phone - Tutorials & Examples - openHAB Community has used an old phone to stand by near the lock and used the APIs to activate the lock

Thanks for sharing! It appears that method is very different.

Been having problems with this flow for a while now. Made some changes and also updated the flow and oauth node.
Now I get a “JSON parse error” on the Call API node, and the response on request is this:

{“type”:“RFC 7231 - Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content Media Type”,“status”:415,“traceId”:“00-e5112f13a6e871986f8b81094cd22069-725fcd8a240bae18-00”}

Does anyone know how to fix this?

You get an HTTP status 415 response because the request payload your oauth-node creates is not what the server expects.

I’m still working on my complete rewrite of the nodered flow. I target better logging, no need for 3rd party nodes e.g. the oauth-node, and more robust operation. Need a couple of weeks more to get it in releasable shape.

Hi, any news on this update? thank you

Hi! Yes! Or almost :slight_smile:

I have been running a complete rewrite of the solution at home for a couple weeks. Will soon make it available for everyone :+1::blush:

Please, do so!! Christmas gift?

any news on an ETA?

Hi @BrianMay, I’ve just released the new major version to Github! :gift:

Please do a complete reinstall since the URLs have probably changed, and the way the flow needs to be set up differs a bit compared to the previous version.

See gechu/unofficial-danalock-web-api (github.com) for more info.

Enjoy!


Only today did I find the time to test this.

Since the node-red file is now somewhere else (addon-configs folder), I changed the location of the file danalock.cfg (which I created using nano) in the “read danalock.cfg” to /config/danalock.cfg

I now get all of this in the debug area:

05/01/2024, 14:58:36msg : string[567]

“↔↔---------------------------------------------------------------------↔Your flow credentials file is encrypted using a system-generated key.↔↔If the system-generated key is lost for any reason, your credentials↔file will not be recoverable, you will have to delete it and re-enter↔your credentials.↔↔You should set your own key using the ‘credentialSecret’ option in↔your settings file. Node-RED will then re-encrypt your credentials↔file using your chosen key the next time you deploy a change.↔---------------------------------------------------------------------↔”

05/01/2024, 14:58:37node: A1msg : Object

{ _msgid: “b148854fd26b5187”, filename: “/config/danalock.cfg”, payload: "{↔ “username”: “******” }

05/01/2024, 14:58:37node: A2msg : Object

{ _msgid: “b148854fd26b5187”, filename: “/config/danalock.cfg”, payload: object }

05/01/2024, 14:58:38node: B2msg : Object

{ _msgid: “b148854fd26b5187”, filename: “/config/danalock.cfg”, payload: object, source: “auth in”, _linkSource: array[1] 
 }

05/01/2024, 14:58:38node: C1msg : Object

{ _msgid: “b148854fd26b5187”, filename: “/config/danalock.cfg”, payload: array[1], source: “locks in”, headers: object 
 }

twitter outD3Init flow variables, auth + retrieve list of locks

This will update all Home Assistant nodes to the current schema. This is not required for the nodes to function.

Nodes with yellow labels need to be updated before they can be edited. This can be done by either opening each node individually in the Node-RED editor or running this command.

Attention: It is recommended to back up your flows before doing an update of all Home Assistant nodes.