Accessing Lime API by email #253

Closed
sean-mooney-jcbs opened this issue Oct 13, 2022 · 13 comments

@sean-mooney-jcbs
sean-mooney-jcbs commented Oct 13, 2022

I'm able to access the Lime API with a phone number but not with an email address. The command I'm using is:
requests.post("https://web-production.lime.bike/api/rider/v2/onboarding/magic-link/email=email_address@gmail.com&user_agreement_country_code=US&user_agreement_version=4")
This is giving a 404 error (same with replacing '@' with '%40').
My understanding from the documentation is that I should be emailed a token which can then be used to access the API.

Can someone explain what I'm doing wrong please?

Edit:
I've also tried using the pycurl package but again, I'm not sure why it isn't working (403 error):

import pycurl
from urllib.parse import urlencode

c = pycurl.Curl()
c.setopt(c.URL, 'https://web-production.lime.bike/api/rider/v2/onboarding/magic-link/')
# The dict below is sent as the form body exactly as posted in the question
data = {'Content-Type': 'application/x-www-form-urlencoded; charset=utf-8',
        'email': 'email_address%40gmail.com&user_agreement_country_code=US&user_agreement_version=4'}
pf = urlencode(data)

c.setopt(c.POSTFIELDS, pf)
c.perform()
print(f'Response Code: {c.getinfo(c.RESPONSE_CODE)}')
c.close()
@BastelPichi
Contributor

BastelPichi commented Oct 17, 2022

Hello,
You did some things wrong.
You added the data as params, like in a GET request, but you also forgot a ?. However, you're supposed to submit the data as the body. Also, you didn't set the correct headers, but this doesn't matter here. Here's some functioning code:

import requests

data = {
  "email": "nospam@pichisdns.com",
  "user_agreement_country_code": "US",
  "user_agreement_version": 4
}

r = requests.post("https://web-production.lime.bike/api/rider/v2/onboarding/magic-link", data=data)

print(r.json())

# returns {'errors': [{'status': 'send_magic_link_user_unavailable', 'title': 'Hmm...', 'detail': "We couldn't find an existing Lime account with this email. Please check the email entered or sign up for a new account using another method.", 'data': {}}]}
# If successful, returns {}
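
Where the fields end up in each attempt from this thread, as an added example that is not part of the original comments: it only builds and parses the URLs and bodies offline with the standard library and sends nothing. The helper name `where_are_fields` and the address `rider@example.com` are constructed for illustration.

```python
from urllib.parse import urlsplit, urlencode, parse_qs

# Endpoint as quoted in the thread; the address is a constructed sample.
BASE = "https://web-production.lime.bike/api/rider/v2/onboarding/magic-link"
EMAIL = "rider@example.com"


def where_are_fields(url, body=""):
    """Return (path, query fields, body fields) as a form parser would see them."""
    parts = urlsplit(url)
    return parts.path, parse_qs(parts.query), parse_qs(body)


def first_attempt():
    # No "?" separator: the parameters are glued onto the path, so there is
    # no query string and no body, only a longer (unknown) route.
    url = (BASE + "/email=" + EMAIL
           + "&user_agreement_country_code=US&user_agreement_version=4")
    return where_are_fields(url)


def pycurl_attempt():
    # urlencode() is applied to a dict that mixes a header name with fields
    # that were already encoded and joined by hand. The result is two form
    # fields: a bogus "Content-Type" field and one "email" field whose value
    # still contains a literal "%40" and the other two parameters.
    data = {
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "email": "rider%40example.com&user_agreement_country_code=US"
                 "&user_agreement_version=4",
    }
    return where_are_fields(BASE + "/", urlencode(data))


def working_form():
    # What requests builds for data=<dict>: three separate form fields,
    # each encoded exactly once, in the request body.
    fields = {
        "email": EMAIL,
        "user_agreement_country_code": "US",
        "user_agreement_version": 4,
    }
    return where_are_fields(BASE, urlencode(fields))


if __name__ == "__main__":
    for attempt in (first_attempt, pycurl_attempt, working_form):
        path, query, body = attempt()
        print(attempt.__name__, "\n  path: ", path,
              "\n  query:", query, "\n  body: ", body)
```
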

@sean-mooney-jcbs
Author

Thanks for your help. While I think I see where I went wrong I must still be missing something because I can't use the code I'm emailed to access the API.

From what I can see login should work the same way but the data dictionary should only contain the code I'm emailed. So when I get the email at the bottom I should do the following?

data = {"magic_link_token": "tak51fgzbbmc2gqkjKASZXnL"}
r = requests.post("https://web-production.lime.bike/api/rider/v2/onboarding/login", data=data)

However, this is giving a 422 error code with the following output:
'{"errors":[{"status":"bad_argument_error","title":"Hmm...","detail":"Sorry, we can\'t process the request at the moment. Please try again later.","data":{}}]}'

Specifically it's giving a bad_argument_error but there's only one argument which looks to me like the code I'm using is wrong but I'm copying and pasting it directly from the email so I'm not sure what's wrong here.

@BastelPichi
Contributor

Can help you tomorrow.

@sean-mooney-jcbs
Author

If you have the time, I'd really appreciate it (if not though, no worries). I've been looking at a few bike share schemes recently and this is the only one I've been having issues with.

@BastelPichi
Contributor

Sorry, completely forgot it. Will fix this later (pinky promise)

@sean-mooney-jcbs
Author

That's no problem. As you can probably tell I'm not too time pressured.

@BastelPichi
Contributor

Yeah... Now I forgot it, but I will hopefully get this tomorrow lol

@BastelPichi
Contributor

Now I'm here. Gimme 20min...

@BastelPichi
Contributor

So, here's what I found out:

  • Lime has some very weird anti-sniffing technologies, as no requests fail, but you also don't receive anything if you try to sniff the HTTP traffic, while at the same time the app is fully functional
  • If you try SSL unpinning, the app is completely broken
  • If the token is wrong, it gives a different error.

I'll try again tomorrow.

@sean-mooney-jcbs
Author

I'm finding that not receiving anything makes debugging this very difficult as I don't know where to start and I find that that effectively makes it a black box (to me at least).

@BastelPichi
Contributor

Yep. Normally, if there's explicit SSL pinning, it doesn't work at all, and you can see a Connection aborted error in your sniffing software. I'll try with some older version. However, from previous posts it appears that at least back then sniffing on iOS is way easier. I do not have any iOS phone, or even PC, but if you do, would be cool if you could try it out.

@BastelPichi
Contributor

BastelPichi commented Nov 5, 2022

Got it. The trick is to set up your proxy after the initial launch of the app.

Here's a working script. You might need the x-device-token for later requests.

import uuid
import requests

device_token = str(uuid.uuid4())
print("UUID:", device_token, "\n")

headers = {
    "x-device-token": device_token
}

data = {"magic_link_token": "ASJybRiOdiuZKYNhthSQyMKH"}
r = requests.post("https://web-production.lime.bike/api/rider/v2/onboarding/login", data=data, headers=headers)

print(r.json())

@sean-mooney-jcbs
Author

Works perfect. Thanks a million. I really appreciate your help. I'll keep this in mind for future APIs I'll be using.
