endpoints.md

StarHub Application Endpoints

Updates

December 2019 endpoint update (link to markdown file)

Note: HTTP Headers

StarHub's endpoints require a specific User-Agent and x-sh-msa-version value. If either value is outdated, incorrect or missing, the endpoint might not work or might return an Internal Server Error.

Currently the User-Agent is 870330a7f6fe26b489e0f353753504ad and the x-sh-msa-version is 5.1.15.

Authentication Sequence

After some trial and error, the authentication flow was found to be structured as follows:

  1. https://login.starhubgee.com.sg/msso/mapp/api/login (a.k.a MSSO)
    • Retrieve user_token from response (see MSSO Login reference)
    • Even though the payload contains an expiry field, it seems the user_token can still be used after it has expired
  2. https://fapi.starhub.com/MyStarhub/login/esso (a.k.a ESSO)
    • Using user_token retrieve utoken from response (see ESSO Login reference)

endpoint sequence diagram
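
A client-side guard for the expiry observation above, as an added example (not code from this repository): it parses an MSSO response and releases user_token for the ESSO step only before the stated expiry. It assumes expiry and time_issued are Unix epoch milliseconds; the sample body and the names parse_msso, token_for_esso and TokenError are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

MSSO_SUCCESS = 1000  # ret_code shown in the MSSO success response
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: field names and timestamps as in the MSSO success
# response on this page, with a placeholder token value.
SAMPLE_MSSO_BODY = json.dumps({
    "expiry": 1529138910047,
    "ret_code": 1000,
    "ret_msg": "Success",
    "time_issued": 1529137110047,
    "user_token": "CONSTRUCTED-PLACEHOLDER",
})


class TokenError(Exception):
    """Raised when the MSSO response must not be used for the ESSO step."""


def _from_ms(value):
    # Assumption: expiry/time_issued are Unix epoch milliseconds (13 digits).
    return EPOCH + timedelta(milliseconds=value)


def parse_msso(body):
    """Return (user_token, time_issued, expiry) from an MSSO response body."""
    data = json.loads(body)
    if data.get("ret_code") != MSSO_SUCCESS:
        raise TokenError(f"MSSO login failed: {data.get('ret_code')} {data.get('ret_msg')}")
    token = data.get("user_token")
    if not token:
        raise TokenError("response has no user_token")
    try:
        issued, expiry = _from_ms(data["time_issued"]), _from_ms(data["expiry"])
    except (KeyError, TypeError) as exc:
        raise TokenError("missing or non-numeric time_issued/expiry") from exc
    if expiry <= issued:
        raise TokenError("expiry is not after time_issued")
    return token, issued, expiry


def token_for_esso(body, now=None):
    """Hand out user_token only before its stated expiry, so the client
    re-authenticates instead of relying on the server accepting a stale token."""
    token, _issued, expiry = parse_msso(body)
    if (now or datetime.now(timezone.utc)) >= expiry:
        raise TokenError("user_token is past its expiry; log in again")
    return token
```

With the timestamps from the sample response, the stated token lifetime works out to 30 minutes.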

Endpoint Reference

MSSO Login

  • URL

    https://login.starhubgee.com.sg/msso/mapp/api/login

  • Method:

    POST

  • Headers

    'User-Agent': '870330a7f6fe26b489e0f353753504ad'

  • Data Params

    JSON

    {
      "site_id": "mystarhub",
      "user_id": "[email protected]",
      "user_password": "---REDACTED---"
    }
  • Success Response:

    • Code: 200
      Content: JSON

      {
          "expiry": 1529138910047,
          "ret_code": 1000,
          "ret_msg": "Success",
          "session_id": "---REDACTED---",
          "sso_token": "---REDACTED---",
          "time_issued": 1529137110047,
          "user_data": {
              "dob": "---REDACTED---",
              "email": "[email protected]",
              "gender": "---REDACTED---",
              "name": "---REDACTED---",
              "nick_name": "null",
              "status": "bill_associated",
              "uuid": "[email protected]"
          },
          "user_id": "[email protected]",
          "user_token": "---REDACTED---"
      }

ESSO Login

  • URL

    https://fapi.starhub.com/MyStarhub/login/esso

  • Method:

    POST

  • Headers

    'User-Agent': '870330a7f6fe26b489e0f353753504ad'

  • Data Params

    JSON

    {
        "essoLogin": {
            "loginId": "[email protected]",
            "siteId": "mystarhub",
            "siteKey": "1q23TypKwgba7984",
            "vctk3": "---REDACTED---"
        }
    }
  • Success Response:

    • Code: 200

    • Content: JSON

      {
          "attachment": null,
          "irid": "IR00057",
          "mainContext": { ... },
          "subContext": [],
          "updatedOn": null,
          "userDetails": {
              ...
              "permission": null,
              "perxUToken": null,
              "prepaid": false,
              "uid": "[email protected]",
              "utoken": "---REDACTED---",
              "utype": "HUBID"
          }
      }

Data Endpoint

Tools Used

mitmproxy (mitmweb) was used to capture and inspect the network requests made by the mobile application.

Guide for setting up mitmproxy with an iOS device: https://jasdev.me/intercepting-ios-traffic

Note: For iOS devices, an additional step is required: https://docs.mitmproxy.org/stable/concepts-certificates/#installing-the-mitmproxy-ca-certificate-manually