To many request to wyze server.

[jfarmer08]

jfarmer08/homebridge-wyze-smart-home#215

[jfarmer08]

@hgoscenski If you have time to look into this that would be great.

[hgoscenski]

@jfarmer08 my suspicion is this is related to the password reset emails received by many users on January 31st.

The email I received from Wyze indicated my password was reset on the 31st. If it was reset at 0000 on the 31st, then 2300 on the 1st would be a reasonable time to see expiration.

Looking at the graph shown in jfarmer08/homebridge-wyze-smart-home#215 (comment) it seems that the rate of logins didn't scale up all at once, but rather over the course of an hour (presumably before the Wyze team blocked the user agent), I am guessing that this is scaling up as refresh tokens expired and/or stopped working due to the forced password resets. Though of course this is purely a guess.

In addition there appeared to be a change in the response of the refreshToken api, with the "msg": "SUCCESS" which led to (in my case at least) it attempting to perform a login every time.

We may want to perform an exponential backoff for the retries, I can see about putting together a PR to provide that functionality.
Perhaps a exponential backoff up to 5-10 minutes? This would help prevent accidentally DOSing the Wyze servers, while still allowing any individual user a reasonable retry rate.

Unfortunately until users update or turn off the plugin in their homebridges I suspect that User-Agent will have to remain blocked.

[jfarmer08]

That's brings up a great question. I will ask the wyze team. @xcz011 where all users passwords reset or just a subset of customers? Maybe just users using this user agent?

[xcz011]

@hgoscenski Thanks for checking on this issue.

• I would check internally what triggered the 1/31 reset password with our security team and report back here.
• About the refresh token, I didn't see any change related to this endpoint. Do you mind sharing a little bit more detail?
• Also if you got reset password email on 1/31, do you mind forward that email to me ?

Additionally, I noticed one user reported his https://camect.com/ broked as well, which leads me to believe camect may refer to this package as well for its integration with Wyze.
https://forums.wyze.com/t/api-wont-login/288805/6
cc @jfarmer08

[hgoscenski]

@xcz011 i am referencing these errors mentioned here:
jfarmer08/homebridge-wyze-smart-home#208 (comment)

They seem to have started after the header was blocked, though I can check my logs tomorrow from the plugin and see the first time I can see those particular failures.

The reason I indicate that it is an api change is the plugin treated (almost) any value in the msg field as a failure. I would assume that if this had been a preexisting bug an issue likely would have been raised, but that is conjecture.

This change was part of the fix here:
https://github.com/jfarmer08/wyze-api/pull/3/files

[hgoscenski]

@xcz011 I checked my logs, I have logs from approximately the previous 2 weeks before the end of January.

I only saw the Error: SUCCESS message starting on the 2nd.

[06:51:40] ~/wyze-homebridge λ grep SUCCESS ~/Downloads/homebridge.log.txt | head -1
[2/2/2024, 3:54:16 PM] [Wyze Smart home] Error: SUCCESS

[06:51:46] ~/wyze-homebridge λ head -1 ~/Downloads/homebridge.log.txt
com","conn_state":1,"conn_state_ts":1705279393072,"device_params":{"sw

[06:52:17] ~ λ date -r 1705279393
Sun Jan 14 18:43:13 CST 2024

[xcz011]

@hgoscenski

looks like this error message from this line https://github.com/jfarmer08/wyze-api/blob/main/src/index.js#L145
But result.data.msg is actually SUCCESS

Do you know why ?

[xcz011]

but we do have a small change on get_object_list response.

[jfarmer08]

@hgoscenski

looks like this error message from this line https://github.com/jfarmer08/wyze-api/blob/main/src/index.js#L145 But result.data.msg is actually SUCCESS

Do you know why ?

This is only throwing an error if its not Success

if (result.data.msg == "DeviceIsOffline" || result.data.msg == "SUCCESS") { return result } else
throw new Error(result.data.msg)

[jfarmer08]

but we do have a small change on get_object_list response.

What change are you referring to?

[hgoscenski]

@xcz011 previously there was no msg set, so the code was treating any value in the msg field as an error. This is what leads me to believe there was an API change, though it is certainly possible I am misattributing the location of the change.

Indeed, upon further analysis of the logs from my homebridge, this appears to be a change to the app/v2/home_page/get_object_list endpoint, rather than the refresh endpoint.

Looking at the logs, it appears when wyze-api would fail to fetch it would assume it was auth related, we can update this to help prevent that behavior. I've included an excerpt from my logs below.

[2/2/2024, 5:01:10 PM] [Wyze Smart home] Refreshing devices...
[2/2/2024, 5:01:10 PM] [Wyze Smart home] Performing request: app/v2/home_page/get_object_list
[2/2/2024, 5:01:11 PM] [Wyze Smart home] Error: SUCCESS
[2/2/2024, 5:01:11 PM] [Wyze Smart home] Error, refreshing access token and trying again
[2/2/2024, 5:01:11 PM] [Wyze Smart home] Performing request: app/user/refresh_token
[2/2/2024, 5:01:11 PM] [Wyze Smart home] /var/lib/homebridge/persist/wyze-63773091-e5d0-554a-8ba2-5a69db9191ee.json
[2/2/2024, 5:01:11 PM] [Wyze Smart home] Performing request: app/v2/home_page/get_object_list
[2/2/2024, 5:01:12 PM] [Wyze Smart home] Error, logging in and trying again
[2/2/2024, 5:01:12 PM] [Wyze Smart home] Performing request: api/user/login
[2/2/2024, 5:01:12 PM] [Wyze Smart home] /var/lib/homebridge/persist/wyze-63773091-e5d0-554a-8ba2-5a69db9191ee.json
[2/2/2024, 5:01:12 PM] [Wyze Smart home] Successfully logged into Wyze API
[2/2/2024, 5:01:12 PM] [Wyze Smart home] Performing request: app/v2/home_page/get_object_list
[2/2/2024, 5:01:13 PM] [Wyze Smart home] Error getting devices: Error: SUCCESS
[2/2/2024, 5:02:13 PM] [Wyze Smart home] Refreshing devices...
[2/2/2024, 5:02:13 PM] [Wyze Smart home] Performing request: app/v2/home_page/get_object_list
[2/2/2024, 5:02:14 PM] [Wyze Smart home] Error: SUCCESS
[2/2/2024, 5:02:14 PM] [Wyze Smart home] Error, refreshing access token and trying again
[2/2/2024, 5:02:14 PM] [Wyze Smart home] Performing request: app/user/refresh_token
[2/2/2024, 5:02:14 PM] [Wyze Smart home] /var/lib/homebridge/persist/wyze-63773091-e5d0-554a-8ba2-5a69db9191ee.json
[2/2/2024, 5:02:14 PM] [Wyze Smart home] Performing request: app/v2/home_page/get_object_list
[2/2/2024, 5:02:15 PM] [Wyze Smart home] Error, logging in and trying again
[2/2/2024, 5:02:15 PM] [Wyze Smart home] Performing request: api/user/login
[2/2/2024, 5:02:15 PM] [Wyze Smart home] /var/lib/homebridge/persist/wyze-63773091-e5d0-554a-8ba2-5a69db9191ee.json
[2/2/2024, 5:02:15 PM] [Wyze Smart home] Successfully logged into Wyze API
[2/2/2024, 5:02:15 PM] [Wyze Smart home] Performing request: app/v2/home_page/get_object_list
[2/2/2024, 5:02:16 PM] [Wyze Smart home] Error getting devices: Error: SUCCESS

[xcz011]

@hgoscenski
yes, we are returning SUCCESS in msg

I think this address the issue.

[jfarmer08]

I cannot remember why I even add this in the first place, so I removed it for now in a PR.

Without knowing all possible message that we could see it hard to code for it.

[hgoscenski]

@xcz011 I believe that did resolve the issue, however, I believe that change to the API, combined with the handling of the msg field in this code, may have led to more login requests than would otherwise be expected.

@jfarmer08's change will remove that entirely, which makes sense, given that we don't know all possible values for msg