Gist huwcbjones/c28258df527e269601a950143dea450b, last active June 15, 2020 22:05
```python
from hashlib import md5
from typing import Any, Dict

from requests import Session
from zeep import Client
from zeep.transports import Transport

# Service credentials recovered from the client application (see the comment below).
SS_USER = "sportsys"
SS_PASS = "HC2PjscZxTzenWsxw3573R5npnQvPRnAW5AHpCZ7cfxDgjmPzNTZy2BfmpvQJ2qR"
# Per-user values; the zeroed key and member number 0 are placeholders.
PERSONAL_KEY = "00000000-00000000-00000000-00000000"
PERSONAL_KEY_MEMBER = 0

# The SOAP endpoint keys off the User-Agent the desktop client sends.
transport = Transport(session=Session())
transport.session.headers["User-Agent"] = "Meet Organisation Rev 5.3 Web Services"
uri = "https://entriesapi.swimmingresults.org/v1/?wsdl"
client = Client(uri, transport=transport)


def get_credential(value: str) -> str:
    """The service expects the hex MD5 of each credential, not the raw value."""
    hash_obj = md5()
    hash_obj.update(value.encode())
    return hash_obj.hexdigest()


def get_member(member_id: int) -> Dict[str, Any]:
    """Look up a single member record via the MembDetailsSingleMembV2 operation."""
    return client.service.MembDetailsSingleMembV2(
        get_credential(SS_USER),
        get_credential(SS_PASS),
        MemberID=member_id,
        PersonalKey=PERSONAL_KEY,
        PersonalKeyMembershipNumb=PERSONAL_KEY_MEMBER,
    )
```
Top tip for anybody who ventures here, the above example is why you build a good, open API and licence it properly instead of trying to monopolise your proprietary crap. If someone has enough determination, they will break it. It's not a question of if, but more when. You can always throw more obstacles in the way and done correctly, that will only increase the amount of time it will take.
If you want to stop people from breaking your stuff, then you need to take a step back and ask what it is that they want and how you can fill that need. A good example is game piracy. A while ago (in the dark ages) game piracy was a problem for developers with their proprietary DRM, always-on phoning home to check your copy is legit. Then Steam came along and piracy dropped. As Gabe Newell said, "We think there is a fundamental misconception about piracy. Piracy is almost always a service problem and not a pricing problem". This is why you need to take a step back and figure out the better way to give people access to the stuff you have.
Anyway, the moral of the story is to never, under any circumstances, embed secrets in client executables, as it is trivial to extract them if you know how. This is why you should never embed OAuth secrets in client applications and why this workflow is different (see OAuth 2.0 for Browser-Based Apps (Draft)).
This quote was directed at web apps, but it applies to any context where the client has been sent code to run. It doesn't matter if it's compiled or obfuscated, as a willing client can perform a MITM attack on themselves to see what's going on the wire.
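The "different workflow" the comment points at is the authorization code flow with PKCE (RFC 7636), where a public client proves possession of a one-time random verifier instead of a baked-in secret. The following is an added illustration, not code from the gist or from the draft: a PKCE verifier/challenge pair plus a minimal in-memory stand-in for the authorization server (`AuthServer` and `run_flow` are assumed names) showing why a captured challenge or code alone is useless to an observer on the wire.

```python
import base64
import hashlib
import secrets
from typing import Dict, Optional, Tuple


def b64url(data: bytes) -> str:
    """Unpadded base64url as required by RFC 7636."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Fresh high-entropy verifier; 32 random bytes encode to 43 chars (RFC minimum)."""
    return b64url(secrets.token_bytes(nbytes))


def make_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization-server check: recompute the challenge and compare in constant time."""
    if method != "S256" or not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(make_challenge(presented_verifier), stored_challenge)


class AuthServer:
    """Toy authorization server holding pending codes in memory (constructed for the example)."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, str, str]] = {}

    def authorize(self, client_id: str, challenge: str, method: str = "S256") -> str:
        code = secrets.token_urlsafe(24)          # what the redirect would carry
        self._pending[code] = (client_id, challenge, method)
        return code

    def token(self, client_id: str, code: str, verifier: str) -> Optional[str]:
        entry = self._pending.pop(code, None)     # codes are strictly single-use
        if entry is None or entry[0] != client_id:
            return None
        return secrets.token_urlsafe(32) if verify_pkce(entry[1], entry[2], verifier) else None


def run_flow(server: AuthServer, client_id: str = "public-app") -> Tuple[str, str, Optional[str]]:
    """Client side: no secret, only a verifier that never leaves the device until redemption."""
    verifier = make_verifier()
    code = server.authorize(client_id, make_challenge(verifier))
    return code, verifier, server.token(client_id, code, verifier)
```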