Getting Bad Request (HTTP 400) Error about robinhood HOT 14 CLOSED

Thanks for the info. Looks like something changed with the API. I'll check it out this weekend and see if I can get a patch quickly.

from robinhood.

Edit: After directly trying the api_login() function with v1.6.2, I can login correctly, however, with the same mfa code in the Robinhood() function I get the tbl_vars error. No idea what that means but figured it might be helpful in diagnosing the issue. Thanks again for the great package!

I tried downgrading to 1.6.2 and using the api_login function. It doesn't work for me. I can confirm your tbl_vars error when going 1.6.2 route.

I upgraded back to 1.6.5 from Github and dug into the api_login function. What I did find is the following error by tracing the function to the line dta <- httr::POST(url) . Calling the following yields a detailed error message:

> dta
$detail
[1] "This version of Robinhood is no longer supported. Please update your app or use Robinhood for Web to log in to your account."

I'm reaching the edge of my troubleshooting depth at this point. Maybe someone can pick it up from here?

from robinhood.

Same issue here as of this morning PT.

from robinhood.

Edit: After directly trying the api_login() function with v1.6.2, I can login correctly, however, with the same mfa code in the Robinhood() function I get the tbl_vars error. No idea what that means but figured it might be helpful in diagnosing the issue. Thanks again for the great package!

from robinhood.

All,

I found a temporary solution in the meantime but having trouble passing the MFA code into the payload. The following will work when the MFA is not required.

1. We first need to modify the api_login function:

note: Not sure if the device_token & al_pk is unique to each user? Also not sure if all headers are required but those are the ones I found.

base_api_login = function (username, password, mfa_code) 
{
  RH <- list(api_grant_type = "password", api_client_id = "c82SH0WZOsabOXGP2sxqcj34FxkvfnWRZBKlBjFS")

  PAYLOAD <- list(
    al_pk= "7F867EDC-C71B-467F-B0A1-8DCBA5D4D2E3",
    client_id= "c82SH0WZOsabOXGP2sxqcj34FxkvfnWRZBKlBjFS",
    device_token= "a1c884f5-a03b-4255-9efb-b28ad0fc8dff",
    expires_in= 86400,
    grant_type= "password",
    password= password,
    scope= "internal",
    username= username)
  
  dta <- POST(url='https://api.robinhood.com/oauth2/token/', 
              httr::add_headers(`accept` = "*/*",
                                `accept-encoding` = 'gzip, deflate, br',
                                `accept-language` = 'en-US,en;q=0.9,es;q=0.8',
                                `content-length` = 285,
                                `content-type` = 'application/json',
                                `origin` = 'https://robinhood.com',
                                `referer` = 'https://robinhood.com/',
                                `sec-ch-ua` = '"Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"',
                                `sec-ch-ua-mobile` = '?0',
                                `sec-ch-ua-platform` = "macOS",
                                `sec-fetch-dest` = 'empty',
                                `sec-fetch-mode` = 'cors',
                                `sec-fetch-site` = 'same-site',
                                `user-agent` = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36',
                                `x-robinhood-api-version` = '1.431.4'
              ), body = toJSON(PAYLOAD, auto_unbox = TRUE), encode = "json")
  
  RH$tokens.access_token = httr::content(dta)$access_token
  RH$tokens.refresh_token = httr::content(dta)$refresh_token
  return(RH)
}

2. Next I modified the RobinHood function to add our modified api_login function:

base_RobinHood = function (username, password, mfa_code = NULL) 
{
  mfa_code <- ifelse(is.null(mfa_code), "000000", mfa_code)
  RH <- base_api_login(username, password, mfa_code)
  accounts <- api_accounts(RH)
  url_account_id <- accounts$url
  RH <- c(RH, url = list(account_id = url_account_id))
  if (is.null(RH$tokens.access_token)) {
    cat("Login not successful, check username and password.")
  }
  class(RH) <- "RobinHood"
  return(RH)
}

3. Login by passing in your username and password:

RH <- base_RobinHood(username,password)

from robinhood.

So far I have not been able to figure it out. I have been trying to mimic the same process as the web login which i can see with the debug tools in Firefox, which has worked in the past, but doing so now doesnt seem to change the error message. I have not tried turning MFA off yet.

I can confirm that my device_token is different, but the al_pk is a new parameter that has been added. Im not sure where the API version is coming from in the payload that is triggering the response. I wonder if maybe its the application_id. Ill admit that most of the login stuff I learned from looking at the other github robinhood packages and all of those static values i grabbed from other people looking through the JS.

Ill keep looking at it, and seeing if I can find references to this being an issue with the python equivalent package.

from robinhood.

All,

I found a temporary solution in the meantime but having trouble passing the MFA code into the payload. The following will work when the MFA is not required.

1. We first need to modify the api_login function:

note: Not sure if the device_token & al_pk is unique to each user? Also not sure if all headers are required but those are the ones I found.

base_api_login = function (username, password, mfa_code) 
{
  RH <- list(api_grant_type = "password", api_client_id = "c82SH0WZOsabOXGP2sxqcj34FxkvfnWRZBKlBjFS")

  PAYLOAD <- list(
    al_pk= "7F867EDC-C71B-467F-B0A1-8DCBA5D4D2E3",
    client_id= "c82SH0WZOsabOXGP2sxqcj34FxkvfnWRZBKlBjFS",
    device_token= "a1c884f5-a03b-4255-9efb-b28ad0fc8dff",
    expires_in= 86400,
    grant_type= "password",
    password= password,
    scope= "internal",
    username= username)
  
  dta <- POST(url='https://api.robinhood.com/oauth2/token/', 
              httr::add_headers(`accept` = "*/*",
                                `accept-encoding` = 'gzip, deflate, br',
                                `accept-language` = 'en-US,en;q=0.9,es;q=0.8',
                                `content-length` = 285,
                                `content-type` = 'application/json',
                                `origin` = 'https://robinhood.com',
                                `referer` = 'https://robinhood.com/',
                                `sec-ch-ua` = '"Not A;Brand";v="99", "Chromium";v="100", "Google Chrome";v="100"',
                                `sec-ch-ua-mobile` = '?0',
                                `sec-ch-ua-platform` = "macOS",
                                `sec-fetch-dest` = 'empty',
                                `sec-fetch-mode` = 'cors',
                                `sec-fetch-site` = 'same-site',
                                `user-agent` = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36',
                                `x-robinhood-api-version` = '1.431.4'
              ), body = toJSON(PAYLOAD, auto_unbox = TRUE), encode = "json")
  
  RH$tokens.access_token = httr::content(dta)$access_token
  RH$tokens.refresh_token = httr::content(dta)$refresh_token
  return(RH)
}

2. Next I modified the RobinHood function to add our modified api_login function:

base_RobinHood = function (username, password, mfa_code = NULL) 
{
  mfa_code <- ifelse(is.null(mfa_code), "000000", mfa_code)
  RH <- base_api_login(username, password, mfa_code)
  accounts <- api_accounts(RH)
  url_account_id <- accounts$url
  RH <- c(RH, url = list(account_id = url_account_id))
  if (is.null(RH$tokens.access_token)) {
    cat("Login not successful, check username and password.")
  }
  class(RH) <- "RobinHood"
  return(RH)
}

3. Login by passing in your username and password:

RH <- base_RobinHood(username,password)

FWIW, this didn't work for me. The client_id was the same for sure, but I couldn't verify whether al_pk or device_token were the same.

from robinhood.

So.. i have a partial workaround. I did confirm that if you login through the browser and use the debug tools to see your POST command, you can copy the token out of your browser and replace the value in your current RH object. Or you can just build one. You technically only need the access_token.

access_token <- "********"
  
RH <- list(tokens.access_token = access_token)
 
class(RH) <- "RobinHood"

I will keep messing with the login api. The al_key and al_token are puzzling me. I use postman to test and debug the apis. Im going to try copy all of the headers to make sure its not something there. Hopefully the above workaround keeps everyone going in the meantime. If someone needs more details of seeing their token in the browser tools I can post some screenshots of how to see it through firefox. Just let me know.

from robinhood.

Actually, i have figured it out... the format of the API has changed.. instead of passing most of the inputs as parameters, you now have to pass all of those credentials with the body. I was able to get this to work in Postman. I will replicate in R and git something out to test on the github version shortly.

al_key and al_token do not appear to be required. I think they are related to how the web login works. device_token does look like a new variable that has been added. It looks like you can pass any uuid value and it will work fine. I will set up the function to pass a random one for each login (although I was able to use the same ID for multiple login attempts).

from robinhood.

Thanks for digging into this, @JestonBlu! Were you able to replicate in R yet?

from robinhood.

For what it's worth, the access token workaround worked for me for get_quote(), but for get_contracts() I am still getting the following error:

Error in RobinHood::api_contracts(RH, chain_symbol, type) :
Unauthorized (HTTP 401).

from robinhood.

Yeah, i am just finishing up a fix. In the end I had to rewrite the login in function. I have temporarily disabled not using an MFA. I also redesigned the RH object to have more transparency about what the API response is returning. I have a test script and all but 2 functions failed (those are related to ACH so ill look at that separate). Would appreciate some testing to see if anything else isnt working right.

from robinhood.

from robinhood.

Hi All - thanks for publishing this fix so promptly. However, I tried updating to the latest github version (1.6.7) but am still getting 400 Bad Request in my api_login function. I turned on MFA and tried entering the code as a string and as a numeric but neither seems to work.

Any ideas on what could still be causing the issue? Is there a way to look in the "dta" object for a 400 error "reason"?

from robinhood.