fix: device flow client_id, form-encoded auth body, expired token fallback #314
Open
manW13-be wants to merge 2 commits into
…lback
- Add `client_id` parameter to `Http.__init__` and `Tado.__init__`, defaulting to `CLIENT_ID_DEVICE`. Removes the need to monkey-patch the module global for custom client IDs.
- Fix verification URL to include `client_id` query param (required by login.tado.com — omitting it causes `missing_client_id` rejection).
- Fix `_refresh_token`, `_login_device_flow`, and device polling to use form-encoded body (`application/x-www-form-urlencoded`) instead of query params + empty JSON body. The Tado auth server requires a form body; the previous format silently failed.
- Add missing `else` branch in `__init__`: when a saved token exists but the refresh fails (expired), fall back to a new device flow instead of staying in `NOT_STARTED` indefinitely.
7b55319 to 34ae9cf
Owner
@manW13-be willing to fix the CI/Lint and tests?
Token refresh now sends params as form-encoded body, not query string.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Four bugs affecting the OAuth2 device flow and token refresh, confirmed against `login.tado.com` in production.

Bug 1 — Verification URL missing `client_id`
`device_verification_url()` returned a URL with only `user_code`. Opening it in a browser causes `login.tado.com` to reject the session with `missing_client_id`. Fixed: both `user_code` and `client_id` are now included.

Bug 2 — `NOT_STARTED` when saved token is expired
When a token file existed but the refresh failed (expired token), there was no fallback — status stayed `NOT_STARTED` indefinitely. Fixed: added the missing `else` branch to start a new device flow in that case.

Bug 3 — `client_id` as constructor parameter
The only way to pass a custom `client_id` was to monkey-patch `PyTado.const.CLIENT_ID_DEVICE`, a module-level global shared across all instances. Fixed: `Http.__init__` and `Tado.__init__` now accept `client_id=None`, defaulting to `CLIENT_ID_DEVICE` if not provided.

Bug 4 — Auth requests sent as query string + empty JSON body
`_refresh_token`, `_login_device_flow`, and device polling sent parameters via `params=` (query string) with `data=json.dumps({})` and `Content-Type: application/json`. The Tado auth server requires `application/x-www-form-urlencoded`. Fixed on all three call sites.

Test plan
- `user_code` and `client_id`
- `NOT_STARTED`
- `Tado(client_id="custom-id")` works without patching `PyTado.const`
- `login.tado.com`)
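
The request shapes from Bug 1 and Bug 4, as an added example that is not part of this pull request or of PyTado's code: it builds the device-flow verification URL and the token requests offline with the standard library, and audits a request for the query-string plus empty-JSON shape. The endpoint URLs, client id, token values and all function names are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Placeholder endpoints and ids (assumptions), not Tado's real values.
TOKEN_URL = "https://auth.example.test/oauth2/token"
VERIFY_URL = "https://auth.example.test/oauth2/device"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"  # RFC 8628
FORM = "application/x-www-form-urlencoded"


def build_verification_url(user_code, client_id):
    """Browser URL that carries both user_code and client_id."""
    return VERIFY_URL + "?" + urlencode({"user_code": user_code, "client_id": client_id})


def token_request(**fields):
    """POST whose grant parameters travel in a form-encoded body."""
    body = urlencode(fields).encode()
    return Request(TOKEN_URL, data=body, headers={"Content-Type": FORM}, method="POST")


def refresh_request(client_id, token):
    return token_request(client_id=client_id, grant_type="refresh_token", refresh_token=token)


def poll_request(client_id, device_code):
    return token_request(client_id=client_id, grant_type=DEVICE_GRANT, device_code=device_code)


def audit(req):
    """List what is wrong with a token request; an empty list means it is well-formed."""
    problems = []
    if urlsplit(req.full_url).query:
        problems.append("parameters in query string")  # URLs are commonly logged
    if req.get_header("Content-type") != FORM:  # urllib capitalizes header names
        problems.append("body is not form-encoded")
    if "grant_type" not in parse_qs((req.data or b"").decode()):
        problems.append("grant_type missing from body")
    return problems


# Constructed "before" request: query-string parameters plus an empty JSON body.
LEGACY = Request(TOKEN_URL + "?client_id=demo-client&grant_type=refresh_token&refresh_token=r1",
                 data=b"{}", headers={"Content-Type": "application/json"}, method="POST")


if __name__ == "__main__":
    print("before:", audit(LEGACY))
    print("after: ", audit(refresh_request("demo-client", "r1")))
```

The same `audit` check can run in a unit test against whatever request object an HTTP layer prepares, so a regression to query-string credentials fails CI instead of failing silently against the auth server.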