Use AppAPI again, but with oauth2

Belongs to solectrus/senec-collector#639

Author: ledermann

.env.test

@@ -1,6 +1,6 @@
 SENEC_USERNAME=mail@example.com
 SENEC_PASSWORD=topsecret
-SENEC_SYSTEM_ID=0
+SENEC_SYSTEM_ID=999999
 
 SENEC_HOST=senec
 SENEC_SCHEMA=https

README.md

@@ -5,7 +5,7 @@
 
 # Unofficial Ruby Client for SENEC Home
 
-Access your local SENEC Solar Battery Storage System or the SENEC Cloud (mein-senec.de) from Ruby.
+Access your local SENEC Solar Battery Storage System or the SENEC Cloud (App API) from Ruby.
 
 **WARNING:** I'm not affiliated in any way with the SENEC company.
 
@@ -28,59 +28,16 @@ $ gem install senec
 ````ruby
 require 'senec'
 
-# Login to the SENEC cloud (mein-senec.de):
+# Build connection with your credentials
 connection = Senec::Cloud::Connection.new(username: 'me@example.com', password: 'my-secret-senec-password')
 
-# Get the Dashboard data of first systems (without knowing the ID):
-puts Senec::Cloud::Dashboard[connection].first.data
-
-# => {
-#   'wartungsplan' => {
-#     'possibleMaintenanceTypes' => [],
-#     'applicable' => false,
-#     'maintenanceDueSoon' => false,
-#     'maintenanceOverdue' => false,
-#     'minorMaintenancePossible' => false
-#   },
-#   'suppressedNotificationIds' => [],
-#   'steuereinheitState' => 'AKKU_VOLL',
-#   'wartungNotwendig' => false,
-#   'firmwareVersion' => 826,
-#   'gridimport' => {
-#     'today' => 0.0302734375,
-#     'now' => 0.0
-#   },
-#   'powergenerated' => {
-#     'today' => 30.94140625,
-#     'now' => 2.382683
-#   },
-#   'consumption' => {
-#     'today' => 5.501953125,
-#     'now' => 0.327035
-#   },
-#   'gridexport' => {
-#     'today' => 24.779296875,
-#     'now' => 2.032288
-#   },
-#   'accuexport' => {
-#     'today' => 2.55419921875,
-#     'now' => 0.0
-#   },
-#   'accuimport' => {
-#     'today' => 1.84619140625,
-#     'now' => 0.01752
-#   },
-#   'acculevel' => {
-#     'today' => 89.47079467773438,
-#     'now' => 100.0
-#   },
-#   'mcuOperationalModeId' => 2,
-#   'senecBatteryStorageGeneration' => 'V3',
-#   'machine' => 'MCU',
-#   'lastupdated' => 1_753_277_119,
-#   'state' => 13
-# }
+# List available systems (with their IDs)
+puts connection.systems
+# => {"id" => 999999, "controlUnitNumber" => "1234567890", ...
 
+# Get the current dashboard data for a specific system
+puts connection.dashboard(999999)
+# => {"currently" => {"powerGenerationInW" => 8539.603515625, "powerConsumptionInW" => 765.77, "gridFeedInInW" => 6451.11376953125, "gridDrawInW" => 0.0, "batteryChargeInW" => 1316.9090576171875, "batteryDischargeInW" => 0.0, "batteryLevelInPercent" => 88.88888549804688, "selfSufficiencyInPercent" => 100.0, "wallboxInW" => 0.0}, "today" => {"powerGenerationInWh" => 19687.5, "powerConsumptionInWh" => 4960.93, "gridFeedInInWh" => 15310.546875, "gridDrawInWh" => 28.3203125, "batteryChargeInWh" => 1175.78125, "batteryDischargeInWh" => 1732.421875, "batteryLevelInPercent" => 88.88888549804688, "selfSufficiencyInPercent" => 99.43, "wallboxInWh" => 0.0}, "timestamp" => "2025-07-26T10:55:07Z", "electricVehicleConnected" => false, "numberOfWallboxes" => 0, "systemId" => 999999, "systemType" => "V123", "storageDeviceState" => "CHARGING"}
 
 ### Local access (V2.1 and V3 only)
 

lib/senec.rb

@@ -4,6 +4,5 @@
 require 'senec/local/request'
 require 'senec/local/error'
 
-require 'senec/cloud/stats_overview'
-require 'senec/cloud/wallboxes'
+require 'senec/cloud/connection'
 require 'senec/cloud/error'

lib/senec/cloud/connection.rb

@@ -1,129 +1,192 @@
-require 'faraday'
-require 'json'
+require 'oauth2'
 
 module Senec
   module Cloud
-    BASE_URL = 'https://mein-senec.de'.freeze
+    CONFIG_URL =
+      'https://sso.senec.com/realms/senec/.well-known/openid-configuration'.freeze
+
+    CLIENT_ID = 'endcustomer-app-frontend'.freeze
+    REDIRECT_URI = 'senec-app-auth://keycloak.prod'.freeze
+    SCOPE = 'roles meinsenec'.freeze
+
+    SYSTEMS_HOST = 'https://senec-app-systems-proxy.prod.senec.dev'.freeze
+    MEASUREMENTS_HOST = 'https://senec-app-measurements-proxy.prod.senec.dev'.freeze
+    WALLBOX_HOST = 'https://senec-app-wallbox-proxy.prod.senec.dev'.freeze
 
     class Connection
       DEFAULT_USER_AGENT = "ruby-senec/#{Senec::VERSION} (+https://github.com/solectrus/senec)".freeze
-      MAX_REDIRECTS = 10
 
       def initialize(username:, password:, user_agent: DEFAULT_USER_AGENT)
         @username = username
         @password = password
         @user_agent = user_agent
-        @cookies = {}
       end
 
-      attr_reader :username, :password, :user_agent, :cookies
+      attr_reader :username, :password, :user_agent
+
+      def authenticate!
+        code_verifier = SecureRandom.alphanumeric(43)
+        digest = Digest::SHA256.digest(code_verifier)
+        code_challenge = Base64.urlsafe_encode64(digest).delete('=')
+
+        auth_url =
+          oauth_client.auth_code.authorize_url(
+            redirect_uri: REDIRECT_URI,
+            scope: SCOPE,
+            code_challenge:,
+            code_challenge_method: 'S256',
+          )
+
+        # Manual HTTP needed for Keycloak cross-domain form handling
+        login_form_url = fetch_login_form_url(auth_url)
+        redirect_url = submit_credentials(login_form_url)
+        authorization_code = extract_authorization_code(redirect_url)
+
+        self.oauth_token =
+          oauth_client.auth_code.get_token(
+            authorization_code,
+            redirect_uri: REDIRECT_URI,
+            code_verifier:,
+          )
+      end
 
       def authenticated?
-        authenticate if cookies.empty?
-
-        cookies.key?('sso.senec.com_KEYCLOAK_IDENTITY')
+        !!oauth_token
       end
 
-      def authenticate
-        response = request_with_redirects(Cloud::BASE_URL)
+      def systems
+        fetch_payload "#{SYSTEMS_HOST}/v1/systems"
+      end
 
-        # Find form with username and password inputs
-        form_match = find_login_form(response.body)
-        raise Error, 'Login form not found!' unless form_match
+      def system_details(system_id)
+        fetch_payload "#{SYSTEMS_HOST}/systems/#{system_id}/details"
+      end
 
-        # Perform the login request with the extracted form action URL
-        form_action = form_match.gsub('&', '&')
-        request_with_redirects(
-          form_action, {
-            'username' => username,
-            'password' => password
-          },
-        )
+      def dashboard(system_id)
+        fetch_payload "#{MEASUREMENTS_HOST}/v1/systems/#{system_id}/dashboard"
       end
 
-      def simple_request(url)
-        perform_request(url)
+      def wallbox(system_id, wallbox_id)
+        fetch_payload "#{WALLBOX_HOST}/v1/systems/#{system_id}/wallboxes/#{wallbox_id}"
       end
 
-      def request_with_redirects(url, data = nil)
-        uri = URI(url)
-        redirect_count = 0
-        response = nil
+      private
 
-        loop do
-          response = perform_request(uri.to_s, data)
-          store_cookies(response)
+      attr_accessor :oauth_token
 
-          break unless (300..399).cover?(response.status)
+      def fetch_login_form_url(auth_url)
+        response = http_request(:get, auth_url)
+        store_cookies(response) # Required for Keycloak CSRF protection
+        extract_form_action_url(response.body)
+      end
 
-          location = response.headers['location']
-          break unless location
+      def extract_form_action_url(html)
+        forms = html.scan(%r{<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>}mi)
 
-          redirect_count += 1
-          raise 'Too many redirects!' if redirect_count > MAX_REDIRECTS
+        forms.each do |action_url, form_content|
+          has_username = form_content.match(/name=["']?username["']?/i)
+          has_password = form_content.match(/name=["']?password["']?/i)
 
-          uri = location.start_with?('http') ? URI(location) : URI.join(uri, location)
-          data = nil # Clear data after first request (no POST redirects)
+          return CGI.unescapeHTML(action_url) if has_username && has_password
         end
 
-        response
+        # :nocov:
+        raise 'Login form not found'
+        # :nocov:
       end
 
-      private
+      def submit_credentials(form_url)
+        credentials = { username:, password: }
+        response = http_request(:post, form_url, data: credentials)
+        raise 'Login failed' unless response.status == 302
 
-      def find_login_form(html_body)
-        # Find all forms and check if they contain both username and password inputs
-        html_body.scan(%r{<form[^>]*action="([^"]+)"[^>]*>(.*?)</form>}m).each do |action, form_content|
-          has_username = form_content.match(/input[^>]*name=["']username["'][^>]*/)
-          has_password = form_content.match(/input[^>]*name=["']password["'][^>]*/)
+        response.headers['location'] || raise('No redirect location')
+      end
 
-          return action if has_username && has_password
-        end
+      def extract_authorization_code(redirect_url)
+        raise 'Invalid redirect URL' unless redirect_url&.start_with?(REDIRECT_URI)
+
+        uri = URI(redirect_url)
+        params = URI.decode_www_form(uri.query).to_h
+
+        params['code'] || raise('No authorization code found')
+      end
+
+      def ensure_token_valid
+        authenticate! unless authenticated?
+        return true unless oauth_token.expired?
 
+        self.oauth_token = oauth_token.refresh!
+        true
+      rescue StandardError => e
         # :nocov:
-        nil
+        warn "Token refresh failed: #{e.message}"
+        false
         # :nocov:
       end
 
-      def faraday
-        @faraday ||= Faraday.new do |f|
-          f.adapter :net_http_persistent, pool_size: 1 do |http|
-            # :nocov:
-            http.idle_timeout = 400
-            # :nocov:
-          end
-        end
+      def fetch_payload(url, default = nil)
+        return default unless ensure_token_valid
+
+        response = oauth_token.get(url)
+        return default unless response.status == 200
+
+        JSON.parse(response.body)
+      rescue StandardError => e
+        # :nocov:
+        warn "API error: #{e.message}"
+        default
+        # :nocov:
       end
 
-      def perform_request(url, data = nil)
-        method = data ? :post : :get
-        faraday.public_send(method, url) do |req|
-          configure_request_headers(req)
-          if method == :post
-            req.body = URI.encode_www_form(data)
-            req.headers['content-type'] = 'application/x-www-form-urlencoded'
+      def http_request(method, url, data: nil)
+        Faraday
+          .new
+          .send(method, url) do |req|
+            req.headers['user-agent'] = user_agent
+            req.headers['connection'] = 'keep-alive'
+            req.headers['cookie'] = cookie_string if cookies.any?
+            req.body = URI.encode_www_form(data) if data
           end
-        end
       end
 
-      def configure_request_headers(request)
-        request.headers['user-agent'] = user_agent
-        request.headers['connection'] = 'keep-alive'
-        request.headers['cookie'] = cookies.values.join('; ') unless cookies.empty?
+      def oauth_client
+        @oauth_client ||=
+          OAuth2::Client.new(
+            CLIENT_ID,
+            nil,
+            site: openid_config['issuer'],
+            authorize_url: openid_config['authorization_endpoint'],
+            token_url: openid_config['token_endpoint'],
+          )
+      end
+
+      def openid_config
+        @openid_config ||= JSON.parse(http_request(:get, CONFIG_URL).body)
+      rescue StandardError => e
+        # :nocov:
+        raise "Failed to load OpenID configuration: #{e.message}"
+        # :nocov:
+      end
+
+      def cookies
+        @cookies ||= {}
+      end
+
+      def cookie_string
+        cookies.map { |k, v| "#{k}=#{v}" }.join('; ')
       end
 
       def store_cookies(response)
-        host = URI(response.env.url).host
-        cookie_header = response.headers['set-cookie']
-        return unless cookie_header
-
-        Array(cookie_header).each do |cookie_string|
-          cookie_string.split(', ').each do |cookie|
-            cookie_name = cookie.split('=').first
-            cookie_value = cookie.split(';').first
-            @cookies["#{host}_#{cookie_name}"] = cookie_value
+        set_cookie = response.headers['set-cookie']
+        return unless set_cookie
+
+        set_cookie
+          .split(', ')
+          .each do |cookie_header|
+            name, value = cookie_header.split(';').first.split('=', 2)
+            cookies[name] = value if name && value
           end
-        end
       end
     end
   end