Invalid User Credentials using Nest login

[JsChiSurf]

Just started receiving this message and can no longer login (traditional nest login flow, not Google), as soon as my local cache expired. On another machine things are still working and cookie does not expire for another few days. I suspect after expiration it may start experiencing the same problem.

Anyone else notice this yet / having the same issue?

[xetra27]

I have the same issue as of January 3rd.

[jfstgermain]

Same here...

[gboudreau]

Did you guys try to logout and re-login using the web or mobile apps?
Is it still working with your Nest account?
Maybe Google decided to start forcing users to migrate..? Or they changed the API used for the Nest accounts (which would be weird, but still possible).

[JsChiSurf]

Did you guys try to logout and re-login using the web or mobile apps?
Is it still working with your Nest account?
Maybe Google decided to start forcing users to migrate..? Or they changed the API used for the Nest accounts (which would be weird, but still possible).

Yes, no problem logging in via the web and/or phone app. My best guess, as well, is that they've started to disable the "traditional" login method altogether :-(

[bauzer714]

I'm guessing this email is related.

We wanted to inform you of important changes we’re making to the Nest app that will improve security, and will require you to update your Nest apps for TV, phone, and tablet to the latest version. You’ll need to update by January 2, 2020, or you won’t be able to sign in to the app.

For the Nest TV app, check for updates on Google Play or the Apple TV App Store. You’ll also need Android 5.0 or later, or tvOS version 12 or later.

[JsChiSurf]

What's interesting, though, is that you can still, from the web, login after selecting the 'login with nest' option, which would make you think we should still (at least for now) be able to login the same way through this API.

Though, I just noticed this message (which may prove problematic) below the login form (not sure if that has been there for a while or not):

Nest uses the Google reCAPTCHA service and your device data to verify your login and protect your account.

[gboudreau]

We wanted to inform you of important changes we’re making to the Nest app that will improve security, and will require you to update your Nest apps for TV, phone, and tablet to the latest version. You’ll need to update by January 2, 2020, or you won’t be able to sign in to the app.

This indeed points to a backward-incompatible change on the API. So the API endpoint we're using in this PHP class, to log in, is no longer working.

We'd need a HTTP trace of the new login process, from the mobile app, in order to be able to modify the class to continue supporting logging in with Nest accounts. (As pointed above, a trace of the web app won't help, as it uses reCAPTCHA.)

I guess if it comes to that, we could replicate what we do with the Google Accounts, and use the cookies from a browser session to authenticate.

[cagivacode]

I don't have a trace...but HA integration has the same issue and it has to do with a change in the json about recapcha

[gboudreau]

I don't have a trace...but HA integration has the same issue and it has to do with a change in the json about recapcha

That is a trace from mobile? So even the mobile app uses reCAPTCHA?

[gboudreau]

You can manually create the cache file required by this class using this script:
https://gist.github.com/gboudreau/8b8851a9c99140b6234856bbc80a2d24

That will work around the login issue, as the cache file contains the necessary access token, which is valid for a month.

Save that as nest-api-php-workaround-login.php on the same server that you used the nest-api class, and run it:

$ php ~/Downloads/nest-account-workaround.php 

Instructions:
  - Login to https://home.nest.com in your browser
  - Once logged in, using the same tab, go to https://home.nest.com/session
  - Copy-paste the text (JSON) here (then press ENTER):

{"access_token":..., "is_staff":false}

Thanks!

What is your Nest username: bob
What is your Nest password: test

Will create cache file at /var/folders/dl/h0p431kj1_141mdfg21jksk40000gn/T/nest_php_cache_ffff9d4d69095c4a2d865c4f4d7e7114 ...
Done.
Access token will expire on Mon, 03-Feb-2020 20:25:12 GMT. You will need to re-execute this script before then.

[knappster1]

You can manually create the cache file required by this class using this script:
https://gist.github.com/gboudreau/8b8851a9c99140b6234856bbc80a2d24

That will work around the login issue, as the cache file contains the necessary access token, which is valid for a month.

Save that as nest-api-php-workaround-login.php on the same server that you used the nest-api class, and run it:

$ php ~/Downloads/nest-account-workaround.php 

Instructions:
  - Login to https://home.nest.com in your browser
  - Once logged in, using the same tab, go to https://home.nest.com/session
  - Copy-paste the text (JSON) here (then press ENTER):

{"access_token":..., "is_staff":false}

Thanks!

What is your Nest username: bob
What is your Nest password: test

Will create cache file at /var/folders/dl/h0p431kj1_141mdfg21jksk40000gn/T/nest_php_cache_ffff9d4d69095c4a2d865c4f4d7e7114 ...
Done.
Access token will expire on Mon, 03-Feb-2020 20:25:12 GMT. You will need to re-execute this script before then.

@gboudreau thanks for the update, but when I paste the JSON string I get a Segmentation fault about 1/3 through the access token value and then the rest appears to paste as a new line. This is on a raspberry pi running raspbian buster and php 7.3.11. Maybe I will try on some other OS's, but I wonder if it is unique to my JSON string somehow?

[joe248]

@knappster1 I have the same issue. I just put the JSON directly into the PHP script to work around it.

[stuartajc]

@gboudreau I created the cache file using that script with no errors, but am still seeing the user credentials error:

PHP Fatal error: Uncaught RuntimeException: Error: HTTP 400 from request to https://home.nest.com/session. JSON error: access_denied - invalid user credentials in /root/nest.class.php:584

[doctorkb]

@gboudreau Guillaume - thank you so much for the work you've done on this. I've been an avid user (and proponent) since I got my Nest back in 2013.

That said, given the changes Google/Nest are making, I felt it was time to switch away. I've replaced my Nest thermostat with an Ecobee and my cameras with Ring Indoor Cams.

All the best to you, and I hope that things go well for you in the future. If you decide to switch also, I'd be happy to share my Ecobee API code and/or lessons learned.

Cheers!

[knappster1]

@joe248 good tip. I panicked this morning when I saw that it wasn't working and tried to resolve it quickly. Needless to say I did not, but I will try that when I get home.

[xetra27]

@gboudreau I created the cache file using that script with no errors, but am still seeing the user credentials error:

PHP Fatal error: Uncaught RuntimeException: Error: HTTP 400 from request to https://home.nest.com/session. JSON error: access_denied - invalid user credentials in /root/nest.class.php:584

I have the same problem. Created the cache but still get the invalid user credentials.
I also use homebridge-nest and I noticed that the config file no longer uses user and password, just the access_token and it works fine. Has that been modified in the nest.class.php as well?

[knappster1]

@gboudreau this worked with @joe248's tip. If I migrate to a google account, would this become a non-issue?

[J-Prince]

@knappster1 I have the same issue. I just put the JSON directly into the PHP script to work around it.

Where exactly should we put the JSON in the PHP file? It seems the file in /tmp gets zeroed out way before the expiration of the session... The cache file is there, but its size suddenly becomes 0 after only a couple of days. Thanks!

[oblivionratula]

@knappster1 I have the same issue. I just put the JSON directly into the PHP script to work around it.

Where exactly should we put the JSON in the PHP file? It seems the file in /tmp gets zeroed out way before the expiration of the session... The cache file is there, but its size suddenly becomes 0 after only a couple of days. Thanks!

Same problem here. Results in a "406 Not Acceptable" error. Re-running:
nest-api-phpworkaround-login.php
recreates the file and things go along again.

Edit to add:
I changed the script and nest.class.php to read/write from my home directory for now.

[cagivacode]

Mine timed out after most of you about 10 days ago.....I pasted my token directly into nest-api-phpworkaround-login.php before running it....and had no issues

....I have not had my cache file zero out

my implementation may be different...my php scripts are being called through a webserver and not command line. (litespeed / centos)

[t1n1wall]

a '406 not acceptable' response is because nest have blocked your ip doing curl requests. you can work around it by setting a user agent in nest.class.php

i.e.

curl_setopt($ch,CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');

They might block you again, but that got me out of the 406 error.

[xetra27]

I just noticed I still get error 400 (invalid user credentials) when calling the script from any browser. However it works when called from a terminal or crontab. Might have something to do with https/ self-signed SSL I'm using on my server, but I'm not sure.

[knappster1]

FWIW, I saw a post on google's blog that appears to state that Nest accounts will be forced to use 2 factor authentication starting this spring. My interpretation is that the options are to either migrate to a google account or use 2 factor authentication and I am not sure whether 2FA is supported with this code. I was forced to start using a google account last week when a family member inadvertently migrated and hopefully this won't impact google accounts...
https://www.blog.google/products/google-nest/security-nest-accounts-safer-internet-day/

[alanfoster99]

Edit to add:
I changed the script and nest.class.php to read/write from my home directory for now.

@oblivionratula can you share the changes you made? Did you change all references to sys_get_temp_dir() ?

Thanks, and sorry for digging up an old thread!