Possible new auth flow? #6

Open
IdealText opened this issue Dec 30, 2024 · 2 comments

@IdealText

Python version: 3.11
OS: MacOS 15.2
fetched from master, v1.1.0

I have recently signed up to ubank and am looking for a way to get my transaction history and was trying out this project. I hit a few issues with the sign-up process.

In the response to https://api.ubank.com.au/app/v1/challenge/otp I was getting the error:

{'message': 'Invalid request: flowId not valid uuid', 'stackError': {'code': 'FEA-400'}}

I looked at the response payload from https://api.ubank.com.au/app/v1/challenge/password and saw it included the flowId. I included this in the JSON of the request to otp and got back a payload, but it was different to what was expected. It was the following:

{
  "accessToken": "removed",
  "sessionToken": "removed",
  "expiresIn": 600,
  "userId": "removed",
  "username": "removed",
  "mobileNumber": "removed",
  "email": "removed",
  "refreshToken": "removed",
  "refreshExpiresIn": 600,
  "type": "bearer"
}

Missing authKey.

I played around further to see what may be going on and noticed that when I log in to the app on my phone I am unable to have a persistent login. If I use username + password + SMS, then each time I access the app I have to reauthenticate. This is then pushing me to use a passkey in the UI.

Is it possible that ubank have moved to remove long lived logins, at least for new users?

@jakepronger
Contributor

I've noticed this myself and don't think it even works now, even with a device already registered. Will look into this later when I get more time, but it does appear that they've changed some internal auth things to make it more complicated. Maybe there is a way to automate or generate a passkey instead and replicate the same behavior with this new auth method.

@eidorb
Owner

eidorb commented Jan 6, 2025

Yes, enrolling fails for me after the OTP step too. But using my existing credentials still works.

I will look into the passkey route as that should be more future-proof. A fun challenge too, I'm sure.
