Access Lovoo API using Python

Question

I am hoping to make use of the lovoo API, but don't really know how to start. After running Charles proxy and looking at the traffic, I have come to the following conclusion:

First a GET to https://api.lovoo.com/oauth/requestToken? is sent as soon as a user logs on through the app (iPhone):

    GET /oauth/requestToken? HTTP/1.1
Host    api.lovoo.com
User-Agent  LOVOO/612 (iPhone; iOS 10.2; Scale/3.00)
kissapi-app-idfv    1EC7A8E5-DF16-4E14-8EC9-98DD4772F903
tz  Europe/xxx
kissapi-device-model    iPhone 6s Plus
kissapi-app-version 3.17.0
kissapi-new-oauth   1
kissapi-device  iphone
kissapi-app lovoo
wifi    true
kissapi-adv-id  00000000-0000-0000-0000-000000000000
Connection  keep-alive
kissapi-app-id  7F947A460DAFCA88556B2F35A6D78A3E
Authorization   OAuth oauth_callback="oob", oauth_consumer_key="an.email%40gmail.com", oauth_nonce="A32CCA91-FB7A-4AA3-8314-0A9A6E67045E", oauth_signature="Sq8KTg%2FhVIGBaWgWXprPluczOs4%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1487017515", oauth_version="1.0"
Accept-Language en-CH;q=1, de-CH;q=0.9
kissapi-adv-on  false
kissapi-version 1.20.0
kissapi-update-user-hash    6ea2bd15ea41d0dc8c2615589e2d52ec
Accept  */*
kissapi-device-os   10.2
Accept-Encoding gzip, deflate
kissapi-sync-enabled    1

This also gives following token: oauth_token=44d83e8ef50f&oauth_token_secret=37998f6c6ef2e618

This is followed by another GET to https://api.lovoo.com/oauth/accessToken?:

GET /oauth/accessToken? HTTP/1.1
Host    api.lovoo.com
User-Agent  LOVOO/612 (iPhone; iOS 10.2; Scale/3.00)
kissapi-app-idfv    1EC7A8E5-DF16-4E14-8EC9-98DD4772F903
tz  Europe/xxx
kissapi-device-model    iPhone 6s Plus
kissapi-app-version 3.17.0
kissapi-new-oauth   1
kissapi-device  iphone
kissapi-app lovoo
wifi    true
kissapi-adv-id  00000000-0000-0000-0000-000000000000
Connection  keep-alive
kissapi-app-id  7F947A460DAFCA88556B2F35A6D78A3E
Authorization   OAuth oauth_consumer_key="an.email%40gmail.com", oauth_nonce="080328C9-0A53-4971-85E7-65A43F12DC09", oauth_signature="Km0vd8xtHaQmRgkrGLsiljel13o%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1487017515", oauth_token="44d83e8ef50f", oauth_version="1.0"
Accept-Language en-CH;q=1, de-CH;q=0.9
kissapi-adv-on  false
kissapi-version 1.20.0
kissapi-update-user-hash    6ea2bd15ea41d0dc8c2615589e2d52ec
Accept  */*
kissapi-device-os   10.2
Accept-Encoding gzip, deflate
kissapi-sync-enabled    1

And provides the following token: oauth_token=60c8977c8fe9509f&oauth_token_secret=549619c0ef4c4be7d7cb898e

Now, a request to https://api.lovoo.com/init can be made:

GET /init HTTP/1.1
Host    api.lovoo.com
User-Agent  LOVOO/612 (iPhone; iOS 10.2; Scale/3.00)
kissapi-app-idfv    1EC7A8E5-DF16-4E14-8EC9-98DD4772F903
tz  Europe/xxx
kissapi-device-model    iPhone 6s Plus
kissapi-app-version 3.17.0
kissapi-new-oauth   1
kissapi-device  iphone
kissapi-app lovoo
wifi    true
kissapi-adv-id  00000000-0000-0000-0000-000000000000
Connection  keep-alive
kissapi-app-id  7F947A460DAFCA88556B2F35A6D78A3E
Authorization   OAuth oauth_consumer_key="an.email%40gmail.com", oauth_nonce="B622CE9C-DA3D-435C-939A-C58B83DBE85C", oauth_signature="0irvAsilrrdCCdLfu%2F0XSj7THlc%3D", oauth_signature_method="HMAC-SHA1", oauth_timestamp="1487017515", oauth_token="60c8977c8fe9509f", oauth_version="1.0"
Accept-Language en-CH;q=1, de-CH;q=0.9
kissapi-adv-on  false
kissapi-version 1.20.0
kissapi-update-user-hash    6ea2bd15ea41d0dc8c2615589e2d52ec
Accept  */*
kissapi-device-os   10.2
Accept-Encoding gzip, deflate
kissapi-sync-enabled    1

These are the headers I captured, but I don't know how to send them and get the Oauth authentication working, espescially with oauth_nonce.

requests-oauthlib seems to support it, but I don't know which of the token correspond to which variable:

from requests_oauthlib import OAuth1Session

lovoo = OAuth1Session(
    'client_key',
    client_secret='client_secret',
    resource_owner_key='resource_owner_key',
    resource_owner_secret='resource_owner_secret'
)
url = 'https://api.lovoo.com/init'
r = lovoo.get(url)

Answer 1

An alternative approach would be the use of selenium for login and further using the session with requests.

E.g.

def login(user, pw):     chrome_options = Options()     chrome_options.add_experimental_option("detach", True)     driver = webdriver.Chrome(options=chrome_options)     driver.get("https://www.lovoo.com/login_check")     user_agent = driver.execute_script("return navigator.userAgent;")     iframe = driver.find_element(By.ID,"gdpr-consent-notice")     driver.switch_to.frame(iframe)     privacybutton = WebDriverWait(driver, 10).until(         EC.presence_of_element_located((By.XPATH,"//b[contains(text(),'Accept All')]"))     )     privacybutton.click()     driver.switch_to.default_content()     loginbutton = WebDriverWait(driver, 4).until(         EC.presence_of_element_located((By.XPATH, "//button[contains(text(),'Log in')]"))     )     loginbutton.click()     loginbutton2=WebDriverWait(driver, 4).until(         EC.presence_of_element_located((By.XPATH, "//button[contains(@data-automation-id,'login-submit-button')]"))     )     driver.find_element(By.XPATH, '//input[@name="authEmail"]').send_keys(user)     driver.find_element(By.XPATH, '//input[@name="authPassword"]').send_keys(pw)     webdriver.ActionChains(driver).move_to_element(loginbutton2).click(loginbutton2).perform()     element = WebDriverWait(driver, 10).until(         EC.presence_of_element_located((By.ID, "topmenu"))     )     return user_agent, driver.get_cookies() 

(lat,lon)=(0.0,0.0) with requests.Session() as session:     user_agent, cookies = login(user, pw)     session.cookies.update({c['name']: c['value'] for c in cookies})     session.headers.update({'User-Agent': user_agent})     session.get(f'https://www.lovoo.com/api_web.php/users?ageFrom=0&ageTo=2&latitude={lat}&longitude={lon}') 

Answer 2

Lovoo is using OAuth 1 protocol (https://tools.ietf.org/html/draft-hammer-oauth-10).

I have previously worked with the Lovoo API. One thing I can say is that your account will soon get limited by their BOT detection algorithms. I didn't try with different combinations of HTTP headers. Hence, that may be worth the try.

However, I have published my work on Github for others to give it a try. Below you can find the functions required to make the API calls. To see some examples of how to use these functions, have a look at the above-mentioned repo.

import urllib.parse


# MD5 hashing of an input string
def md5(data: str):
    import hashlib
    return hashlib.md5(data.encode('utf-8')).hexdigest()


def normalize_params(params: dict):
    # Comply with https://tools.ietf.org/html/draft-hammer-oauth-10
    # params must be sorted alphabetically first by keys and then values
    params = dict(sorted(params.items(), key=lambda x: (x[0], x[1]), reverse=False))
    p_encoded = '&'.join(
        ["{}={}".format(urllib.parse.quote_plus(k), urllib.parse.quote_plus(v)) for k, v in params.items() if v != ''])
    # Percent encode
    p_quoted = urllib.parse.quote_plus(p_encoded)
    return p_quoted


def generate_base_string(params: str, url: str, method: str = 'GET'):
    # Comply with https://tools.ietf.org/html/draft-hammer-oauth-10
    base_str = method + '&' + urllib.parse.quote_plus(url) + '&' + params
    return base_str


# Secret hashing used in Lovoo
def secret_hash(pwd: str) -> str:
    pwd = md5("SALTforPW" + pwd)
    return md5("SALTforSecret" + pwd)


def sign_request(client_identifier: str, client_secret: str, token: str, token_secret: str, url: str, nounce: str,
                 timestamp: str, method: str = 'GET', payload: dict = None, callback_url: str = '', oauth_version: str = '1.0'):
    from hashlib import sha1
    import hmac
    import base64

    params = {
        'oauth_callback': callback_url,
        'oauth_consumer_key': client_identifier,
        'oauth_nonce': nounce,
        'oauth_signature_method': 'HMAC-SHA1',
        'oauth_timestamp': timestamp,
        'oauth_token': token,
        'oauth_version': oauth_version
    }

    # Normalize parameters
    if payload is not None:
        params = {**params, **payload}
    np = normalize_params(params)
    # Generate base string
    base_string = generate_base_string(np, url, method)

    if token != '':
        key = (f"{client_secret}&{token_secret}").encode()
    else:
        key = (client_secret + '&').encode()

    raw = base_string.encode()

    hashed = hmac.new(key, raw, sha1)

    # The signature
    return base64.b64encode(hashed.digest()).decode().rstrip('\n')

Please note that It's been some time since I tested that code and there might be some changes to Lovoo's API. Let me know if it didn't work and I will have a look.