Commit 0b948b7
committed
fix(seatcupra): disable classic Cupra/SEAT login (Firebase App Check)
Cupra/SEAT OLA backend (ola.prod.code.seat.cloud.vwgroup.com) started
enforcing Firebase App Check with the Play Integrity provider around
2026-06. Decompiled MyCupra 2.18.0 APK confirms: an OkHttp interceptor
(es.seat.ola.attestation.interceptor.AppCheckInterceptor in
smali_classes7/gf/a.smali) attaches an X-Firebase-AppCheck header to
every API call. Without it the server returns:
{"status":403,"error":"Forbidden",
"message":"Forbidden device detected",
"code":"missing-device-token"}
User-reported failure points: /v2/vehicles/{vin}/renders,
/v1/vehicles/{vin}/charging/status,
/v1/vehicles/{vin}/measurements/engines,
/v2/vehicles/{vin}/climatisation/settings.
Play Integrity tokens require a real Android device with the registered
APK signing-cert SHA-256 in Firebase project ola-apps-prod
(1:530284123617:android:9b9ba5a87c7ffd37fbeea0). A Node.js adapter
cannot produce them.
For type=seatcupra/seat the adapter now skips the classic login the same
way type=id already does (VW retired that OAuth client in May 2026).
EU Data Act (brand=CUPRA/SEAT) and Tibber Data API both still work for
these brands and remain active. Re-enable this block by deleting the
early return if VW reverts the change or we find a token-bridge
solution. updateStatus() needs no change — vinArray stays empty so the
seatcupra branch iterates nothing.1 parent 4321b81 commit 0b948b7
1 file changed
Lines changed: 22 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
401 | 401 | | |
402 | 402 | | |
403 | 403 | | |
| 404 | + | |
| 405 | + | |
| 406 | + | |
| 407 | + | |
| 408 | + | |
| 409 | + | |
| 410 | + | |
| 411 | + | |
| 412 | + | |
| 413 | + | |
| 414 | + | |
| 415 | + | |
| 416 | + | |
| 417 | + | |
| 418 | + | |
| 419 | + | |
| 420 | + | |
| 421 | + | |
| 422 | + | |
| 423 | + | |
| 424 | + | |
| 425 | + | |
404 | 426 | | |
405 | 427 | | |
406 | 428 | | |
| |||
0 commit comments