Skip to content

Commit 0b948b7

Browse files
committed
fix(seatcupra): disable classic Cupra/SEAT login (Firebase App Check)
Cupra/SEAT OLA backend (ola.prod.code.seat.cloud.vwgroup.com) started enforcing Firebase App Check with the Play Integrity provider around 2026-06. Decompiled MyCupra 2.18.0 APK confirms: an OkHttp interceptor (es.seat.ola.attestation.interceptor.AppCheckInterceptor in smali_classes7/gf/a.smali) attaches an X-Firebase-AppCheck header to every API call. Without it the server returns: {"status":403,"error":"Forbidden", "message":"Forbidden device detected", "code":"missing-device-token"} User-reported failure points: /v2/vehicles/{vin}/renders, /v1/vehicles/{vin}/charging/status, /v1/vehicles/{vin}/measurements/engines, /v2/vehicles/{vin}/climatisation/settings. Play Integrity tokens require a real Android device with the registered APK signing-cert SHA-256 in Firebase project ola-apps-prod (1:530284123617:android:9b9ba5a87c7ffd37fbeea0). A Node.js adapter cannot produce them. For type=seatcupra/seat the adapter now skips the classic login the same way type=id already does (VW retired that OAuth client in May 2026). EU Data Act (brand=CUPRA/SEAT) and Tibber Data API both still work for these brands and remain active. Re-enable this block by deleting the early return if VW reverts the change or we find a token-bridge solution. updateStatus() needs no change — vinArray stays empty so the seatcupra branch iterates nothing.
1 parent 4321b81 commit 0b948b7

1 file changed

Lines changed: 22 additions & 0 deletions

File tree

main.js

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -401,6 +401,28 @@ class VwWeconnect extends utils.Adapter {
401401
return;
402402
}
403403

404+
// Cupra / SEAT: the OLA backend (ola.prod.code.seat.cloud.vwgroup.com)
405+
// started enforcing Firebase App Check with the Play Integrity provider
406+
// around June 2026. Every request now needs an X-Firebase-AppCheck
407+
// header generated on a real Android device with the signed APK; we
408+
// can't produce that from a Node.js adapter. The classic login itself
409+
// would still complete, but every subsequent /v1/vehicles/{vin}/...
410+
// call returns 403 'Forbidden device detected, missing-device-token'.
411+
// Skip the classic login for these brands and let the EU Data Act +
412+
// Tibber paths (both still working) cover their telemetry. Re-enable
413+
// by deleting this early return if VW ever reverts the change or we
414+
// find a token bridge we can host.
415+
if (this.config.type === "seatcupra" || this.config.type === "seat") {
416+
this.log.info(
417+
"Cupra/SEAT OLA backend now requires Firebase App Check (Play Integrity). " +
418+
"Adapter cannot generate that token from Node.js. Classic login is " +
419+
"skipped — use the EU Data Act portal (config.type sees brand=CUPRA/SEAT) " +
420+
"and/or the Tibber Data API for telemetry. See README.",
421+
);
422+
this.subscribeStates("*");
423+
return;
424+
}
425+
404426
this.login()
405427
.then(() => {
406428
this.log.info("Login successful");

0 commit comments

Comments
 (0)