Possible to disable 2FA code if already logged in?

[backslashV]

Hi,

I am locked out of my account because I switched phones without backing up my 2FA codes. I am already logged in via docker-wyze-bridge and have the access_token, refresh_token, user_id, and phone_id. Will I be able to disable the 2FA by sending a DELETE/POST request of some sort?

I tried sending a DELETE request to https://auth-prod.api.wyze.com/api/v2/users/me/mfa with the following headers, but I got 401 unauthorized in response:

authorization: your_access_token
phone-id: your_phone_id
user-agent: wyze_ios_2.24.52
x-api-key: WMXHYf79Nr5gIlt3r0r7p9Tcw5bvs6BB4U8O8nGJ

Thanks

[JoeSchubert]

While I'm sure that it is entirely possible to do what you're asking... and completely understand the frustrations when something like this happens... It would most likely bring the ire of Wyze on this project if we start helping people bypass account security settings

I would suggest you contact Wyze Support.

edit
I will say that unless the IOS app is somehow different than the android app in what it's sending to that endpoint... you're missing some pretty important headers.

[backslashV]

Thank you for your response. There are two situations here: 1) I don't have physical access to 3 of my cameras, so I can't just create a new account and relink these. 2) wyze support has no idea about access tokens or anything beyond the scope of the wyze app itself. I spoke with them today and requested a higher level support, but I'm not hopeful.

[JoeSchubert]

Fair enough. I know I contacted them before about a rule that glitched on my account so I can't do anything with it from the app (i could probably delete it manually if it really bothers me). They were completely unable to help with it though, unsurprisingly.

These are the header fields I get when I post to that endpoint on an android device at least. authorization and access_token were the same. (Obviously, I cleared the data fields from most of these)

authorization:
access_token:
requestid:
appid:
user-agent:
phoneid:
x-api-key:
appinfo:
signature2:
content-type: application/json; charset=utf-8
content-length: 0
accept-encoding: gzip

[JoeSchubert]

Also, be advised that your access token will expire after ~60 hours and the refresh tokens are one-shots. If you have something working right now, I would let it renew the access token to get an updated one once yours expires.

[backslashV]

Thanks. My current access_token didn't work. However, when I restored an earlier HA backup, auth.pickle got updated, and the new access_token worked. I used the 4 headers mentioned initially.

[backslashV]

See my original post and yoinx's comment regarding access token's expiration.

[JoeSchubert]

Glad you got it figured out. It really worked without the signature2 field though? That's supposed to be, more or less, a hash to make sure that your headers weren't messed with in transit.

[backslashV]

Yes, it worked without it.