Enable ConEd SMS MFA

[skortchmark9]

In coned.py when MFA is enabled we raise an error if there is no TOTP code set up. Setting up TOTP is a pretty big barrier to entry for most people. It's much more common to have SMS set up. It's easy enough to make SMS codes work in a hacky way like so:

mfaCode = TOTP(optional_mfa_secret.strip()).now()
mfaCode = input('📲 Enter the 2FA code: ').strip()

A better way might be to do something like this:

@classmethod
async def async_login(
    cls,
    session: aiohttp.ClientSession,
    username: str,
    password: str,
    optional_mfa_secret: Optional[str],
    optional_mfa_code_retriever: Optional[Callable[[], Awaitable[str]]]
) -> str:
  ...
  if not result["noMfa"]:
      if optional_mfa_secret:
          mfaCode = TOTP(optional_mfa_secret.strip()).now()
      elif optional_mfa_code_retriever:
          mfaCode = await optional_mfa_code_retriever()
      else:
          raise InvalidAuth(
              "TOTP secret or code retriever is required for MFA accounts"
          )

What do you think?

[tronikos]

How do SMS codes work? Are they one time use? The library is mostly used by Home Assistant. Needs a stable way of login so that users don't have to manually login every 12 hours.

[skortchmark9]

The SMS codes themselves are one-time use, but they yield a JWT access_token similar to the other flow - the token can be reused for some amount of time - at least order of minutes.

Understood the home assistant use case but the addition I'm proposing is small and strictly additive.

[skortchmark9]

I see this was closed as not planned - would you accept a pull request if I were to do it? For my use case, https://www.tracy.ac I am currently checking a forked version of this lib.

[tronikos]

Once you enter the SMS code, how long before ConEd asks you for an SMS code on the same browser if you don't clear the cookies? If that's long enough we could support this in the library and in the Home Assistant integration. In the Home Assistant config flow we can add another step that asks for the SMS code and persist the cookies for future requests. Once login fails, hopefully several weeks later, we can trigger the reauth flow and ask the user to enter the new SMS code.

Can you link to your forked version? I'd rather not introduce hacks and implement it in a way that allows Home Assistant to properly support SMS codes.

[tronikos]

I added proper support for MFA. Currently only PG&E uses it. Yes please send a PR for ConEd following the same pattern, i.e. raising an instance of MfaHandlerBase if MFA is needed.

[skortchmark9]

Here is what I did - skortchmark9@a5580c5#diff-14be95e1bc080d43883ba83912d91e7c08b0a5a922792ef0104680704cf0c7e7

TBH, I'm struggling to wrap my head around your implementation. It seems like to follow your pattern I'd need to 1.) pass a url to a service I don't need 2.) use exceptions for control flow

Isn't it simpler and more extensible to just pass this callback, and let the user decide how they want to handle MFA challenge? Genuinely trying to understand the design space.

[tronikos]

You don't need to pass a URL to a service. That's only needed for PG&E.
The pattern of raising MfaChallenge that contains an instance of MfaHandlerBase is like that to support Home Assistant.
Looking at you code it seems for ConEd we might have to make the async_get_mfa_options and async_select_mfa_option optional. Those are needed for PG&E since it first asks you how you want to receive the MFA (email or SMS). Does ConEd immediately send an SMS without confirming first?

[tronikos]

So once you login with username and password do you immediately get an SMS without a confirmation?

If yes, the simplest might be to change https://github.com/tronikos/opower/blob/2c4251610ead48b698066c9a394b21e49fb18de7/src/opower/__main__.py#L112C17-L112C24 to skip calling async_select_mfa_option if async_get_mfa_options returned an empty dict.

I asked you earlier but I never got an answer. Once you enter the SMS code, how long before ConEd asks you for an SMS code on the same browser if you don't clear the cookies?

[skortchmark9]

I guess so, for me I get the MFA code immediately, without specifying a method. For ConEd the MFA method is set up in your account profile. I am not storing the cookies between requests made with this client, but anecdotally in the browser I haven't needed the second factor in like >30d