Discussion: suggestions for handling First Energy?

[jhansche]

First Energy corp is the parent company of my utility, JCP&L (as well as several others). I see that JCP&L is using opower on the fenj subdomain.

However, the problem I'm having that's preventing contributing a jcpl utility is the login process. The login form itself seems simple enough, but there is an encrypted js file added to the login page that intercepts the form submit action and injects 6 hidden form fields with encrypted or hashed data to accompany the login/password fields. Since these inputs are added JIT before submitting the form, we can't just extract those values from the login/landing page. Examples of the injected inputs:

# large values truncated for obscurity and brevity
-d "r8loFrsvDB-a=esnC<...5386 bytes total...>oCY" \
-d "r8loFrsvDB-z=q" \
-d "r8loFrsvDB-d=AB<...80...>M" \
-d "r8loFrsvDB-c=AG<...61...>O-S" \
-d "r8loFrsvDB-b=-3pntgr" \
-d "r8loFrsvDB-f=Axg<...93...>AAAA%3D%3D"

To make matters worse, it appears that there is also a tripwire attached to this honeypot, where if you don't send the exact required values, your IP is blocked for a period of time (seems to be 5-15 min or so).

Looking at the other utility providers, none of them appear to have anything close to this level of security involved (why FirstEnergy requires such security..? 🤷)

I haven't tried something like headless chrome, which I think that would likely work.. But I suspect that would not be a welcome addition to this library.

Are there any other recommendations for how this could be handled?

[tronikos]

Since this library is used by Home Assistant, we cannot have a headless browser due to https://github.com/home-assistant/architecture/blob/master/adr/0004-webscraping.md

Possible alternatives that I can think of:

• in theory you could reverse engineer the JS but it seems hard.
• try to see if you can bypass the login by capturing and reusing an existing session cookie. It's likely to expire though
• fork the library, introduce a headless browser dependency, and create a custom integration
• change the official integration to accept an access token for any utility, create an addon with a headless browser that is responsible for handling the login and getting the access token which can then be passed to the integration

[tronikos]

Also take a look at #13 since it might give you ideas to do something similar. That one is reusing the device token as a cookie which is similar to my 2nd alternative. Apparently that expires after 2 years.

[jhansche]

Thanks for the info. I did look at that PR and noticed the 2FA addition.

This does give me some ideas, because it's not FE this library integrates with, it's opower. So if I can identify how the utility authorizes the access token to opower, then maybe an option could be to add a last-resort "utility" that's configured with subdomain and opower_access_token, which in theory could work for any yet-unimplemented utility as well.

I'll look over the har I captured, and see what I can find. But if the access token has a short expiration, the only alternative might be a cookie combined with some kind of ongoing ping to keep the session alive. The FE website does auto-logout after an annoyingly short time (again, makes no sense to me why they're treating it like a bank account 🤷‍♂️)

[tronikos]

Yes we should only need subdomain, opower_access_token, and optionally timezone (we could get that from the API response) to integrate with any utility. I haven't tried but the access token is likely to be short lived. If we somehow had the refresh token we could in theory get a new access token before it expires without needing username/password.

[jhansche]

So, I've done some testing today, and I made a generic manual.py utility, taking subdomain=username and access_token=password (not great, I understand, I just wanted to see the library work with fenj utility). ...and success! Kind of...

I get the Customer[] list, but then fenj responds 404 from combined-forecast. That crashes in demo.py, because it's expecting a response. I see that demo.py takes the Account objects from the forecast response. However, in fenj, I see the utilityAccounts coming back in the customers response. I can work around that by suppressing the 404, but of course the rest of demo.py is driven entirely by the forecast response, which isn't going to work with fenj (and likely other FirstEnergy utilities, at least for now).

I'm not sure how other utilities respond, but this is how fenj responds to customers:

{
  "customers": [
    {
      "id": ####,
      "uuid": "u-u-i-d",
      "legacyOpowerId": "ab-1-####",
      "accountNumber": "####-####",
      "accountName": "",
      "address": {
        "uuid": "u-u-i-d",
        "streetNumber": "##",
        "streetName": "xxxxx",
        "subpremise": "####",
        "postalCode": "#####",
        "city": "xxxxx",
        "country": "XX",
        "state": "XX"
      },
      "type": null,
      "utilityAccounts": [
        {
          "id": #####,
          "uuid": "u-u-i-d",
          "utilityAccountId": "#####",
          "utilityAccountId2": null,
          "servicePointId": #####,
          "meterType": "ELEC",
          "preferredUtilityAccountId": "#####",
          "readResolution": "BILLING"
        }
      ]
    }
  ],

I have to step away for now, just wanted to mention that in case this is a dealbreaker and not worth pursuing. I will work on converting this response into a fake list of forecasts, and just see how far I can get.

but the access token is likely to be short lived

Yeah, the access token seems to be in the ~10-15 min range. Then I have to log back in and extract my access token manually.

Even if this won't work for JCP&L/fenj, I can contribute the manual utility, if you think it would be useful. It's really only going to be useful for testing and debugging.

[tronikos]

If you go over the commit history you should find an earlier version that I was similarly getting the accounts but I ended up cleaning it up since it was unused and I wanted to avoid maintenance costs. For the same reason I'd suggest not committing the manual.py utility. If you do manage to leverage it with an addon that has a headless browser to login into hard to reverse engineer sites like yours I'd be happy to merge any changes, including getting the accounts differently for utilities that don't have forecasted data.

[tronikos]

FYI, I added back the way getting accounts from customer instead of forecasts

[jhansche]

I do see that we get past that request, only to hit a 500 Internal Server Error on the next:

aiohttp.client_exceptions.ClientResponseError: 500, message='Internal Server Error', url=URL('https://fenj.opower.com/ei/edge/apis/DataBrowser-v1/cws/cost/utilityAccount/u-u-i-d?aggregateType=day&startDate=2023-07-30T00:00:00-04:00&endDate=2023-08-07T00:00:00-04:00')

On the actual website, it only seems to list monthly usage/weather/reads data; I don't see daily readings. From the HAR I saved, these are the requests I captured:
{noformat}
"url": "https://fenj.opower.com/ei/edge/apis/multi-account-v1/cws/fenj/customers/current",
"url": "https://fenj.opower.com/ei/edge/apis/billComparison-v2/cws/v2/fenj/bill-comparison/customer/u-u-i-d/bill-dates?asOf=2023-08-02",
"url": "https://fenj.opower.com/ei/edge/apis/survey-v2/cws/surveys/resume/WHAT_USES_MOST?version=2&customerClassifier=ELEC",
"url": "https://fenj.opower.com/ei/edge/apis/bill-forecast-cws-v1/cws/fenj/customers/u-u-i-d/combined-forecast",
"url": "https://fenj.opower.com/ei/edge/apis/solar-v1/cws/v1/fenj/customers/u-u-i-d/accounts",
"url": "https://fenj.opower.com/ei/edge/apis/cws-bill-nc-v1/cws/v1/neighbors-comparison?fuelType=ELEC",
"url": "https://fenj.opower.com/ei/edge/apis/billComparison-v2/cws/v2/fenj/bill-comparison/customer/u-u-i-d/comparison-by-type?bill=PREVIOUS&asOf=2023-08-02",
"url": "https://fenj.opower.com/ei/edge/apis/multi-account-v1/cws/fenj/customers?offset=0&batchSize=100&addressFilter=",
"url": "https://fenj.opower.com/ei/edge/apis/survey-v2/cws/surveys/percentComplete/WHAT_USES_MOST?version=2",
"url": "https://fenj.opower.com/ei/edge/apis/DataBrowser-v1/cws/metadata?preferredUtilityAccountIdType=UTILITY_ACCOUNT_ID_1&includeCommercialAndIndustrial=true&customerUuid=u-u-i-d",
"url": "https://fenj.opower.com/ei/edge/apis/DataBrowser-v1/cws/utilities/fenj/utilityAccounts/u-u-i-d/reads?startDate=2021-08-02&endDate=2023-08-02&aggregateType=bill&includeEnhancedBilling=false&includeMultiRegisterData=false",
"url": "https://fenj.opower.com/ei/edge/apis/disaggregation-v1/cws/disaggregators/consumption/annual/categories?fuelType=ELEC&ratioScaling=2",
"url": "https://fenj.opower.com/ei/edge/apis/disaggregation-v1/cws/disaggregators/consumption/bills/categories?fuelType=ELEC&cents=false&ratioScaling=2",
"url": "https://fenj.opower.com/ei/edge/apis/billComparison-v2/cws/v2/fenj/bill-comparison/customer/u-u-i-d/comparison-by-type?bill=YEAR_AGO&asOf=2023-08-02",
"url": "https://fenj.opower.com/ei/edge/apis/DataBrowser-v1/cws/weather/aggregate?interval=2022-06-24%2F2022-07-27&interval=2022-07-28%2F2022-08-25&interval=2022-08-26%2F2022-09-26&interval=2022-09-27%2F2022-10-25&interval=2022-10-26%2F2022-11-22&interval=2022-11-23%2F2022-12-22&interval=2022-12-23%2F2023-01-25&interval=2023-01-26%2F2023-02-22&interval=2023-02-23%2F2023-03-24&interval=2023-03-25%2F2023-04-24&interval=2023-04-25%2F2023-05-24&interval=2023-05-25%2F2023-06-23&interval=2023-06-24%2F2023-07-25&useCelsius=false",
"url": "https://fenj.opower.com/ei/edge/apis/TipsRetrieval-v1/cws/v1/fenj/guides/guide002_cooling?locale=en_US&tipsLimit=1&customerMeterTypes=ELEC",
"url": "https://fenj.opower.com/ei/edge/apis/TipsRetrieval-v1/cws/v1/fenj/guides/guide006_electronics_other?locale=en_US&tipsLimit=1&customerMeterTypes=ELEC",
"url": "https://fenj.opower.com/ei/edge/apis/TipsRetrieval-v1/cws/v1/fenj/guides/guide005_appliances?locale=en_US&tipsLimit=1&customerMeterTypes=ELEC",
{noformat}

I'm going to assume that since I'm not seeing hourly (or even daily) usage on the FE website, that opower apparently does not have that data either, and so this integration won't work for me at this time. It may work for other First Energy markets (after solving the login problems).

[tronikos]

Atlantic City Electric, see home-assistant/core#97814, is another utility that lacks forecast data and only provides monthly data. I did try to request hourly or daily data via the API but opower returns 500, same error you encountered.

[jhansche]

I think I agree with your comment about it not being very useful if it can only pull monthly data 🤔
But then again it might still be a useful data point to have in the energy dashboard for historical comparisons.

Interesting that opower even allows this, given that according to another thread here, their documentation specifically says that daily is the bare minimum required update frequency. But our meters also aren't actually smart, and reading through the usage history, it only gives us "actual" readings about once every 2-4 months. Other months in between are "estimated".

[eracknaphobia]

@jhansche I believe this is why FirstEnergy has such beefy security now. I used to have a DIY custom component that was scraping the json from them and if i remember right they used a SAML type login before the hack.

Hopefully we can figure something out eventually, I do miss having the info feed into HA, it beats logging into the website to keep an eye on things.