eterm 5 days ago

    > The crown jewel? Your 8-digit gym door PIN is your API password and you most likely didn't set it yourself. 
I hope there's a rate-limit on failed attempts.

Because if you know someone's email address, it sounds like you get API access fairly quickly after that?

Also I trust that the scopes that you can ask for are limited appropriately?

OtherShrezzing 4 days ago | parent | next [-]

I think the even better crown jewel here is that the code is predictable, with no lock-out facility at the gym door for wrong attempts. The format is (or was when I signed up) something in the format

>[minute of the hour you created the account][random number, 2 digit][day (or maybe month) of birth][year of birth]

So <59341295> is the code for a user who signed up at :59 past the hour, and their birthday is December 1995.

If you know someone’s birth month, you can just scan through ~6000 possible codes in a for loop to get their access code. At my gym, the PT coaches would celebrate their clients' birthdays loudly.

I’d not be surprised if the random number component was just an integer that increases with each sign up at a gym.

valzevul 5 days ago | parent | prev [-]

OP here!

> it sounds like you get API access fairly quickly after that?

Yes, that's correct; I am yet to hit the rate-limit but from my experience with the official app/website, it's quite forgiving to failed attempts.

The scope in the post is the one used by the app and other unofficial clients on GitHub [1][2], so I doubt there are more options beyond that.

-- [1] https://github.com/0wain/puregym-api-php-wrapper/blob/main/s... [2] https://github.com/2t6h/puregym-attendance/blob/main/puregym...
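The rate limit eterm asks about, as an added example that is not code from the thread or from any gym's API: a per-account failed-attempt throttle for an email plus 8-digit PIN login, which locks the account after repeated failures and refuses even a correct PIN while locked. The account, PIN, thresholds and in-memory store are constructed for illustration.

```python
"""Per-account failed-attempt throttling for an 8-digit PIN login.

Added example, not code from the thread or from any gym's API. The account,
PIN, thresholds and in-memory store are constructed for illustration; a
real deployment would share the counters across servers and also throttle
per source IP.
"""
import hmac
import time
from collections import defaultdict, deque

MAX_FAILURES = 5           # failed attempts allowed inside WINDOW_SECONDS
WINDOW_SECONDS = 15 * 60   # sliding window in which failures are counted
LOCKOUT_SECONDS = 30 * 60  # lockout applied once the threshold is reached


class PinAuthGuard:
    """Verifies email+PIN and locks an account after repeated failures."""

    def __init__(self, pins, clock=time.monotonic):
        self._pins = pins                     # email -> PIN (constructed data)
        self._clock = clock                   # injectable for deterministic tests
        self._failures = defaultdict(deque)   # email -> timestamps of failures
        self._locked_until = {}               # email -> time the lock expires

    def is_locked(self, email):
        return self._clock() < self._locked_until.get(email, 0.0)

    def _record_failure(self, email):
        now = self._clock()
        window = self._failures[email]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                  # drop failures outside the window
        if len(window) >= MAX_FAILURES:
            self._locked_until[email] = now + LOCKOUT_SECONDS
            window.clear()

    def attempt(self, email, pin):
        """Return 'ok', 'bad_pin' or 'locked'. An unknown email is compared
        against a dummy PIN so the response does not reveal whether it exists."""
        if self.is_locked(email):
            return "locked"                   # refuse even a correct PIN while locked
        expected = self._pins.get(email, "00000000")
        # constant-time compare so timing does not leak matching digits
        match = hmac.compare_digest(expected, pin)
        if match and email in self._pins:
            self._failures.pop(email, None)   # success resets the failure count
            return "ok"
        self._record_failure(email)
        return "bad_pin"
```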