HTTPS required starting Monday, Nov 3, 2014

This is a 90 day notice of a potentially breaking change.

 

On Monday, November 3, 2014, connections to api.fitbit.com will be restricted to HTTPS connections only. TLS ("SSL") will be required to use all api.fitbit.com endpoints, including all steps of OAuth.

 

TLS creates a secure communication channel between your application and Fitbit's API. If your application uses plaintext HTTP connections to access the Fitbit API, you need to update it to use HTTPS immediately.

 

For most applications, changing "http://" to "https://" on requests to api.fitbit.com and redirects to www.fitbit.com is all that is necessary to comply with this requirement.

 

The Fitbit API will return an HTTP 400 or 403 error to all non-HTTPS requests starting on November 3, 2014.

 

A "blackout test" will be performed on Tuesday, October 7, 2014, between 8–9 AM PDT. Non-HTTPS requests will fail for a brief period of time. This time will be announced here and at https://status.fitbit.com/ .

 

If you have questions about securely connecting to https://api.fitbit.com, please post them here.

Best Answer

Hi Jeremiah, can you please give me some detailed instructions as to what we should do in order to comply with the TLS requirements?

We use oAuth fitbitphp.php (https://github.com/heyitspavel/fitbitphp) for our application.

We can buy an SSL from the hosting company.

Do we need to change any code? Which part? Can you lend us a hand? We don't have an IT contractor anymore.

 

Many thanks for your help

Lan

 

Best Answer
0 Votes

@bigrice wrote:

Hi Jeremiah, can you please give me some detailed instructions as to what we should do in order to comply with the TLS requirements?

We use oAuth fitbitphp.php (https://github.com/heyitspavel/fitbitphp) for our application.

We can buy an SSL from the hosting company.

Do we need to change any code? Which part? Can you lend us a hand? We don't have an IT contractor anymore.

 

Many thanks for your help

Lan

 


Hi Lan,

 

You do NOT need to buy SSL or any kind of hosting product. This change should be purely in your code.

 

That "fitbitphp" library just needs to be updated so it connects to https://api.fitbit.com instead of http://api.fitbit.com (the difference is just the "s" in https).

 

On lines 98 and 106 of the fitbitphp.php file, you will need to change 2 of the function signatures:

https://github.com/heyitspavel/fitbitphp/blob/master/fitbitphp.php#L98-L106

Change:

public function setEndpointBase($apiHost, $authHost, $https = true, $httpsApi = false)

To:

public function setEndpointBase($apiHost, $authHost, $https = true, $httpsApi = true)

 

Change:

private function initUrls($https = true, $httpsApi = false)

To:

private function initUrls($https = true, $httpsApi = true)

Best Answer

Hello,

 

This message and the status page both state that a "blackout test" will be performed on Oct 7 (Tomorrow) and that the time will be announced in both places, but I do not see a time announcement in either place (Am I just overlooking it?).  

 

Is the blackout still taking place tomorrow (Oct 7) and what will be the time period of this blackout?

 

Thanks,

Kevin 

Best Answer
0 Votes

@Extracon wrote:

Is the blackout still taking place tomorrow (Oct 7) and what will be the time period of this blackout?


Yes, the blackout test will be conducted between 8–9 AM PDT tomorrow (Oct 7, 2014). This topic and the status site have been updated.

Best Answer
0 Votes

The blackout test will begin at 8:25 AM PDT.

Best Answer
0 Votes

Just to confirm... Is the Blackout test currently active right now?

Best Answer
0 Votes

@Extracon wrote:

Just to confirm... Is the Blackout test currently active right now?


Yes, the blackout test is now live. It began at 8:25:48 AM PDT.

Best Answer
0 Votes

The blackout test concluded at 9:17:35 AM PDT.

Best Answer
0 Votes

As of 9:17:35 AM PDT, HTTPS blackout testing is done.

The HTTPS requirement has been removed from the Fitbit API servers.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes

I received an email stating that we failed the blackout test. Our redirect to fitbit.com and all calls (api.fitbit.com) are https. Can you think of other reason(s) this would happen or provide specific examples of the violation(s)?

Best Answer
0 Votes

Got an unhelpful email today saying we failed the blackout test because we're making non-https calls. We updated our app months ago and have https everywhere. Not sure why fitbit doesn't give us a list of failed calls or summary.

 

How can I go about finding what your logs are reporting as non-https?

 

Or is this just another fitbit bug, and was everyone possibly incorrectly spammed???

Best Answer
0 Votes

Hi Ivan,

 

We're using the Fitbit Java client, specified in https://wiki.fitbit.com/display/API/API+Java+Client. We already use https on the fitbitSiteBaseUrl property.

 

fitbitSiteBaseUrl=https://www.fitbit.com

apiBaseUrl=api.fitbit.com

 

However, we got an email from fitbit that we need to switch to HTTPS.

"...We noticed that your application has not been updated to access the Fitbit API via HTTPS..."

 

We've found an init() method in the com.fitbit.api.client.Configuration class (fitbit4j-1.0.25.jar) that sets a property to disable HTTPS by default. Would this cause our requests not to be sent via HTTPS? If yes, how do we overwrite this property programmatically? We haven't been able to find a way on the wiki page. If this is not the issue, what do we need to implement to enable HTTPS for all requests?

 

defaultProperty.setProperty("fitbitAPIClient.http.useSSL", "false");

public static boolean useSSL() {
    return getBoolean("fitbitAPIClient.http.useSSL");
}

public static String getScheme() {
    return useSSL() ? "https://" : "http://";
}

 

Thanks,

kenny

Best Answer
0 Votes
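The two cases raised in this thread (a hard-coded "http://" that needs the "s" added, and a Java client whose scheme is chosen by a separate fitbitAPIClient.http.useSSL property rather than by the apiBaseUrl value) can both be audited offline. The following is an added example, not code from Fitbit or from any of the client libraries discussed; the properties model mirrors the Configuration snippet quoted above and assumes the library's default of useSSL=false, and the sample URLs and properties are constructed from the posts in this thread.

```python
# Added example (not Fitbit's or any library's code): find the URLs an app
# sends to Fitbit over plain HTTP, which the Nov 3, 2014 cutover will reject.
from urllib.parse import urlsplit, urlunsplit

FITBIT_HOSTS = {"api.fitbit.com", "www.fitbit.com"}


def is_plaintext_fitbit(url):
    """True if the URL targets a Fitbit host over plain HTTP."""
    parts = urlsplit(url)
    return parts.scheme.lower() == "http" and parts.hostname in FITBIT_HOSTS


def audit_urls(urls):
    """Return the URLs that would get an HTTP 400/403 once HTTPS is enforced."""
    return [u for u in urls if is_plaintext_fitbit(u)]


def upgrade_url(url):
    """The fix most apps need: swap the scheme, leave everything else intact."""
    parts = urlsplit(url)
    if is_plaintext_fitbit(url):
        return urlunsplit(("https",) + tuple(parts[1:]))
    return url


def effective_urls(properties_text):
    """Model (assumption) of fitbit4j's getScheme(): apiBaseUrl carries no
    scheme; the scheme comes from fitbitAPIClient.http.useSSL, default false."""
    props = {}
    for line in properties_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    use_ssl = props.get("fitbitAPIClient.http.useSSL", "false").lower() == "true"
    scheme = "https://" if use_ssl else "http://"
    api_base = props.get("apiBaseUrl", "api.fitbit.com")
    api_url = api_base if "://" in api_base else scheme + api_base
    return [props.get("fitbitSiteBaseUrl", "https://www.fitbit.com"), api_url]


# Constructed sample: OAuth endpoints with the "s" missing on two of them.
OAUTH_URLS = [
    "https://api.fitbit.com/oauth/request_token",
    "http://api.fitbit.com/oauth/access_token",
    "http://api.fitbit.com/oauth/authorize",
]
# Constructed sample: Java client properties as posted above, useSSL left at default.
JAVA_PROPS = "fitbitSiteBaseUrl=https://www.fitbit.com\napiBaseUrl=api.fitbit.com\n"

if __name__ == "__main__":
    for url in audit_urls(OAUTH_URLS):
        print("plaintext:", url, "->", upgrade_url(url))
    print("fitbit4j, default useSSL:", audit_urls(effective_urls(JAVA_PROPS)))
    print("fitbit4j, useSSL=true:", audit_urls(
        effective_urls(JAVA_PROPS + "fitbitAPIClient.http.useSSL=true\n")))
```

Run it against every URL and property your app actually uses (including the www.fitbit.com redirect), not just the ones you remember changing.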

The Fitbit.NET library appears to be completely tied to HTTPS already. HOWEVER, if you copied our example MVC website project's code here, note that you should update to add the "s" in https:

 

https://github.com/aarondcoleman/Fitbit.NET/blob/master/SampleWebMVC/Controllers/FitbitController.cs

 

So, to sum up, all the FitbitClient class calls already do connect using HTTPS, but it's that OAuth handshake that you need to specify with the "s". That's done via the Fitbit.Api.Authenticator class constructor. It should be:

 

Fitbit.Api.Authenticator authenticator = new Fitbit.Api.Authenticator(
    ConsumerKey, ConsumerSecret,
    "https://api.fitbit.com/oauth/request_token",
    "http://api.fitbit.com/oauth/access_token",
    "http://api.fitbit.com/oauth/authorize");

 

--Aaron

Using Fitbits in Research? Check out Fitabase --www.fitabase.com
Best Answer
0 Votes

Hello,

 

We also received the message that our app is not using HTTPS.

However, as far as I can tell, all of our API calls have been set to use HTTPS since well before the blackout test. Also, we did not see any errors on our end during the blackout test and everything seemed to be functioning normally.

 

We are using the Fitbit.NET library and the URLs used in the Authenticator Constructor are ALL set to use HTTPS as in:

Fitbit.Api.Authenticator authenticator = new Fitbit.Api.Authenticator(
    ConsumerKey, ConsumerSecret,
    "https://api.fitbit.com/oauth/request_token",
    "https://api.fitbit.com/oauth/access_token",
    "https://api.fitbit.com/oauth/authorize");

 

The only place that I can find a non-https URL is OUR subscribers endpoint URL in our application settings on dev.fitbit.com.  My understanding of the new HTTPS requirement is that HTTPS is required for all FitBit API calls and thus not a requirement for our endpoint.  Also, our endpoint was HTTP during the blackout and was working.

 

Would a non-https subscribers endpoint URL cause the email we received or is there something else that we need to look for?

 

Thank you for your assistance,

Kevin

Best Answer
0 Votes

We believe that some application owners may have received this email in error. We are creating a tool to help you verify that you are only using HTTPS.

Best Answer
0 Votes

To verify if your application is making non-HTTPS requests to the Fitbit API:

  1. Go to http://httpschecker-30885.onmodulus.net/
  2. Enter your client key from https://dev.fitbit.com
  3. If your application had any non-HTTPS Fitbit API requests in the time period noted on the page, they will be displayed.
Best Answer

We thought our app was ready, but received an email stating that our application has not been updated to access the Fitbit API via HTTPS.  If we received the email, does that mean for sure there is a problem or is it possible we got the email by mistake?  (edit: sorry, missed your prior reply that it is possible some emails were sent in error).

 

We missed the original test and were wondering if another test is possible?

Best Answer
0 Votes

I received the mail below from api@fitbit.com linking to http://httpschecker-30885.onmodulus.net/?utm_campaign=website&utm_source=sendgrid.com&utm_medium=ema... Is this the official place to verify HTTPS compliance?

 

You are receiving this email because you have registered an application to use the Fitbit API at https://dev.fitbit.com/. This is a notice of a potentially breaking change to your integration with the Fitbit API.

Yesterday, we emailed you because we believed that your application had not been updated to use HTTPS with the Fitbit API. We learned that some people who received this email had already updated their application to use HTTPS and received this notice in error.

We created a tool to allow you to verify if your application is still making non-HTTPS requests. To use it, copy your client key and paste it here. If any non-HTTPS requests were made during the time period noted, the timestamp and endpoint will be displayed. We will periodically update this tool with recent access data.

We are sorry for so many emails, especially if you have already updated your application. We want to ensure a smooth transition for your app and our shared users.

If you have questions about securely connecting to Fitbit’s API, please post them in our support forum.

The Fitbit API Team

 

Best Answer
0 Votes

Yes, this is the official place to verify HTTPS compliance.

Ivan Bahdanau
Senior Software Developer at Fitbit
Best Answer
0 Votes