brut/bincio-activity
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

Here's what was built and why each decision was made:

Browse Source 
Key at data_dir.parent/.garmin_key — nginx serves location /data/ { alias /var/bincio/data/; } so
  anything inside that dir is reachable. The key lives one level up at /var/bincio/.garmin_key,
  outside nginx's reach.

  Two-layer storage — garmin_creds.json holds the encrypted email+password (needed for re-login when
  tokens expire); garmin_session/ holds the garth OAuth tokens in plain JSON (short-lived, not the
  user's actual password).

  test_login() — called by the connect endpoint before saving anything, so credentials are only
  persisted if they actually work.

  get_client() — tries the session first (fast, no network), falls back to full re-login
  transparently. The caller never needs to think about whether the session is fresh.
This commit is contained in:
Davide Scaini
2026-04-12 15:12:20 +02:00
parent e80231b442
commit 6c431e8821
4 changed files with 305 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/garmin_connect_disclaimer.md
+75
View File
@@ -0,0 +1,75 @@
# Garmin Connect Sync — Disclaimer
**This feature uses an unofficial, community-maintained library to access Garmin Connect.
It is not affiliated with, endorsed by, or supported by Garmin Ltd. or its subsidiaries.**
---
## What this feature does
When you enable Garmin Connect sync, BincioActivity will:
1. Ask for your Garmin Connect **email address and password**
2. Store those credentials on the server, encrypted at rest
3. Use them to log in to Garmin Connect on your behalf and download your activity files (FIT format)
4. Import those activities into your BincioActivity account
---
## What you need to know before enabling this
### Your credentials are stored on the server
Unlike Strava (which uses OAuth — you authorize without sharing your password),
Garmin Connect has no official third-party API. This feature works by logging in
as you, using your actual email and password.
This means:
- The server operator has technical access to your stored credentials
- You are trusting both the software and the person running the server
- Only enable this on a server you control or run by someone you fully trust
### This uses an unofficial API
Garmin does not provide a public developer API for activity data.
This feature relies on a reverse-engineered interface that:
- May break without notice when Garmin changes their systems
- Is not covered by any Garmin service agreement or SLA
- May violate Garmin Connect's Terms of Service
BincioActivity takes no responsibility for account restrictions or bans
that may result from using this feature.
### Two-factor authentication (2FA)
If your Garmin account has 2FA enabled, this feature may not work or may
require additional steps. Garmin has changed their authentication flow
several times; compatibility depends on the current state of the underlying library.
### Rate limits
Garmin does not publish API rate limits. Syncing too frequently or importing
large volumes of activities may result in temporary or permanent IP blocks.
BincioActivity applies conservative limits, but cannot guarantee uninterrupted access.
---
## How to revoke access
BincioActivity does not hold an OAuth token that can be revoked from Garmin's settings.
To stop BincioActivity from accessing your Garmin account:
1. Delete your stored credentials from BincioActivity (Settings → Garmin Connect → Disconnect)
2. **Change your Garmin Connect password** — this is the only way to guarantee that
no previously stored credentials can be used
---
## Recommendation
If you have concerns about credential storage, consider the alternative:
export your activities from Garmin Connect or Garmin Express as FIT files
and upload them directly to BincioActivity. This requires no credentials
and is always available.