This repository has been archived by the owner on Oct 29, 2023. It is now read-only.

Too many login attempts #125

Open
stevenleeg opened this issue Feb 16, 2023 · 15 comments

@stevenleeg
Contributor

stevenleeg commented Feb 16, 2023

Hi there,

I've been struggling quite a bit with the following error while trying to use this library:

ValueError: Unexpected response for initial auth request: {"status":429,"detail":"Too many log-in attempts. Please try again in 30 minutes.","userMessage":{"title":"Oops!","detail":"Too many log-in attempts. Please try again in 30 minutes."},"error":"Oops!","title":"Oops!","message":"Too many log-in attempts. Please try again in 30 minutes."}

It seems like this error is happening pretty randomly, not just for too many attempts within a 30-minute window. That is, I can wait for a few days without making any login attempts, try to execute the n26 balance command, and then still see this error message come up. It's not 100% of the time though, as it will sometimes randomly let me through with no issues and everything will work for a few minutes before I receive another auth error (will post next time I see it, but I'm currently stuck at this too many attempts error).

I have a feeling I'm doing something incorrectly, but I believe I've followed the instructions properly. For additional context, I have a n26.yaml file in the current working directory that looks like this:

n26:
    username: "[email address]"
    password: "[password]"
    device_token: "[uuid generated as instructed]"
    login_data_store_path: "~/.config/n26/token_data"
    mfa_type: app

Any ideas as to what's going on here? (Also thank you for all the hard work you've put into this library; in the times I've gotten through this auth issue everything works great!)

Update: Shortly after posting this I tried running n26 balance again and got this error:

requests.exceptions.HTTPError: 429 Client Error: Too Many Requests for url: https://api.tech26.global/oauth2/token

@nkuttler

I started to get the oauth error recently, and as I only need the balance I tried https://github.com/guitmz/n26/ instead which just works. I didn't debug anything further.

@nkuttler

The problem seems to be the refresh_authentication call: when I comment it out and get a new auth every time, I can get the balance. Some --new-auth or --no-refresh-token argument could help with this. I guess the Go implementation doesn't attempt a refresh.

@markusressel
Collaborator

markusressel commented Feb 16, 2023

> That is, I can wait for a few days without making any login attempts, try to execute the n26 balance command, and then still see this error message come up.

This really suggests that there is something else issuing requests to N26 and therefore blocking access. Using the CLI with the local storage option set (as you have) should (almost) never actually run into any limits. The token is only refreshed if needed because its validUntil period is up.

I don't think I have ever had this error, but I also don't use the CLI on a daily basis. If I use the CLI after the token has expired, a new session will be automatically started and I have to 2FA in the app.

@nkuttler

> The token is only refreshed if needed because its validUntil period is up.

Maybe I'm missing something, but the auth_decorator always tries a refresh? https://github.com/femueller/python-n26/blob/master/n26/cli.py#L34

@markusressel
Collaborator

markusressel commented Feb 16, 2023

Hmm, you are correct. I thought we would check the validity first, or use the get_token() method (which does the same internally), but we don't. We may have done this to ensure longer sessions, since we cannot update the session when the CLI is not running, which is not an issue when using it as a library in some service. But this was added years ago and I cannot remember the details.

However, I still don't think this can explain why the error can come up on first try. We would have to do more testing to confirm this.
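
An added sketch, not code from python-n26 or from anyone in this thread, comparing the two behaviours discussed above: refreshing on every CLI run versus reusing the stored token until its validity period ends. The endpoint stub, the function names, the 900-second lifetime and the 30-second skew are assumptions made for the illustration and say nothing about N26's actual limits.

```python
class FakeTokenEndpoint:
    """Constructed stand-in for an OAuth token endpoint; it only counts requests."""

    def __init__(self, lifetime):
        self.lifetime = lifetime   # assumed token lifetime in seconds
        self.requests = 0          # how often the token endpoint was hit

    def issue(self, now):
        self.requests += 1
        return {
            "access_token": f"tok-{self.requests}",
            "refresh_token": f"ref-{self.requests}",
            "valid_until": now + self.lifetime,
        }


def always_refresh(store, endpoint, now):
    """Hit the token endpoint on every invocation, whether or not the token is valid."""
    store.update(endpoint.issue(now))
    return store["access_token"]


def refresh_if_expired(store, endpoint, now, skew=30):
    """Reuse the stored token until `skew` seconds before valid_until, then renew."""
    if store and now < store["valid_until"] - skew:
        return store["access_token"]
    store.update(endpoint.issue(now))
    return store["access_token"]


def count_token_requests(strategy, invocations, interval, lifetime=900):
    """Simulate CLI runs `interval` seconds apart that share one token store."""
    store, endpoint = {}, FakeTokenEndpoint(lifetime)
    for i in range(invocations):
        strategy(store, endpoint, now=1_000_000 + i * interval)
    return endpoint.requests


if __name__ == "__main__":
    for strategy in (always_refresh, refresh_if_expired):
        hits = count_token_requests(strategy, invocations=20, interval=60)
        print(f"{strategy.__name__}: {hits} token-endpoint requests for 20 runs")
```

With 20 runs one minute apart, the first strategy makes one token request per run, while the second makes one initial request and one renewal.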

@stevenleeg
Contributor Author

For additional context, I've been running into these issues using both the Python API and the command-line interface. I still haven't been able to pick up any particular rhyme or reason for why this is occurring. I've even played around with switching IP addresses to see if they're blocking my local LAN vs a VPN, but have ended up with the same results.

If there are any steps anybody could think of that might shine some more light into what's going on I'd be happy to do them and post the results.

@gygabyte017

It is happening to me now as well, but it worked like a charm for months. You can regenerate a random uuid and it will work again; it seems like the current uuid is put on a blacklist. However, after using the new uuid successfully, it gets locked again. Also, I'm beginning to receive security emails from N26 with unusual login information, which require me to actually confirm my login attempt with a button, completely invalidating my automation process. Maybe a change is happening on N26's side?

@AlexH-HankIT

For me it worked sending the "x-tpp-userip" header, as stated in the documentation:

https://docs.n26.com/cs/N26-PSD2-FallbackAPI-PISP-access-documentation.pdf

If those policies above are not respected, there is no guarantee you will not be rate-limited.

@AlexH-HankIT

AlexH-HankIT commented Feb 21, 2023

Stopped working for me today with the "x-tpp-userip". Had to change the global (authentication) URL from "https://api.tech26.global" to "https://api.tech26.de" to make it work again. Not sure what's going on :/

Edit: After the successful login I got an e-mail from N26 saying they detected a suspicious login and asking me to confirm it's me. They probably updated their fraud detection system, causing these problems.

@AlexH-HankIT

> I started to get the oauth error recently, and as I only need the balance I tried https://github.com/guitmz/n26/ instead which just works. I didn't debug anything further.

I'm guessing this worked, because it's not using the ".global" endpoint at all and relies on the ".de" endpoint, as specified here: https://github.com/guitmz/n26/blob/master/api.go#L15

@tranb3r

tranb3r commented Feb 21, 2023

The "x-tpp-userip" header is not sent by the n26 mobile app, so I'm surprised you need to add it.

@stevenleeg
Contributor Author

> I'm guessing this worked, because it's not using the ".global" endpoint at all and relies on the ".de" endpoint, as specified here: https://github.com/guitmz/n26/blob/master/api.go#L15

I'm testing out #126 locally and modified it to only use the .global endpoints. I'm noticing things are working more reliably for me than they previously were. I'll keep y'all posted as time goes on/I get more data points.

@michaelber

michaelber commented Mar 3, 2023

I get this error on the first authentication attempt. It worked flawlessly until around 3 weeks ago, so it seems N26 has changed something about their implementation. Changing the device token (uuid) as suggested above didn't help for me either.

@stevenleeg
Contributor Author

> > I'm guessing this worked, because it's not using the ".global" endpoint at all and relies on the ".de" endpoint, as specified here: https://github.com/guitmz/n26/blob/master/api.go#L15
>
> I'm testing out #126 locally and modified it to only use the .global endpoints. I'm noticing things are working more reliably for me than they previously were. I'll keep y'all posted as time goes on/I get more data points.

Sorry, got this mixed up. What I meant to say is that I've modified api.py to only use the .de endpoints. So far this has been working flawlessly for me, so I believe that may actually be the fix we need here.

@markusressel
Collaborator

Please check whether version 3.3.1 fixes the issue.
