Problems with refresh_token()

[martinbannert]

Hello, thanks so much for sharing this! It works really well so far, just using refresh_token() gives huzzles. After calling it, it might be that one or two following other API-calls still work, but then get a "401 - unauthorized" and need to re-authenticate with an M_TAN.
Your code looks perfectly fine and is following the spec, maybe it only works with P_TAN?

This is what I do, to test it:

I have an 'ini.py' file where I do the TAN-dance once and export the session:

from comdirect_api.comdirect_client import ComdirectClient
client = ComdirectClient(client_id, client_secret)
client.fetch_tan(userId, pin)
tan = input('Enter TAN:')
client.activate_session(tan)
client.session_export()

And then run it of the command-line python3 ini.py, which works fine.

Then I import the session in another file called 'main.js' and do some API-calls:

from comdirect_api.comdirect_client import ComdirectClient
client = ComdirectClient(client_id, client_secret, import_session=True)
balances = client.get_all_balances()
print(balances)

I can execute main.py flawlessly for the next ten minutes, before the token expires.
However whenever I add the line client.refresh_token() to main.py, the next one or two calls work, but then get 401.

[alex-kn]

Hi Martin, thanks for reporting this. I could reproduce the issue with the code you provided for P_TAN, and there seems to be an issue with the session import. Without exporting and importing refreshing works flawlessly but importing the session from a file causes the token refresh to break subsequent request (401).

Unfortunately, I haven't found out yet what causes that behavior though :(

[martinbannert]

Hi Alex, thanks for confirming reproducibility. I tried another lib and had the same problem. Could solve it by starting a daemon-thread in main.py for periodically refreshing the token.

I have abandoned using the comdirect-API all together, because some endpoints seem to be permanently out of order, but it was a delight to read your code. Thanks again for sharing!

[michaelotto]

Unfortunately, I haven't found out yet what causes that behavior though :(

Hi Alex, I've traced this a bit and compared the HTTP requests for refresh_token() made by a fresh session and an imported one.

Both looked fine, but the "Authorization: Bearer" header looked quite different:

Fresh session:
Authorization: Bearer 8442c22c-5c66-453d-be52-1f9d2c8e8b74

Imported session:
Authorization: Bearer L8jiFVX8VT31K0PA9W5LUCLStMI

These values come from the access token. I didn't dig into this any further, though. Hope this helps debugging.

[michaelotto]

A further note on this: when I pickle and unpickle the whole ComdirectClient object, refresh_token() works fine for it. So that's a workaround for me.

But thanks for your great work here anyway!

[alex-kn]

Hi Michael, thanks for sharing your findings, this is quite helpful. I will investigate this a bit more once I find the time.

[MarcoDev-Bro]

Hi Alex, I am just looking for an api, that I can use to trade with comdirect. I saw this issue and would like to know if you had a further look on it. As I understood with the workaround of refreshing ever x min I could use your api anyway. Thanks for your work and your time on this topic.