
Race Condition w/ Multiple QR Code Tabs Open #1

Closed
yogeshpathade opened this issue Jul 27, 2020 · 13 comments
Comments

@yogeshpathade

yogeshpathade commented Jul 27, 2020

Hi,

I have generated the access token by following the steps here: https://api.up.com.au/getting_started

curl --location --request GET 'https://api.up.com.au/api/v1/util/ping' \
  --header 'Authorization: Bearer up:yeah:'

Getting HTTP 401 with this response:

{
    "errors": [
        {
            "status": "401",
            "title": "Not Authorized",
            "detail": "The request was not authenticated because no valid credential was found in the Authorization header, or the Authorization header was not present."
        }
    ]
}

I am not sure if the token is incorrect or invalid or something else is wrong. I tried multiple times with other APIs as well.

@yogeshpathade yogeshpathade changed the title UnAuthorized Request Error Unauthorized Request Error Jul 27, 2020
@d11wtq
Contributor

d11wtq commented Jul 27, 2020

@yogeshpathade thanks for reaching out. The token should have something after the up:yeah: part. Without posting the actual token here, can you confirm you are sending the full token correctly?

@yogeshpathade
Author

yogeshpathade commented Jul 27, 2020

@d11wtq I can confirm I am passing through the actual token.
I removed it from the issue description for security reasons.

curl --location --request GET 'https://api.up.com.au/api/v1/util/ping' \
  --header 'Authorization: Bearer up:yeah:oh<REMOVED'

@d11wtq
Contributor

d11wtq commented Jul 27, 2020

Have you only generated one token? Currently generating a token will revoke any existing tokens.

@yogeshpathade
Author

@d11wtq Thanks. I have generated a new token and used the latest generated token in the request. I can confirm that the old tokens are not used; as explained in the docs, they are revoked once a new token is issued.

Are the requests checked against whitelisted IP addresses? Does the request need to pass any additional headers, etc.?

@d11wtq
Contributor

d11wtq commented Jul 27, 2020

Is it possible you have some additional white space before the token? Not seeing anything obvious on our end.

@scottgbailey

Could you try wrapping the --header part with "" instead of ''?
--header "Authorization: Bearer up:yeah:oh<REMOVED"

@yogeshpathade
Author

@d11wtq No longer an issue. I can get the response now. Not sure what was wrong.

What's the token timeout?

{
    "meta": {
        "id": "9bec95e8-0ca8-42f2-9e10-585c2c84c0f1",
        "statusEmoji": "⚡️"
    }
}

@yogeshpathade
Author

Closing this issue. I could access all of my accounts and transactions.

Thanks for your help @d11wtq

@d11wtq
Contributor

d11wtq commented Jul 27, 2020

Fantastic!

What's the token timeout?

While we're in beta and access tokens are for personal use only, there isn't one. This will change when we start supporting third parties accessing your data.

@yogeshpathade
Author

Thanks, @d11wtq, for your prompt response.

I found the problem with the Unauthorized 401 responses happening yesterday. It's probably a bug.
I had the get-access-token page (https://api.up.com.au/getting_started) open in multiple browser tabs, and when I scanned the QR code in one of them to confirm the IP address request from the Up app, both (or all) of the open pages fired the request

GET https://api.up.com.au/auth_granted

to fetch the token, and in this race condition one of them revokes the previously granted token. Assuming the open tab that was used to scan the QR code has the latest token to copy makes the API request fail with 401, since the token has already been overridden and revoked by another page in the background.
I should probably raise this as a bug?

@d11wtq
Contributor

d11wtq commented Jul 27, 2020

Ohhhh, good find. That definitely sounds like a bug. @plasticine fyi.

@d11wtq d11wtq changed the title Unauthorized Request Error Race Condition w/ Multiple QR Code Tabs Open Jul 27, 2020
@d11wtq d11wtq reopened this Jul 27, 2020
@d11wtq d11wtq added the bug label Jul 27, 2020
@d11wtq
Contributor

d11wtq commented Jul 29, 2020

We've just deployed a fix for this. Essentially now you can only have the QR code page open in one window at a time. Opening a new window invalidates the others.
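As an added illustration, and not Up's own code, here is a small Python model of the race yogeshpathade described (several open tabs each firing the token-fetch request, every fetch revoking the previous token) next to the single-active-window fix d11wtq describes. Everything in it is hypothetical: `TokenServer`, `open_qr_page`, `auth_granted` and `ping` are stand-ins for the real pages and endpoints, the token strings are constructed, and the request interleaving is fixed so the outcome is reproducible.

```python
import secrets
import threading


class TokenServer:
    """Hypothetical model of a personal-access-token service (not Up's code):
    minting a new token revokes the previous one, as the thread describes."""

    def __init__(self, single_window):
        self.single_window = single_window   # True models the deployed fix
        self._lock = threading.Lock()
        self._live_token = None
        self._active_page = None

    def open_qr_page(self):
        """A browser tab loads the QR-code page. With the fix, the newest page
        becomes the only one allowed to collect the token."""
        page_id = secrets.token_hex(4)       # constructed page identifier
        with self._lock:
            self._active_page = page_id
        return page_id

    def auth_granted(self, page_id):
        """Stand-in for GET /auth_granted, fired by a tab once the scan is approved."""
        with self._lock:
            if self.single_window and page_id != self._active_page:
                return None                  # invalidated page: no token issued
            token = "up:yeah:" + secrets.token_hex(12)  # constructed, not a real token
            self._live_token = token         # revokes whatever token was live
            return token

    def ping(self, token):
        """Stand-in for GET /util/ping: 200 only for the currently live token."""
        with self._lock:
            return 200 if token is not None and token == self._live_token else 401


def simulate(single_window, tab_count=2):
    """Open `tab_count` tabs, approve one scan, let every tab fire auth_granted.
    The interleaving is fixed (tab-1 first, then tab-2, ...) so the run is
    reproducible; in a real browser the order is arbitrary, which is the race.
    Returns, per tab, whether a token was displayed and what ping says about it."""
    server = TokenServer(single_window)
    pages = {f"tab-{i + 1}": server.open_qr_page() for i in range(tab_count)}
    shown = {name: server.auth_granted(pid) for name, pid in pages.items()}
    return {name: ("displayed" if tok else "invalidated", server.ping(tok))
            for name, tok in shown.items()}


def stale_tokens_shown(result):
    """Count tabs that display a token the API already rejects: the user can
    copy one of these and get the 401 from the original report."""
    return sum(1 for state, status in result.values()
               if state == "displayed" and status == 401)


if __name__ == "__main__":
    for fixed in (False, True):
        res = simulate(single_window=fixed)
        print(f"single-window fix={fixed}: {res} "
              f"stale tokens shown={stale_tokens_shown(res)}")
```

Without the fix, every tab displays a token but only the last fetch is live, so any earlier tab is showing a dead credential; with the fix, only the most recently opened page can fetch at all, so the one token the user can copy is the one the API accepts.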

@d11wtq d11wtq closed this as completed Jul 29, 2020
@yogeshpathade
Author

Looks good. Thanks @d11wtq
