Race Condition w/ Multiple QR Code Tabs Open about api HOT 13 CLOSED

@d11wtq Thanks. I have generated a new token and used the latest generated token in the request. I can confirm that the old tokens are not used as explained on the docs that they will be revoked once new token is issued.

Are the requests monitored for the whitelisted IP Addresses? Does the request need to pass any additional headers etc?

from api.

@d11wtq No more an issue. I can get the response now. Not sure what was wrong.

Whats the token timeout?

{
    "meta": {
        "id": "9bec95e8-0ca8-42f2-9e10-585c2c84c0f1",
        "statusEmoji": "⚡️"
    }
}

from api.

We've just deployed a fix for this. Essentially now you can only have the QR code page open in one window at a time. Opening a new window invalidates the others.

from api.

@yogeshpathade thanks for reaching out. The token should have something after the up:yeah: part. Without posting the actual token here, can you confirm you are sending the full token correctly?

from api.

@d11wtq I can confirm I am passing through the actual token.
Removed it in the issue description for Security reason.

curl --location --request GET 'https://api.up.com.au/api/v1/util/ping' \ --header 'Authorization: Bearer up:yeah:oh<REMOVED'

from api.

Have you only generated one token? Currently generating a token will revoke any existing tokens.

from api.

Is it possible you have some additional white space before the token? Not seeing anything obvious on our end.

from api.

could you try wrap the --header part with "" instead of '' ?
--header "Authorization: Bearer up:yeah:oh<REMOVED"

from api.

Closing this issue. I could access all of my accounts and transactions.

Thanks for your help @d11wtq

from api.

Fantastic!

Whats the token timeout?

While we're in beta and access tokens are for personal use only, there isn't one. This will change when we start supporting third parties accessing your data.

from api.

Thanks, @d11wtq For your prompt response.

I found the problem with the Unauthorized 401 responses happening yesterday. It's probably a bug.
I had the get access token page open in multiple tabs of the browser https://api.up.com.au/getting_started and when one of them I scan a QR Code to confirm the IP address request from the Up App both (or all) the open pages fires the request

GET https://api.up.com.au/auth_granted 

to fetch the tokens which in the race condition one of them revokes the previously granted token. Assuming the Open tab page which is used to scan the QR Code has the latest token to copy makes the API request failed with 401 since the tokens are already overridden and revoked by some other pages in the background.
I should probably raise this as a bug?

from api.

Ohhhh, good find. That definitely sounds like a bug. @plasticine fyi.

from api.

Looks good. Thanks @d11wtq

from api.