[#1298] Using Simplybook API for server-side user identity verification -> Too Many Attempts

API General
,
1

Migrated from Redmine #1298 | Author: Janek Metsallik
Status: Feedback | Priority: Normal | Created: 2024-10-30

Hi,

Our solution is proxying Simplybook for user authentication. Our server routes the login attempts to the Simplybook’s 2fa; ‘admin/auth’ and '/admin/auth/2fa’. It has been a convenient method of combining Simplybooks provider management and scheduling with our custom application. However, as the number of users slowly grows, we observe more and more of the response 403 Too Many Attempts. Is there a proper way of using Simplybook’s API to verify users’ identities, or should we migrate?

Thanks for the help,
Janek

2

Dmytro Bondarev wrote:

Hi, you should cache token and reuse it and when it expires use refresh token to issue new access token.

3

Janek Metsallik wrote:

Thanks! Yes, I understand the idea of refresh tokens. However, the solution does not manage a session in Simplybook for the users. The solution uses Simplybook to verify the identity of users during authentication. Would you please comment on the following scenario:

  1. A user provides their username, password, and OTP on our custom login page.
  2. Our system calls Simplybook API “admin/auth” for user name and password verification.
  3. When Simplybook requests 2fa our system also calls Simplybook API “/admin/auth/2fa” for the user’s OTP verification.
  4. On success, our system continues serving the user
  5. In a few seconds, our system calls Simplybook API for “admin/logout” to release the session in Simplybook.

Simplybook often replies “Too many attempts”.

Thank you!

4

Janek Metsallik wrote:

I may have found the cause of the “too many attempts”. Our system did not complete the logout properly, which may have caused a number of lasting sessions. This was not usually successful:

  1. In a few seconds, our system calls Simplybook API for “admin/logout” to release the session in Simplybook.

I’m not sure if this was the actual cause and if I use the API according to the policy. However, I’ll keep you updated about the outcome.

5

Janek Metsallik wrote:

Solved . My attempts to outsmart the throttling of Simplybook authenticating from the server side did not lead to any useful results. The same “Too many attempts”. Eventually, we moved the authentication against Simplybook API to our client-side component, which is distributed to users’ devices. Now, the users do not receive “too many attempts” so often.