[#910] unauthorized access

Migrated from Redmine #910 | Author: Matt Weiner
Status: New | Priority: High, I’m very impatient | Created: 2022-07-15


I continually get “unauthorized access” errors after making a few API calls. I’ve tried renewing the token before every API call, but I still get the same error.

Can you please outline the recommended practice for when to renew an auth token? How long are they active for? Are we supposed to check if it’s expired prior to every API call? Does doing this cost an API call?

You have clearly made a change to your policies in the past 2-3 weeks because I never had this issue before. Can you please outline what changes were made and how we should handle API calls going forward?

Redmine Admin wrote:

Please provide the raw HTTP request and response. In any case, you should not create a new access token before each call; there are login limits to protect users from hackers. You always need to reuse the token, not create a new one for each call.

Matt Weiner wrote:

Redmine Admin wrote:

Please provide the raw HTTP request and response. In any case, you should not create a new access token before each call; there are login limits to protect users from hackers. You always need to reuse the token, not create a new one for each call.

Followup questions:

  1. How long until an authToken expires?
  2. How long until a refresh token expires?
  3. Is there a way to check the expiration date/time of an auth or refresh token?
  4. Are you suggesting that we only log in once and then use refresh tokens going forward to generate new auth tokens?

There’s definitely been a change to your policies. Can you please generate some form of documentation that specifies exactly how we should be using authTokens and refresh tokens?

Here’s the response: {"code":401,"message":"Unauthorized","data":,"message_data":}
The request that I’m making works sometimes, but not others:

	// Exchange the current refresh token for a new auth token / refresh token pair.
	sbmRefreshTokenHeaders = Map();
	sbmRefreshTokenHeaders.put("Content-Type","application/json");
	sbmRefreshTokenParameters = Map();
	sbmRefreshTokenParameters.put("company","companyName");
	sbmRefreshTokenParameters.put("refresh_token",refreshToken);
	refreshToken = invokeurl
	[
		url :"https://user-api-v2.simplybook.me/admin/auth/refresh-token"
		type :POST
		parameters:sbmRefreshTokenParameters.toString()
		headers:sbmRefreshTokenHeaders
	];
	// refreshToken now holds the response map; read the new values out of it.
	authToken = refreshToken.get("token");
	refreshToken = refreshToken.get("refresh_token");

	// Update the booking. sbmHeaders is built elsewhere and is not shown in this post.
	updateClientId = {"count":1,"start_datetime":bookingDetails.get("start_datetime"),"location_id":null,"category_id":bookingDetails.get("category_id"),"provider_id":bookingDetails.get("provider_id"),"service_id":bookingDetails.get("service_id"),"client_id":newClientId,"additional_fields":updateAdditionalFields};
	updateBooking = invokeurl
	[
		url :"https://user-api-v2.simplybook.me/admin/bookings/" + bookingId
		type :PUT
		parameters:updateClientId.toString()
		headers:sbmHeaders
	];

Redmine Admin wrote:

Hi,

  1. 30 min
  2. never
  3. no
  4. yes!

Unfortunately, it is impossible to check your code; we need the raw HTTP request data.
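
The token handling described in the answers above (log in once, reuse the auth token for its 30-minute life, renew it only through the refresh-token endpoint, and track age locally because expiry cannot be queried), as an added Python example that is not code from this thread or from SimplyBook. `TokenManager`, `post_json`, `do_request`, the one-minute safety margin and the single retry on a 401 are assumptions made for illustration; the transport is injected so the constructed `demo()` runs without network access.

```python
import time

REFRESH_URL = "https://user-api-v2.simplybook.me/admin/auth/refresh-token"  # from the thread
TOKEN_LIFETIME = 30 * 60  # auth token lifetime stated in the thread: 30 min
SAFETY_MARGIN = 60        # assumption: renew one minute before the stated lifetime

class TokenManager:
    """Reuses one auth token and renews it only via the refresh token."""
    def __init__(self, company, token, refresh_token, post_json, clock=time.monotonic):
        # post_json is a hypothetical transport: (url, dict) -> parsed JSON dict
        self.company, self.post_json, self.clock = company, post_json, clock
        self.token, self.refresh_token = token, refresh_token
        # Assumption: the token passed in was issued just now (at login).
        self.issued_at, self.refresh_count = clock(), 0

    def _refresh(self):
        body = self.post_json(REFRESH_URL, {"company": self.company,
                                            "refresh_token": self.refresh_token})
        # The thread's code reads both "token" and "refresh_token" from the response.
        self.token, self.refresh_token = body["token"], body["refresh_token"]
        self.issued_at = self.clock()
        self.refresh_count += 1

    def current_token(self):
        # Expiry cannot be queried, so the token's age is tracked locally.
        if self.clock() - self.issued_at >= TOKEN_LIFETIME - SAFETY_MARGIN:
            self._refresh()
        return self.token

    def call(self, do_request):
        """do_request(token) -> (status, body); refreshes and retries once on 401."""
        status, body = do_request(self.current_token())
        if status == 401:
            self._refresh()
            status, body = do_request(self.token)
        return status, body

def demo():
    """Constructed run: fake clock and fake refresh endpoint, no network."""
    now, sent = [0.0], []
    def fake_post(url, payload):
        sent.append(payload["refresh_token"])
        return {"token": f"tok{len(sent)}", "refresh_token": f"ref{len(sent)}"}
    tm = TokenManager("companyName", "tok0", "ref0", fake_post, clock=lambda: now[0])
    used = []
    for _ in range(5):  # five API calls, ten minutes apart
        used.append(tm.current_token())
        now[0] += 600
    return used, tm.refresh_count, sent
```

In `demo()`, five calls spread over 40 minutes trigger exactly one refresh, so no new login is needed and the login limits mentioned above are never approached.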

Matt Weiner wrote:

Redmine Admin wrote:

Hi,

  1. 30 min
  2. never
  3. no
  4. yes!

Unfortunately, it is impossible to check your code; we need the raw HTTP request data.

Super helpful information!