bunqCommunity / bunqDesktop

The unofficial, free and open source desktop application for the bunq API
https://bunqdesk.top
MIT License
272 stars 52 forks

Insufficient authorisation (couldn't reproduce) #279

Closed JeroenEeuwes closed 6 years ago

JeroenEeuwes commented 6 years ago

I'm new to bunqDesktop, I'm using it on Windows, version 0.8.11.

After toying with the date filter and generating the screenshots for issue 278 I got errors about insufficient authorisation: (screenshot: stats)

Unfortunately I can't reproduce this. On the remote chance that this is still somehow useful to report, see the screenshot above.

OGKevin commented 6 years ago

This means your session expired and you just have to refresh the app (F5). The session lasts as long as your auto logout setting in the bunq app. If you make the app make a call to the bunq servers in the last 30 seconds of your session, it will automatically be extended.

JeroenEeuwes commented 6 years ago

Thanks, that is exactly what might have happened as I have a short session time-out (5 minutes) and sometimes am a bit slow with typing.

I think it would be more user friendly to make a new session automatically when a user clicks on something that needs a new request and is denied access.

Or at least show some message like: "Your session expired. Press F5 to refresh and try again".

L00Cyph3r commented 6 years ago

I think it should be possible to reauthenticate upon this error (at least try it once). I'm not sure, but I don't think you even need to enter the password again since the bunq session is separate from your bunqDesktop session.

Crecket commented 6 years ago

There already is some code in place which automatically keeps the session alive by sending a request in the last 30 seconds. But in some situations it still seems to time-out so I'll look into it

JeroenEeuwes commented 6 years ago

I found out yesterday that with bunq the API key is matched against an IP address. So when I'm at home with my laptop I can't use the bunqDesktop API key created when I was at work.

Besides the fact that this is rather annoying when you are using the bunq API on a mobile platform, which can get lots of different IP addresses depending on which network it's connected to, I kind of get the point from a security view.

Anyway, at work we have multiple IP addresses (with different ISPs). Sometimes the router/firewall box puts a connection on a different line. For example when the main line is congested (because all PCs are downloading Windows updates or whatever) it will move some connections to a different line.

So it might well be that the session was not actually expired but a click somewhere in bunqDesktop went out on a different line. Unfortunately I have no way of knowing this for sure, as I can't check at the router which IP address was used to send the request. Or perhaps better worded as: I don't know how I can know this for sure.

I know this is a rather daft setup at my work, but I can't change the way it works :disappointed:

OGKevin commented 6 years ago

@JeroenEeuwes you can just enable wildcard IP, so that the API key can be used from any IP address.

OGKevin commented 6 years ago

bunqDesktop will never know the difference between an invalid API key, an invalid IP address and an expired session by looking at the error returned by bunq.

Crecket commented 6 years ago

I might add a settings page to add IP addresses to the current session, but that'll only work if you set the IPs in advance

ntimo commented 6 years ago

> I might add a settings page to add IP addresses to the current session, but that'll only work if you set the IPs in advance

@Crecket you could register the IP address when creating a new session automatically :) I could host a service that would return the IP address if you need that? And for session created before this feature a function to manually add the IP would be great indeed. This way bunqDesktop could warn you in advance before connecting to bunq that it won't work because the IP changed.

JeroenEeuwes commented 6 years ago

@OGKevin I know, but the bunq app itself warns you not to do this willy-nilly. So I'd rather not :pensive:

@Crecket I'm not really sure what you mean with that. I think the IP gets assigned to the key when you scan the QR with the bunq app. Is there a way to assign more IP addresses to one API key? I can't find it inside the bunq app (besides allowing all addresses). I do know all the IP addresses used at my work (until they change, of course).

JeroenEeuwes commented 6 years ago

@ntimo I don't think that'll work all the time. Because the request to bunq can go out on line A and the request to your service can go out on line B. So they don't need to match at all. Did I already mention we have a daft network setup? If not: we have a daft network setup.

Crecket commented 6 years ago

@JeroenEeuwes I mean that the bunq API allows you to add whitelisted IP addresses to a session, but in order to do that you need to be on a valid IP address, obviously. So I could let you manually add known IP addresses beforehand if you knew them in advance.

JeroenEeuwes commented 6 years ago

@Crecket OK, that would work for me. But this is not possible in the bunq app, I think? If it was somehow possible from bunqDesktop that would be OK for me.

It would also be great if the switch API key in bunqDesktop could show the IP address(es) that are valid for that key.

OGKevin commented 6 years ago

> @Crecket you could register the IP address when creating a new session automatically 😊

This is not true, you can only register IP addresses during the first device-server call.

> @OGKevin I know, but the bunq app itself warns you not to do this willy-nilly. So I'd rather not 😔

Fair enough. That's why I use a VPN.

> @JeroenEeuwes I mean that the bunq API allows you to add whitelisted IP address to a session

No 😭, only on the first device-server call. If you want to add more IP addresses later on, you must be logged in with a valid session; then you can make a PUT call to add more IPs, to an endpoint I don't know off the top of my head right now.

Crecket commented 6 years ago

@OGKevin that's what I'm saying though 😋 it is only helpful if you're already on a valid session

JeroenEeuwes commented 6 years ago

Last night at home I got a lot of these errors, even though my IP address was not changed at all. So even disregarding the daft setup at my work it seems it is not always working.

OGKevin commented 6 years ago

Bunq's authentication system seems alright. So if you get an invalid API key or IP address, then it's really invalid. 🤔 How are you sure that your IP didn't change?

On 30 Aug 2018 at 07:33, Jeroen Eeuwes notifications@github.com wrote:

> Last night at home I got a lot of these errors, even though my IP address was not changed at all. So even disregarding the daft setup at my work it seems it is not always working.


JeroenEeuwes commented 6 years ago

At home I only have 1 ISP. If I go to any of the "what is my ip address" sites they will actually show the IP address that will be used for all requests.

I have a dyndns updater running on my router and the IP address hasn't been changed in over a year. Before that I think it hadn't changed in over three years.

So even though I don't actually have a static IP address it's not like it is different every day.

Crecket commented 6 years ago

It might just be the session expiring, I noticed it yesterday at random which is why I left this open

JeroenEeuwes commented 6 years ago

I think I found another path into this situation today. When reinstalling the app I made a copy of my settings file and saw a log file in the same directory and took a peek when things went awry.

I usually don't log out of programs when I take my laptop somewhere else. bunqDesktop doesn't seem to handle this very well.

This is what happened today. I was logged in at place A. Then I put my laptop to sleep and went to place B and started working again. When I clicked on the (still open) bunqDesktop I had to enter my password again and the login failed. I expected that because of course the selected API was for place A.

I tried a few times to change this to another API key, but that didn't work, I kept getting the same errors. In the logfile this looks like this (I removed several lines in between each error):

13:10:24:333 suspend
13:46:01:404 resume
13:46:11:908 bunqJSClient run
13:47:36:963 bunqJSClient run
13:47:36:964 current apiKey not null and changed
13:47:36:965 === Loading session data ===
[...]
13:47:38:477 bunq API error: User credentials are incorrect. Incorrect API key or IP address.
[...]
13:47:43:093 bunq API error: User credentials are incorrect. Incorrect API key or IP address.
[...]
13:47:49:607 bunq API error: User credentials are incorrect. Incorrect API key or IP address.
[...]
13:47:53:899 bunq API error: User credentials are incorrect. Incorrect API key or IP address.
[...]
13:47:58:063 bunq API error: User credentials are incorrect. Incorrect API key or IP address.
[...]
13:48:02:017 bunq API error: User credentials are incorrect. Incorrect API key or IP address.
[...]
13:48:21:089 bunq API error: You entered an invalid code too many times. Please wait 10 minutes before trying again.
13:48:21:094 undefined
13:48:21:131 ReferenceError {}
13:48:21:134 -> #destroyApiSession(true)

So I closed bunqDesktop, waited 15 minutes and tried again. I was able to change the key and log in. Perhaps bunqDesktop can relay the message about having to wait 10 minutes? I only found out about it in the logfile.

Crecket commented 6 years ago

What happens is that the timing is off to keep the session alive, so it keeps sending requests every ~5 minutes depending on your logout time

So after a while it gets blocked automatically

JeroenEeuwes commented 6 years ago

The events from the logfile I pasted are all from under 1 minute. I don't think this was an automatic request, I was actively trying to change the API key and log in.

Crecket commented 6 years ago

I modified the JS client to simply create a new session when required. Instead of the old system of keeping the session alive which obviously fails when the system goes in sleep mode.

If a few people test it tomorrow and we get decent feedback then I'll close this issue.

JeroenEeuwes commented 6 years ago

It seems to be working better when doing "nothing". However, sometimes I still get errors. (screenshot: payment info)

This is the info from the logfile (with some numbers changed):

09:56:49:072 undefined
09:56:49:201 undefined
09:56:49:324 undefined
09:56:49:445 undefined
09:56:49:759 undefined
09:56:49:873 undefined
09:56:49:999 undefined
09:56:50:008 undefined
09:56:58:552 GET: /v1/user/xxxxxx/monetary-account/yyyy/payment/zzzzz
09:56:58:552 === Testing session installation sessionToken = blabla
09:56:58:553 Session invalid: expired
09:56:58:553 this.sessionExpiryTime.getTime() = 1535788499015
09:56:58:554 currentTime.getTime() = 1535788618553
09:56:58:555 === Attempting to fetch session
09:56:58:555 POST: /v1/session-server
09:56:58:690 bunq API error: Authentication token already has a user session.
09:56:58:694 undefined

I'm making wild guesses, but I think the sessionExpiryTime doesn't always get updated when a new request is made within the time limit. This was the last thing I saw in the logfile that looks like a valid request:

09:54:54:281 GET: /v1/user/xxxxx/monetary-account
09:54:54:282 === Testing session installation sessionToken = blabla
09:54:54:284 Session valid: true

Crecket commented 6 years ago

The original scenarios for this bug have been fixed so I'm closing this now. There still might be some edge cases which I don't know of but those will need their own issue on here