Open somdatt211991 opened 3 years ago
I think the api can be hit for the slots without the need for the bearer token - the token is needed for the Recaptcha, and it expires every 15 minutes.
What is the harm in keeping a bearer token alive for 24 hours? There's literally no reason why it should be 15 minutes, which causes us to be thrown out to the OTP page EXACTLY while we are booking the slot. Have a throttle mechanism for IP based hits to avoid the bots!
It's like the tatkal booking! You login to IRCTC and wait for the availability. Now as soon as the seats are allocated you get kicked out! This is good in some way if people are using bots. But the website has a vulnerability which allows slots to be booked using a bot.
Please look into the issue.
Why does the user get invalidated and thrown to the login screen when he tries to book the slot as soon as it becomes available, but the same token works perfectly fine for fetching the updated list of slots on the dashboard? If the token is not valid then the user should not be able to fetch the updated list of slots either.
Thanks
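The two server-side behaviours the report asks for, a per-IP throttle against bots and a single token-expiry check applied consistently to both the slot-listing and the slot-booking endpoints, sketched as an added example. This is illustrative code written for this thread, not code from the CoWIN project or from the issue author; the token lifetime of 15 minutes comes from the issue, while the rate limit of 10 requests per 60-second window, the `SlotApi` class and the `FakeClock` helper are constructed here so the example runs offline.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # 15-minute bearer-token lifetime described in the issue
RATE_LIMIT = 10               # assumed: max requests per IP per window
WINDOW_SECONDS = 60           # assumed: sliding-window length in seconds


class FakeClock:
    """Constructed clock so token expiry can be exercised without sleeping."""

    def __init__(self, start: float):
        self._t = start

    def time(self) -> float:
        return self._t

    def advance(self, seconds: float) -> None:
        self._t += seconds


@dataclass
class Session:
    issued_at: float


class SlotApi:
    """Hypothetical slot API: one IP throttle and one token check shared by every endpoint."""

    def __init__(self, now=time.time):
        self.now = now
        self.sessions: dict[str, Session] = {}       # bearer token -> session
        self.hits: dict[str, list] = defaultdict(list)  # client IP -> request timestamps

    def issue_token(self, token: str) -> None:
        self.sessions[token] = Session(issued_at=self.now())

    def _token_valid(self, token: str) -> bool:
        # Same rule for listing and booking: a token older than the TTL is rejected everywhere,
        # so a client cannot see fresh slots with a token that booking would refuse.
        s = self.sessions.get(token)
        return s is not None and self.now() - s.issued_at < TOKEN_TTL_SECONDS

    def _allow_ip(self, ip: str) -> bool:
        # Sliding window: keep only timestamps inside the window, then compare against the limit.
        cutoff = self.now() - WINDOW_SECONDS
        recent = [t for t in self.hits[ip] if t > cutoff]
        if len(recent) >= RATE_LIMIT:
            self.hits[ip] = recent
            return False
        recent.append(self.now())
        self.hits[ip] = recent
        return True

    def _handle(self, ip: str, token: str, action):
        # Throttle first so an expired-token flood still costs the caller nothing but a 429.
        if not self._allow_ip(ip):
            return 429, "rate limited"
        if not self._token_valid(token):
            return 401, "token expired"
        return 200, action()

    def list_slots(self, ip: str, token: str):
        return self._handle(ip, token, lambda: ["slot-A", "slot-B"])  # constructed slot list

    def book_slot(self, ip: str, token: str, slot: str):
        return self._handle(ip, token, lambda: f"booked {slot}")


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    api = SlotApi(now=clock.time)
    api.issue_token("tok")
    print(api.list_slots("203.0.113.5", "tok"))
    clock.advance(TOKEN_TTL_SECONDS)
    print(api.book_slot("203.0.113.5", "tok", "slot-A"))   # 401 on both endpoints once expired
```

Because `_handle` is the only path into either endpoint, the dashboard refresh and the booking call agree on whether a token is still valid, which is the consistency the report asks for; the throttle is keyed on the client IP and sits in front of the token check, so it applies to bots regardless of whether they hold a live token.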