cowinapi / developer.cowin

This group is created to facilitate technical and integration discussions related to cowin platform. API related contents can be obtained at API setu portal https://apisetu.gov.in/public/marketplace/api/cowin

Token Issue #353

Open somdatt211991 opened 3 years ago

somdatt211991 commented 3 years ago

Please look into the issue.

Why does the user get invalidated and thrown to the login screen when he tries to book the slot as soon as it becomes available, but the same token works perfectly fine for fetching the updated list of slots on the dashboard? If the token is not valid then the user should not be able to fetch the updated list of slots either.

Thanks

Mitalee commented 3 years ago

I think the api can be hit for the slots without the need for the bearer token - the token is needed for the Recaptcha, and it expires every 15 minutes.

What is the harm in keeping a bearer token alive for 24 hours? There's literally no reason why it should be 15 minutes, which causes us to be thrown out to the OTP page EXACTLY while we are booking the slot. Have a throttle mechanism for IP based hits to avoid the bots!
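Mitalee's suggestion of an IP-based throttle, as an added illustration that is not part of this thread or of the CoWIN project: a sliding-window limiter keyed by client IP, next to a check for the 15-minute token lifetime the comment mentions. The window size, request limit, IP addresses and traffic pattern below are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed parameters (assumptions for this example, not CoWIN's real values).
WINDOW_SECONDS = 60            # sliding window length
MAX_HITS_PER_WINDOW = 20       # hits a single IP may make inside one window
TOKEN_TTL_SECONDS = 15 * 60    # the 15-minute expiry mentioned in the thread


class IpThrottle:
    """Sliding-window request limiter keyed by client IP.

    Each IP keeps a queue of recent hit timestamps; hits older than the
    window are evicted before the limit is checked, so the limit applies
    to the last WINDOW_SECONDS of activity rather than to fixed buckets.
    """

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_HITS_PER_WINDOW):
        self.window = window
        self.limit = limit
        self._hits = defaultdict(deque)

    def allow(self, ip, now):
        """Return True if the request from `ip` at time `now` is within limits."""
        q = self._hits[ip]
        while q and q[0] <= now - self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # over the limit: deny, don't record
        q.append(now)
        return True


def token_is_valid(issued_at, now, ttl=TOKEN_TTL_SECONDS):
    """A token issued at `issued_at` is valid strictly before `issued_at + ttl`."""
    return now - issued_at < ttl


def simulate(throttle=None):
    """Replay constructed traffic through the throttle.

    Two clients: a bot-like burst of 25 hits in 10 seconds from 203.0.113.5
    and a human-like client polling every 10 seconds from 198.51.100.7.
    Returns (allowed, denied) hit counts per IP.
    """
    throttle = throttle or IpThrottle()
    events = [(i * 0.4, "203.0.113.5") for i in range(25)]       # burst
    events += [(i * 10.0, "198.51.100.7") for i in range(6)]     # steady polling
    events.sort()
    allowed, denied = defaultdict(int), defaultdict(int)
    for ts, ip in events:
        if throttle.allow(ip, ts):
            allowed[ip] += 1
        else:
            denied[ip] += 1
    return dict(allowed), dict(denied)


if __name__ == "__main__":
    ok, blocked = simulate()
    print("allowed:", ok)    # burst IP capped at 20, polling IP fully allowed
    print("denied: ", blocked)
    print("token valid at 14m59s:", token_is_valid(0, 899))
    print("token valid at 15m00s:", token_is_valid(0, 900))
```

The denied request is deliberately not recorded in the queue, so a client that keeps hammering the endpoint does not push its own window forward; it regains capacity only as its earlier accepted hits age out. Note that a throttle like this limits request volume per source address and is a complement to, not a replacement for, token expiry: an expired token still has to be rejected regardless of request rate.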

karsumit94 commented 3 years ago

It's like the tatkal booking! You log in to IRCTC and wait for the availability. Now as soon as the seats are allocated you get kicked out! This is good in some way if people are using bots. But the website has a vulnerability which allows it to book slots using a bot.