cowinapi / developer.cowin

This group is created to facilitate technical and integration discussions related to cowin platform. API related contents can be obtained at API setu portal https://apisetu.gov.in/public/marketplace/api/cowin

Getting HTTP 401 'Unauthenticated access!' errors despite having a valid bearer token #365

Open safiyat opened 3 years ago

safiyat commented 3 years ago

Hi!

So I have written a little script to query the private APIs of COWIN, periodically logging in using the OTP, and renewing the bearer token.

I use the same bearer token for up to ten minutes (a little less than the 15 minutes expiry), with my requests not crossing 75 per 5 minutes.

The issue I am facing is, even if I have just renewed the token, a third of my queries receive a 401 'Unauthenticated access!' error. What's weirder is that these errors are sporadic, and intermittent. One request receives 200, then the next 401, then the one after that receives 200 again.

Some summaries from the queries:

2021-05-30 12:33:32,856 INFO Total requests made: 34
2021-05-30 12:33:32,856 INFO Errors: 11

2021-05-30 12:40:53,786 INFO Total requests made: 34
2021-05-30 12:40:53,786 INFO Errors: 13

2021-05-30 12:46:05,015 INFO Total requests made: 34
2021-05-30 12:46:05,016 INFO Errors: 11

2021-05-30 12:48:31,591 INFO Total requests made: 34
2021-05-30 12:48:31,591 INFO Errors: 12

2021-05-30 12:50:58,228 INFO Total requests made: 34
2021-05-30 12:50:58,228 INFO Errors: 10

Any ideas why this could be the case?

2021-05-30 12:30:45,348 INFO Requesting an OTP for **********.
2021-05-30 12:30:45,350 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:30:45,531 DEBUG https://cdn-api.co-vin.in:443 "POST /api/v2/auth/generateMobileOTP HTTP/1.1" 200 48
2021-05-30 12:30:45,536 INFO generate_otp response: {"txnId": "c9abb12b-e60c-4327-bbc9-685d478def8d"}
2021-05-30 12:30:48,109 INFO Awaiting a new OTP message.
2021-05-30 12:31:07,267 INFO Received an OTP.
2021-05-30 12:31:07,274 INFO OTP: 527966
2021-05-30 12:31:07,302 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:31:07,561 DEBUG https://cdn-api.co-vin.in:443 "POST /api/v2/auth/validateMobileOtp HTTP/1.1" 200 682
2021-05-30 12:31:07,566 INFO Bearer token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.****************************************.oW0ohyJPusXFlENdtF9MKEKokG_ZLz61l2Xb9K1eWXU
2021-05-30 12:31:07,828 INFO CONF updated in the main: {'GENERAL': {'cutoff_slots': '5', 'mobile': '**********', 'auth_token': 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.****************************************.oW0ohyJPusXFlENdtF9MKEKokG_ZLz61l2Xb9K1eWXU'}, 'LOGGING': {'log_file': '/tmp/cowin.log', 'log_level': 'DEBUG'}, 'EMAIL': {'smtp_server': 'smtp.gmail.com', 'port': '587', 'sender_email_id': 'bot.************@gmail.com', 'receiver_email_id': '************@gmail.com', 'email_password': '**********'}, 'TELEGRAM': {'bot_token': '1603147***:AAHDnx*********1ajx4a6ZCr-********', 'main_client_chat_id': '52920****', 'api_id': '510****', 'api_hash': '*******0f40afbcafe4f49f*********'}}
2021-05-30 12:31:07,828 INFO Following the interval of 4 seconds.
2021-05-30 12:31:11,830 INFO ######################################################################################################################################################
2021-05-30 12:32:58,661 INFO District: Gurugram
2021-05-30 12:32:58,669 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:32:58,900 DEBUG https://cdn-api.co-vin.in:443 "GET /api/v2/appointment/sessions/calendarByDistrict?district_id=188&date=01-06-2021 HTTP/1.1" 200 None
2021-05-30 12:32:58,906 INFO Following the interval of 4 seconds.
2021-05-30 12:33:02,910 INFO ######################################################################################################################################################
2021-05-30 12:33:02,910 INFO District: Gurugram
2021-05-30 12:33:02,915 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:33:03,197 DEBUG https://cdn-api.co-vin.in:443 "GET /api/v2/appointment/sessions/calendarByDistrict?district_id=188&date=08-06-2021 HTTP/1.1" 401 23
2021-05-30 12:33:03,200 ERROR Exception requesting for Gurugram.
2021-05-30 12:33:03,200 ERROR Dataset: {"district_id": 188, "district_name": "Gurugram", "date": "08-06-2021", "filters": [{"vaccine": "COVISHIELD", "dose": "available_capacity_dose2", "min_age_limit": 18, "chat_ids": ["********"]}]}
2021-05-30 12:33:03,200 ERROR request: b'Unauthenticated access!'
2021-05-30 12:33:03,200 DEBUG Traceback (most recent call last):
  File "/*************/GitHub/cowin_slot_checker/check_slots.py", line 168, in fetch_results
    'Received error code %d.' % request.status_code)
requests.exceptions.RequestException: Received error code 401.

2021-05-30 12:33:03,201 INFO Following the interval of 4 seconds.
2021-05-30 12:33:07,205 INFO ######################################################################################################################################################
2021-05-30 12:33:07,205 INFO District: Dehradun
2021-05-30 12:33:07,238 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:33:07,435 DEBUG https://cdn-api.co-vin.in:443 "GET /api/v2/appointment/sessions/calendarByDistrict?district_id=697&date=30-05-2021 HTTP/1.1" 200 None
2021-05-30 12:33:07,459 INFO Following the interval of 4 seconds.
2021-05-30 12:33:11,462 INFO ######################################################################################################################################################
2021-05-30 12:33:11,462 INFO District: Ernakulam
2021-05-30 12:33:11,468 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:33:11,713 DEBUG https://cdn-api.co-vin.in:443 "GET /api/v2/appointment/sessions/calendarByDistrict?district_id=307&date=30-05-2021 HTTP/1.1" 200 None
2021-05-30 12:33:11,720 INFO Following the interval of 4 seconds.
2021-05-30 12:33:15,724 INFO ######################################################################################################################################################
2021-05-30 12:33:15,724 INFO District: Lakshadweep
2021-05-30 12:33:15,730 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:33:15,942 DEBUG https://cdn-api.co-vin.in:443 "GET /api/v2/appointment/sessions/calendarByDistrict?district_id=311&date=30-05-2021 HTTP/1.1" 401 23
2021-05-30 12:33:15,946 ERROR Exception requesting for Lakshadweep.
2021-05-30 12:33:15,947 ERROR Dataset: {"district_id": 311, "district_name": "Lakshadweep", "date": "30-05-2021", "filters": [{"dose": "available_capacity_dose1", "min_age_limit": 18, "chat_ids": ["********"]}]}
2021-05-30 12:33:15,947 ERROR request: b'Unauthenticated access!'
2021-05-30 12:33:15,947 DEBUG Traceback (most recent call last):
  File "/*************/GitHub/cowin_slot_checker/check_slots.py", line 168, in fetch_results
    'Received error code %d.' % request.status_code)
requests.exceptions.RequestException: Received error code 401.

2021-05-30 12:33:15,947 INFO Following the interval of 4 seconds.
2021-05-30 12:33:19,948 INFO ######################################################################################################################################################
2021-05-30 12:33:19,949 INFO District: Hyderabad
2021-05-30 12:33:19,955 DEBUG Starting new HTTPS connection (1): cdn-api.co-vin.in:443
2021-05-30 12:33:20,154 DEBUG https://cdn-api.co-vin.in:443 "GET /api/v2/appointment/sessions/calendarByDistrict?district_id=581&date=30-05-2021 HTTP/1.1" 200 None
2021-05-30 12:33:20,172 INFO Following the interval of 4 seconds.
2021-05-30 12:33:24,177 INFO #*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
2021-05-30 12:33:32,856 INFO No desirable data found.
2021-05-30 12:33:32,856 INFO Start time: 12:31:07     End time: 12:33:32      Time taken: 0:54:16.861703
2021-05-30 12:33:32,856 INFO Total requests made: 34
2021-05-30 12:33:32,856 INFO Errors: 11
2021-05-30 12:33:32,856 INFO

I have attached the complete logs below.

cowin.log

AdityaPimpalkar commented 3 years ago

Hey, what request headers did you add for the validateMobileOtp API? I am getting an "Endpoint request timed out" after I call that API.

Here is the code for validateMobileOtp -

function validateOtp() {
  var requestOptions = {
    method: "POST",
    headers: {
      Accept: "application/json",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      otp: sha256(document.getElementById("otp").value),
      txnId: localStorage.getItem("txnId"),
    }),
    redirect: "follow",
  };

  fetch(
    "https://cdn-api.co-vin.in/api/v2/auth/validateMobileOtp",
    requestOptions
  )
    .then((response) => response.text())
    .then((result) => localStorage.setItem("token", JSON.parse(result).token))
    .catch((error) => console.log("error", error));
}

Here is the code for generateMobileOTP -

function generateOtp() {
  var requestOptions = {
    method: "POST",
    headers: {
      Accept: "application/json",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      mobile: "888******",
      secret:
        "U2FsdGVkX1+z/4Nr9nta+2DrVJSv7KS6VoQUSQ1ZXYDx/CJUkWxFYG6P3iM/VW+6jLQ9RDQVzp/RcZ8kbT41xw==",
    }),
    redirect: "follow",
  };

  fetch("https://cdn-api.co-vin.in/api/v2/auth/generateMobileOTP", requestOptions)
    .then((response) => response.text())
    .then((data) => localStorage.setItem("txnId", data.txnId))
    .catch((error) => console.log("error", error));
}

Could you help me with this? Thanks

safiyat commented 3 years ago

@AdityaPimpalkar

I have a standard set of headers that I use for all the requests. I add the auth token to it once I have it.

The standard set of headers that I use:

{
  "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:88.0) Gecko/20100101 Firefox/88.0",
  "Accept": "application/json",
  "Accept-Language": "en-US",
  "Referer": "https://apisetu.gov.in/public/api/cowin",
  "Origin": "https://apisetu.gov.in",
  "DNT": "1",
  "Connection": "keep-alive",
  "Pragma": "no-cache",
  "Cache-Control": "no-cache",
  "TE": "Trailers"
}

When sending a request to generate OTP, this is the body:

{
        'mobile': mobile,
        'secret': token
}

When validating the same to get the bearer token,

{
        'otp': hashed_otp,
        'txnId': txn_id
}

From the excerpts you have shared, my suggestion is to add a user agent in the headers. And make sure it is some recognized browser. Use mine, if you don't want to look any further.

For a little more details: https://github.com/cowinapi/developer.cowin/issues/344#issuecomment-851023292

Somebody help with my problem as well. It is still unsolved.

dileepps commented 3 years ago

Public API from Cowin gives only cached data, so may not be very accurate. Once after login you get exact availability details. I have used the public API and developed a site for statistical analysis. http://dreamninja.shop/cowin/ I find it very difficult to use private APIs due to OTP validation and also restrictions in number of calls. Still I have developed a beta app similar to Cowin bot for Chrome which I will share in a week.

safiyat commented 3 years ago

@dileepps you may have misread my post. I am using private APIs for getting the data.

Somebody help with my problem as well. It is still unsolved.

badinenisaivardhan commented 3 years ago

Hey @safiyat, the issue is with the implementation of Authorization.

Bearertoken : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.****

Use authorization as header and value as Bearer token:

Authorization : Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.****

Hope this will work!

safiyat commented 3 years ago

> Hey @safiyat, the issue is with the implementation of Authorization.
>
> Bearertoken : eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.****
>
> Use authorization as header and value as Bearer token:
>
> Authorization : Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.****
>
> Hope this will work!

@badinenisaivardhan I have used it. Yes. That is why I was getting 200 in some of the protected API hits. I think the issue lies somewhere else.

Somebody help with my problem as well. It is still unsolved.
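
A diagnostic for the symptom reported in this thread, as an added example that is not code from any participant or from the CoWIN project: it reads the `exp` claim from the bearer token and labels each logged 401 as arriving after expiry or while the token was still valid, and it redacts the token before it is written to a log. Assumptions: the token is a JWT carrying a standard `exp` claim, the log timestamps are in the timezone passed as `tz` (UTC here), and the token and log lines are constructed samples in the urllib3 DEBUG format shown in the first post. The payload is decoded without signature verification, which is acceptable for client-side triage only.

```python
import base64, json, re
from datetime import datetime, timezone

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def jwt_claims(token):
    """Decode (without verifying) the JWT payload to read claims such as exp."""
    payload = token.split()[-1].split(".")[1]      # tolerate a leading "Bearer "
    payload += "=" * (-len(payload) % 4)           # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def redact(token):
    """Keep only the JWT header segment so log lines never carry a usable token."""
    return token.split(".")[0] + ".<redacted>"

LINE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ DEBUG \S+ '
                  r'"(?:GET|POST) (\S+) HTTP/1\.1" (\d{3}) ')

def triage_401s(log_lines, token, tz=timezone.utc):
    """Label each logged 401 'expired' or 'rejected-while-valid' using the token's exp."""
    exp = jwt_claims(token)["exp"]
    verdicts = []
    for line in log_lines:
        m = LINE.match(line)
        if m and m.group(3) == "401":
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
            state = "expired" if ts.timestamp() >= exp else "rejected-while-valid"
            verdicts.append((m.group(1), m.group(2), state))
    return verdicts

# Constructed sample: unsigned token whose exp is 15 minutes after a 12:31:07 UTC login.
EXP = int(datetime(2021, 5, 30, 12, 46, 7, tzinfo=timezone.utc).timestamp())
TOKEN = "Bearer " + ".".join([_b64({"alg": "HS256", "typ": "JWT"}), _b64({"exp": EXP}), "sig"])
BASE = 'DEBUG https://cdn-api.co-vin.in:443 "GET /api/v2/appointment/sessions/calendarByDistrict'
SAMPLE_LOG = [   # constructed lines in the urllib3 DEBUG format shown in the post
    f'2021-05-30 12:32:58,900 {BASE}?district_id=188&date=01-06-2021 HTTP/1.1" 200 None',
    f'2021-05-30 12:33:03,197 {BASE}?district_id=188&date=08-06-2021 HTTP/1.1" 401 23',
    f'2021-05-30 12:47:00,010 {BASE}?district_id=188&date=08-06-2021 HTTP/1.1" 401 23',
]

if __name__ == "__main__":
    print("token in use:", redact(TOKEN))
    for ts, path, state in triage_401s(SAMPLE_LOG, TOKEN):
        print(ts, state, path)
```

A run of `rejected-while-valid` verdicts means the client-side token lifetime is not the cause and the rejection originates on the server or an intermediary.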