dvankley / firefly-plaid-connector-2

Connector to pull Plaid financial data into the Firefly finance tool
GNU General Public License v3.0

400 Bad Request: ITEM_LOGIN_REQUIRED error code #39

Closed mkoval closed 1 year ago

mkoval commented 1 year ago

I get the following 400 response from Plaid even though I just refreshed my access token <24 hours ago:

io.ktor.client.plugins.ClientRequestException: Client request(POST https://development.plaid.com/transactions/get) invalid: 400 Bad Request. Text: "{
  "display_message": null,
  "error_code": "ITEM_LOGIN_REQUIRED",
  "error_message": "the login details of this item have changed (credentials, MFA, or required user action) and a user login is required to update this information. use Link's update mode to restore the item to a good state",
  "error_type": "ITEM_ERROR",
  "request_id": <snip>
  "suggested_action": null
}"

I think this means that I will need to repeat the authentication flow in the Plaid example app to update the credentials in the config file. Have you found a workaround for this?

dvankley commented 1 year ago

> I think this means that I will need to repeat the authentication flow in the Plaid example app to update the credentials in the config file.

I would think so, yes.

> Have you found a workaround for this?

A workaround for what? I've not seen this exact behavior (credentials expiring within 24 hours) before, although it's not out of the realm of possibility. I wouldn't say it's a bug per se unless you can confirm it's systemic, and even then it's probably going to be a problem with Plaid or the financial institution rather than the connector. The connector does very little with auth aside from passing in the token the user provides. Some of my accounts have their credentials expire more frequently than they seem they should (i.e. when I haven't changed my password), but it hasn't reached the level of more than mild irritation for me.

thechickenmoo commented 1 year ago

I assume this is what needs to be done. I haven't had the chance to see if the Plaid quickstart app has a "mode" for this or not.

https://plaid.com/docs/link/update-mode/#using-update-mode

EDIT:

I googled some more since I had a minute.

https://stackoverflow.com/questions/66181817/how-do-i-invoke-link-update-mode-in-the-plaid-sandbox-quickstart-app-node-js

This has some more direct instructions, but I didn't get them working myself. I'm probably doing something wrong, but maybe it will help you?

dvankley commented 1 year ago

In the past I have re-run the Plaid Quickstart app, authorized the financial institution in question as I did during initial setup, and replaced the account id in the connector's config file. I haven't tried the update flow, although maybe it allows you to keep the same account id while still fixing the credentials.

dvankley commented 1 year ago

I added a bit more detail in the README here: https://github.com/dvankley/firefly-plaid-connector-2/commit/8dc33fc22aff4a1a7edfff6550a7081be562e9e9.

mkoval commented 1 year ago

I spent some time debugging this. I think some financial institutions (at least Citi in my case) invalidate credentials pretty quickly (<24 hours) if you enable 2FA. I think this is on the Plaid side in this case: Citi has an actual API that doesn't have this problem (which other apps use), but Plaid doesn't seem to use it.

I ended up taking @dvankley's suggestion of re-running the quickstart app to generate a new account ID. It's pretty frustrating to have to update a YAML file and restart the connector every time I want to sync transactions, so I may write a small app that supports the link flow.

Thanks for the help!

thechickenmoo commented 1 year ago

I did the same, and so far, my institution doesn't invalidate as long as it's connecting often (the synced mode). I noticed as well that it does take up another of the 100 live credentials allowed in the developer program each time you generate a new link.

On November 12, 2023 11:56:41 AM PST, Michael Koval @.***> wrote:

> I spent some time debugging this. I think some financial institutions (at least Citi in my case) invalidate credentials pretty quickly (<24 hours) if you enable 2FA. I think this is on the Plaid side in this case: Citi has an actual API that doesn't have this problem (which other apps use), but Plaid doesn't seem to use it.
>
> I ended up taking @dvankley's suggestion of re-running the quickstart app to generate a new account ID. It's pretty frustrating to have to update a YAML file and restart the connector every time I want to sync transactions, so I may write a small app that supports the link flow.
>
> Thanks for the help!


mkoval commented 1 year ago

Oofph, I didn't realize that every re-authentication consumes another credential slot. It is interesting that synced mode does not have this problem for you. I have been running in batch mode, so perhaps I'll try that.

dvankley commented 1 year ago

> I spent some time debugging this. I think some financial institutions (at least Citi in my case) invalidate credentials pretty quickly (<24 hours) if you enable 2FA. I think this is on the Plaid side in this case: Citi has an actual API that doesn't have this problem (which other apps use), but Plaid doesn't seem to use it.

Interesting, I didn't know that. I use Citi but don't use 2FA and don't run into that problem, although it does seem to invalidate more often than my other institutions.

> I did the same, and so far, my institution doesn't invalidate as long as it's connecting often (the synced mode).

I suppose that's why I don't run into the issue, as I primarily use polled/synced mode. It seems odd that a consumer not using a credential would cause it to expire...

dvankley commented 1 year ago

> I noticed as well that it does take up another of the 100 live credentials allowed in the developer program each time you generate a new link.

That's alarming. I had not noticed that before, but my account status does seem to bear that out. Unfortunately it looks like removing items also doesn't reclaim the quota usage, which is frustrating.

I will definitely try the update flow next time, as that seems like the only way to avoid what effectively amounts to a time bomb (aside from making new Plaid accounts or contacting Plaid support).

If this is something that makes sense to build into the connector I would also consider that if it makes sense.

Thanks for the heads up on this, and keep me updated on how things proceed for you.

markwoodward86 commented 1 year ago

Just to add, it seems that CIBC in Canada invalidates the token round about every 6 hours by my estimation. I'll do some more investigating tomorrow as to whether that can be circumvented.

markwoodward86 commented 1 year ago

Confirming a 6-hour auth token for CIBC bank for me. I understand this is not the issue of the developers here but this does unfortunately render this application useless for me. Good work though, I will revisit in future to see if anything can be done about expiring auth tokens.

dvankley commented 1 year ago

@markwoodward86 sorry to hear that. Does your account use MFA or any additional level of security like that? As mentioned above, that can cause early credential invalidation. Ideally Plaid and/or the financial institutions would implement a workaround to this (like service-level accounts with reduced permissions), but not much I can do until they do. You could also try reaching out to Plaid support as mentioned here because that doesn't seem like correct behavior.

markwoodward86 commented 1 year ago

@dvankley I actually did a little more digging on the support site for Plaid and found that they are aware of this issue. Support case 123004 was opened a few months ago.

https://dashboard.plaid.com/activity/status/institution/ins_37

It appears that transaction success rate for CIBC is at 44%. CIBC force MFA with push or text notifications for every log in and times out in a browser with 5 minutes of inactivity. It is overkill but I kinda like their security-minded approach. Hopefully they come to an agreement with Plaid in the near future.

dvankley commented 1 year ago

@markwoodward86 good find!

dvankley commented 1 year ago

Added some more detail to the readme in https://github.com/dvankley/firefly-plaid-connector-2/commit/ce41da8e6a05b6c6b0555420b68ec16695a2cf86

dvankley commented 1 year ago

One of my accounts' credentials expired so I had the opportunity to dig into this a little more.

I created a fork of Plaid quickstart that supports passing in an access token as the input_access_token URL parameter to trigger the update flow. Currently I've only implemented it for the Java backend. It appears to work for me for the account that had expired, and I'll plan on using and maintaining this method going forward. I'll consider trying to get this merged upstream into quickstart, although I'm not sure I'll find the motivation to implement it for every flavor of backend.

I updated the connector readme in https://github.com/dvankley/firefly-plaid-connector-2/commit/2732b526dcb4b651fe62231377b1507b6ba348a9 to reflect this.
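Added example, not code from this thread, the connector or the quickstart fork: a Python sketch that pulls the Plaid error body out of an exception message like the one at the top of this issue, decides whether the Item needs Link's update mode, and builds the `/link/token/create` body for it (existing `access_token`, no `products`). The sample message, the `connector-relink` name, the country code and the `redact` helper are assumptions; the access token is a long-lived credential, so the sketch keeps it out of anything that gets logged.

```python
import json
import re

# Constructed sample shaped like the ktor exception quoted in this issue;
# the request_id is a placeholder and the error_message is shortened.
SAMPLE_EXCEPTION = (
    "io.ktor.client.plugins.ClientRequestException: Client request(POST "
    "https://development.plaid.com/transactions/get) invalid: 400 Bad Request. "
    'Text: "{\n  "display_message": null,\n'
    '  "error_code": "ITEM_LOGIN_REQUIRED",\n'
    '  "error_message": "the login details of this item have changed",\n'
    '  "error_type": "ITEM_ERROR",\n'
    '  "request_id": "PLACEHOLDER",\n  "suggested_action": null\n}"'
)

def parse_plaid_error(exception_message):
    """Extract the JSON error body that follows 'Text: "' in the exception."""
    match = re.search(r'Text: "(\{.*\})"\s*$', exception_message, re.DOTALL)
    if not match:
        return None
    try:
        return json.loads(match.group(1))
    except json.JSONDecodeError:
        return None

def needs_update_mode(error):
    """True when the user must log in again through Link for this Item."""
    return (isinstance(error, dict)
            and error.get("error_type") == "ITEM_ERROR"
            and error.get("error_code") == "ITEM_LOGIN_REQUIRED")

def update_mode_link_request(client_id, secret, access_token, client_user_id):
    """Body for POST /link/token/create in update mode: the existing Item's
    access_token is sent and no "products" list, so no new Item is created."""
    return {
        "client_id": client_id,
        "secret": secret,
        "client_name": "connector-relink",  # hypothetical display name
        "language": "en",
        "country_codes": ["US"],  # assumption: adjust to the institution
        "user": {"client_user_id": client_user_id},
        "access_token": access_token,
    }

def redact(body):
    """Copy of a request body that is safe to log (no secret, no token)."""
    return {k: "<redacted>" if k in ("secret", "access_token") else v
            for k, v in body.items()}
```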

markwoodward86 commented 1 year ago

@dvankley I have followed your latest instructions and will report back here in 6 - 24 hours with my observations from a CIBC Bank perspective. Thank you for your continued efforts on this, it is much appreciated.

markwoodward86 commented 1 year ago

I confirm this is working but due to CIBC specifically it only lasts me a few hours (cue sad face). I could easily keep re-authenticating via the quickstart interface without the need for constantly changing the application.yml in the connector, and perhaps more importantly, burning a developer token in Plaid, which is a massive help compared to the previous set up. Unfortunately for me specifically this is still more hassle than it is worth because of the CIBC police.