hmrc / vat-api

Fraud Prevention Headers v3 #834

Closed RichardD2 closed 3 years ago

RichardD2 commented 3 years ago

Yesterday you sent us an email telling us that we need to update our application to use v3 of the fraud prevention headers: Desktop application direct - HMRC Developer Hub

Having updated our application, the fraud prevention test API is now rejecting our requests.

Gov-Client-User-Agent=os-family=Windows&os-version=10.0.19042.0&device-manufacturer=System+manufacturer&device-model=System+Product+Name

INVALID_HEADER
Invalid format. Check the specification.
At least 1 separator is percent encoded. Check forward slashes, spaces and round brackets.
At least 1 value for OS family is missing
At least 1 value for OS version is missing

POTENTIALLY_INVALID_HEADER
At least 1 value for device manufacturer is missing
At least 1 value for device model is missing

As far as I can see, the header we're sending precisely matches the new specification.

Gov-Client-Local-IPs-Timestamp=2021-01-07T09:51:03.03Z

UNEXPECTED_HEADER Unrecognised header. Check format and spelling

This header is required according to the new specification.

Gov-Vendor-Product-Name=Visma+MTD

UNEXPECTED_HEADER Unrecognised header. Check format and spelling.

This header is required according to the new specification.

Gov-Client-Multi-Factor=

EMPTY_HEADER Value is empty. This may be correct for single factor authentication, for example username and password. If this is the case, you must contact us explaining why you cannot submit this header.

This is a direct desktop application running on a Windows PC. There is no multi-factor authentication. The new specification says that we are now required to send this header with an empty value.

Gov-Vendor-License-IDs=

EMPTY_HEADER Value required

This is a direct desktop application running on a Windows PC. There is no license ID. The new specification says that we are now required to send this header with an empty value.

Are we doing something wrong? Should we be ignoring the emails sent by SDSTeam@hmrc.gov.uk?
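
Added example (not part of the original post, and not HMRC or vat-api code): a local pre-flight check, in Python, for the `key=value&key=value` format of the Gov-Client-User-Agent value quoted above, run before a request reaches the validator. The function names `build_user_agent` and `check_user_agent` are hypothetical, the required keys are taken from the posted header, and strict RFC 3986 percent-encoding is an assumption; the page does not say whether the validator accepts `+` for a space.

```python
import re
from urllib.parse import quote, unquote

# Keys as they appear in the Gov-Client-User-Agent value quoted in the post.
REQUIRED_KEYS = ("os-family", "os-version", "device-manufacturer", "device-model")
# The header value exactly as posted above.
POSTED = ("os-family=Windows&os-version=10.0.19042.0"
          "&device-manufacturer=System+manufacturer&device-model=System+Product+Name")
# Constructed sample: the same fields before any encoding.
SAMPLE_FIELDS = {"os-family": "Windows", "os-version": "10.0.19042.0",
                 "device-manufacturer": "System manufacturer",
                 "device-model": "System Product Name"}


def build_user_agent(fields):
    """Join key=value pairs with '&'; RFC 3986 percent-encoding is an assumption."""
    return "&".join(f"{quote(k, safe='')}={quote(fields[k], safe='')}"
                    for k in REQUIRED_KEYS)


def check_user_agent(value):
    """Return (decoded_fields, problems) for a key=value&key=value header value."""
    fields, problems = {}, []
    for pair in value.split("&"):
        key, sep, raw = pair.partition("=")
        if not sep:
            problems.append(f"pair without '=': {pair!r}")
            continue
        if re.search(r"%(?![0-9A-Fa-f]{2})", raw):
            problems.append(f"{key}: malformed percent escape")
        if "+" in raw:
            # '+' means space only in form encoding; unquote() keeps it literal.
            problems.append(f"{key}: '+' decodes as a literal plus, not a space")
        fields[unquote(key)] = unquote(raw)
    for key in REQUIRED_KEYS:
        if not fields.get(key):
            problems.append(f"{key}: missing or empty")
    return fields, problems


if __name__ == "__main__":
    print(check_user_agent(POSTED)[1])
    print(build_user_agent(SAMPLE_FIELDS))
```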

rosco1974 commented 3 years ago

Looks like you've jumped the gun! You would think they would apply the changes to the test API before issuing the email to developers.

hmrc-api-team commented 3 years ago

Hi @RichardD2

Please refer to #565:

Questions about Fraud Prevention Headers that require HMRC support should be referred directly to SDSTeam@hmrc.gov.uk. They will not be answered by a member of HMRC on GitHub.

As the MTD API team cannot directly answer any Fraud Prevention questions, this repository will not be monitored for issues related to Fraud Prevention, and any new Issues raised around these Headers will be directed to this Issue and closed.

Please use this Issue instead for any discussion related to Fraud Prevention that does not require immediate HMRC support.

The developers maintaining the code in the vat-api do not work with Fraud Prevention Headers. Please contact SDSTeam@hmrc.gov.uk for any queries about Fraud Prevention Headers.