OBP-API
GET users/current returning wrong user when used with DL
This could be an out-by-one-index, latency or caching problem.
In a nutshell: register a new user (POST users), log in using DL, then get the current user (GET users/current); it returns a different user from the one just logged in. Repeatable.
Log from the OBPOnboard app (comments added to the log preceded by #):
# [1] create new user [email protected]
2016-09-03 14:41:17.647 OBPOnboard[2225:761460]
---Request------------------
URL: https://socgen-k-api.openbankproject.com/obp/v2.1.0/users
Method: POST
Content-Length: 79
Content-Type: application/json
Body: {"password":"123456","first_name":"t","email":"[email protected]","last_name":"l"}
----------------------------
2016-09-03 14:41:18.142 OBPOnboard[2225:761460]
Response: 201
Headers: {
"Access-Control-Allow-Headers" = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,authorization,origin,accept,client-security-token";
"Access-Control-Allow-Methods" = "GET, POST, OPTIONS";
"Access-Control-Allow-Origin" = "*";
"Cache-Control" = "no-cache, private, no-store";
Connection = "keep-alive";
"Content-Length" = 131;
"Content-Type" = "application/json; charset=utf-8";
Date = "Sat, 03 Sep 2016 12:39:35 GMT";
Expires = "Sat, 3 Sep 2016 12:39:35 GMT";
Pragma = "no-cache";
Server = "nginx/1.6.2";
"X-Frame-Options" = SAMEORIGIN;
"X-Lift-Version" = "2.6.3";
}
Body: {"user_id":"4dbe1ed5-243f-4261-998f-235b03ca7876","email":"[email protected]","provider_id":null,"provider":null,"display_name":"t l"}
# [2] new user [email protected] has id 4dbe1ed5-243f-4261-998f-235b03ca7876
# [3] (not shown in log) log in as user [email protected] --> DL token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyIiOiIifQ.RtOQ5cswG9GZRxz68iJPRyihnAJDQLnApSeUuGAHkfM
# [4] ask "who is current user?" ()
2016-09-03 14:42:39.675 OBPOnboard[2225:761460]
---Request------------------
URL: https://socgen-k-api.openbankproject.com/obp/v2.1.0/users/current
Method: GET
Authorization: DirectLogin token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyIiOiIifQ.RtOQ5cswG9GZRxz68iJPRyihnAJDQLnApSeUuGAHkfM"
Body:
----------------------------
# [5] request an online meeting (concurrent with user request, because this is simple and user is inferred)
2016-09-03 14:42:39.677 OBPOnboard[2225:761460]
---Request------------------
URL: https://socgen-k-api.openbankproject.com/obp/v2.1.0/banks/SGBC/meetings
Method: POST
Authorization: DirectLogin token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyIiOiIifQ.RtOQ5cswG9GZRxz68iJPRyihnAJDQLnApSeUuGAHkfM"
Content-Length: 50
Content-Type: application/json
Body: {"purpose_id":"onboarding","provider_id":"tokbox"}
----------------------------
# [6] response to "who is current user?" at [4]...
2016-09-03 14:42:39.896 OBPOnboard[2225:761460]
Response: 200
Headers: {
"Access-Control-Allow-Headers" = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,authorization,origin,accept,client-security-token";
"Access-Control-Allow-Methods" = "GET, POST, OPTIONS";
"Access-Control-Allow-Origin" = "*";
"Cache-Control" = "no-cache, private, no-store";
Connection = "keep-alive";
"Content-Length" = 163;
"Content-Type" = "application/json; charset=utf-8";
Date = "Sat, 03 Sep 2016 12:40:57 GMT";
Expires = "Sat, 3 Sep 2016 12:40:57 GMT";
Pragma = "no-cache";
Server = "nginx/1.6.2";
"X-Frame-Options" = SAMEORIGIN;
"X-Lift-Version" = "2.6.3";
}
Body: {"user_id":"c0b674a7-8977-4092-b033-7032f4101cc2","email":"[email protected]","provider_id":"[email protected]","provider":"kafka","display_name":"[email protected]"}
# ...WTF?! this is not user [email protected] with id 4dbe1ed5-243f-4261-998f-235b03ca7876, and I have never logged in as [email protected] - I don't know your password.
And here is a second log from the following day, where the user of the previous day is returned:
2016-09-04 07:59:31.855 OBPOnboard[2406:804187]
---Request------------------
URL: https://socgen-k-api.openbankproject.com/obp/v2.1.0/users
Method: POST
Content-Length: 80
Content-Type: application/json
Body: {"password":"123456","first_name":"t","email":"[email protected]","last_name":"l4"}
----------------------------
2016-09-04 07:59:33.063 OBPOnboard[2406:804187]
Response: 201
Headers: {
"Access-Control-Allow-Headers" = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,authorization,origin,accept,client-security-token";
"Access-Control-Allow-Methods" = "GET, POST, OPTIONS";
"Access-Control-Allow-Origin" = "*";
"Cache-Control" = "no-cache, private, no-store";
Connection = "keep-alive";
"Content-Length" = 132;
"Content-Type" = "application/json; charset=utf-8";
Date = "Sun, 04 Sep 2016 05:57:49 GMT";
Expires = "Sun, 4 Sep 2016 05:57:49 GMT";
Pragma = "no-cache";
Server = "nginx/1.6.2";
"X-Frame-Options" = SAMEORIGIN;
"X-Lift-Version" = "2.6.3";
}
Body: {"user_id":"d080cc48-07ba-411f-8589-17d5e077ac25","email":"[email protected]","provider_id":null,"provider":null,"display_name":"t l4"}
# direct login with this new user happens at this point, but is not shown in this log
# note that the DL token below is different from the token in the previous log
2016-09-04 07:59:47.053 OBPOnboard[2406:804187]
---Request------------------
URL: https://socgen-k-api.openbankproject.com/obp/v2.1.0/users/current
Method: GET
Authorization: DirectLogin token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyIiOiIifQ.oMEQHyqQWCCgHbbMjrLttnaj-B83nDQJB6hXdGHvPEI"
Body:
----------------------------
2016-09-04 07:59:47.055 OBPOnboard[2406:804187]
---Request------------------
URL: https://socgen-k-api.openbankproject.com/obp/v2.1.0/banks/SGBC/meetings
Method: POST
Authorization: DirectLogin token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyIiOiIifQ.oMEQHyqQWCCgHbbMjrLttnaj-B83nDQJB6hXdGHvPEI"
Content-Length: 50
Content-Type: application/json
Body: {"purpose_id":"onboarding","provider_id":"tokbox"}
----------------------------
2016-09-04 07:59:47.289 OBPOnboard[2406:804187]
Response: 200
Headers: {
"Access-Control-Allow-Headers" = "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,authorization,origin,accept,client-security-token";
"Access-Control-Allow-Methods" = "GET, POST, OPTIONS";
"Access-Control-Allow-Origin" = "*";
"Cache-Control" = "no-cache, private, no-store";
Connection = "keep-alive";
"Content-Length" = 181;
"Content-Type" = "application/json; charset=utf-8";
Date = "Sun, 04 Sep 2016 05:58:03 GMT";
Expires = "Sun, 4 Sep 2016 05:58:03 GMT";
Pragma = "no-cache";
Server = "nginx/1.6.2";
"X-Frame-Options" = SAMEORIGIN;
"X-Lift-Version" = "2.6.3";
}
Body: {"user_id":"4dbe1ed5-243f-4261-998f-235b03ca7876","email":"[email protected]","provider_id":"[email protected]","provider":"https://socgen-k-api.openbankproject.com","display_name":"t l"}
# ...this is the user created yesterday, shown in the previous log!
Assigned to Petar (urgent)
After thorough investigation, the verdict is that the bug is in the south-side socgen connector. Other connectors do not manifest this problem, nor does it appear when using the mapper instead of the kafka connector.
Attached are two python scripts that can be used for testing.
bug146_meeting.py - runs in a loop sending meeting requests
bug146.py - logs in as an already existing user, creates a new user, logs in as the new user and shows the currently logged in user
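As an added regression check (not one of the scripts attached to the issue), the reproduction steps [1]-[4] from the first log and the create-login-whoami sequence attributed to bug146.py are run through an injectable HTTP transport, so the constructed replay at the bottom reproduces the mismatch offline; the DirectLogin endpoint and header format are assumed from OBP's DirectLogin documentation, since the log omits that step.

```python
from typing import Callable, Dict, Optional, Tuple

# A transport takes (method, path, headers, json_body) and returns (status, parsed_json);
# swap the replay below for a urllib/requests wrapper to run against a live instance.
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]
API = "/obp/v2.1.0"

def _call(send: Transport, method: str, path: str, headers: Dict[str, str], body: Optional[dict], want: int) -> dict:
    status, reply = send(method, path, headers, body)
    if status != want:
        raise RuntimeError(f"{method} {path} returned HTTP {status}, expected {want}")
    return reply

def create_user(send: Transport, email: str, password: str) -> str:
    """Step [1] of the issue: POST users; returns the new user_id."""
    body = {"email": email, "password": password, "first_name": "t", "last_name": "l"}
    return _call(send, "POST", API + "/users", {"Content-Type": "application/json"}, body, 201)["user_id"]

def direct_login(send: Transport, email: str, password: str, consumer_key: str) -> str:
    """Step [3]: DirectLogin. Endpoint and header format are assumed from the OBP DirectLogin docs (not in the log)."""
    auth = f'DirectLogin username="{email}",password="{password}",consumer_key="{consumer_key}"'
    return _call(send, "POST", "/my/logins/direct", {"Authorization": auth}, None, 200)["token"]

def current_user(send: Transport, token: str) -> dict:
    """Step [4]: GET users/current with the token header exactly as the log shows."""
    return _call(send, "GET", API + "/users/current", {"Authorization": f'DirectLogin token="{token}"'}, None, 200)

def check_identity(send: Transport, email: str, password: str, consumer_key: str = "CONSUMER_KEY_PLACEHOLDER") -> dict:
    """Runs create -> login -> whoami and reports whether the session resolves to the user just created."""
    created_id = create_user(send, email, password)
    me = current_user(send, direct_login(send, email, password, consumer_key))
    return {"created_id": created_id, "current_id": me["user_id"], "current_email": me.get("email"),
            "provider": me.get("provider"), "match": created_id == me["user_id"]}

# Constructed offline transport replaying the user_ids and provider from the first log in
# the issue; e-mails are placeholders and the login reply is invented for the replay.
REPLAY = {
    ("POST", API + "/users"): (201, {"user_id": "4dbe1ed5-243f-4261-998f-235b03ca7876",
                                     "email": "new-user@example.com", "provider": None}),
    ("POST", "/my/logins/direct"): (200, {"token": "replay-token"}),
    ("GET", API + "/users/current"): (200, {"user_id": "c0b674a7-8977-4092-b033-7032f4101cc2",
                                            "email": "other-user@example.com", "provider": "kafka"}),
}

def replay_transport(method: str, path: str, headers: Dict[str, str], body: Optional[dict]) -> Tuple[int, dict]:
    return REPLAY[(method, path)]

if __name__ == "__main__":
    result = check_identity(replay_transport, "new-user@example.com", "123456")
    print("OK" if result["match"] else f"MISMATCH: created {result['created_id']} but current is {result['current_id']} ({result['provider']})")
```

Against a live instance the same check, run in a loop alongside the meeting requests, separates a stable wrong mapping from the latency or caching race the reporter suspected.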