Hi, from the documentations, it is stated that:
Messages are further validated by timestamps, to help guard against replay attacks. Messages are only considered valid if they are processed at the point in time corresponding to their Date
request header. A small buffer is used in this calculation to allow for minor clock drifts, discrepancies between client and server clocks, and data transfer round trip times. It is advised that when integrating with the World-Check One API, the machines involved in API communication are properly time synchronised via NTP to help prevent any message validity issues.
Can I know what the exact buffer time is? One of my requests is hitting Unauthorized although the Authorization header generated is correct. So I'm suspecting it's the date timestamp being stale.
Thank you!
The buffer time is about 40-50 seconds after which we consider the timestamp to be outdated.
I request you to pass the correct time by synchronizing your server clock or the system clock with NTP or the GMT clock, and see if you are getting a 2XX response in return.
You can check if the HMAC signature you are sending is correct, by using Postman too.
Hi @Irfan.Khan, upon investigating the timestamp and the response returned:
Request timestamp: Sat, 01 Sep 2018 18:16:00 GMT
Response returned at: 2018-09-01 18:17:40.110507
There is a 1 minute 40 seconds interval. Can I ask your team to check when you received our request? This happened in the production environment, so we would like to prevent the same issue from happening again.
Thank you.
Thank you for your response.
It is highly unlikely that the request would take 1 minute 40 seconds to reach the WC1 API server. Also, the response time of our API is generally in the range of 200 ms to 600 ms, while some POST requests may take longer, but not more than 700 ms.
One of the ways of identifying whether the timestamp sent in the Date header value is out of sync is to compare the request Date header value with the response Date header value. In this case, I see the timestamp to be out of sync by 1 minute and 40 seconds.
After the necessary change to synchronize the server clock/network or the system with NTP, your HTTP requests should be honored correctly.
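The two checks discussed in this thread, the 40-50 second validity window on the Date header and the comparison of the request Date against the response Date, are shown below in an added Python example. This is illustrative code written for this page, not the World-Check One API's own implementation or SDK. It assumes the Authorization header format visible in the thread (`Signature keyId=...,algorithm="hmac-sha256",headers="(request-target) host date",signature=...`) follows the draft-cavage HTTP Signatures layout for its signing string, and uses constructed placeholder credentials, a constructed case id and a 45 second window chosen as a mid-point of the range the support reply quotes.

```python
import base64
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample values for this example; not real World-Check One credentials.
SAMPLE_KEY_ID = "example-key-id"
SAMPLE_SECRET = b"example-shared-secret-not-a-real-key"
SAMPLE_HOST = "rms-world-check-one-api.thomsonreuters.com"
SAMPLE_PATH = "/v1/cases/EXAMPLE-CASE-ID/results"   # placeholder case id

# The thread quotes a validity window of roughly 40-50 seconds; 45 s is a
# mid-point chosen for this example, not a documented value.
ALLOWED_SKEW = timedelta(seconds=45)


def signing_string(method, path, host, date_header):
    """Build the text that is HMAC'd when the Authorization header declares
    headers="(request-target) host date" (draft-cavage layout, assumed here)."""
    return "\n".join([
        f"(request-target): {method.lower()} {path}",
        f"host: {host}",
        f"date: {date_header}",
    ])


def build_authorization(secret, key_id, method, path, host, date_header):
    """Client side: produce the Authorization header value for one request."""
    message = signing_string(method, path, host, date_header).encode("utf-8")
    signature = base64.b64encode(hmac.new(secret, message, hashlib.sha256).digest()).decode("ascii")
    return (f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
            f'headers="(request-target) host date",signature="{signature}"')


def parse_authorization(value):
    """Parse 'Signature k="v",k2="v2",...' into a dict (values contain no quotes)."""
    scheme, _, params = value.partition(" ")
    if scheme != "Signature":
        return None
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


def parse_http_date(value):
    """RFC 7231 date string -> aware UTC datetime (a naive result is treated as UTC)."""
    parsed = parsedate_to_datetime(value)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


def skew_seconds(request_date_header, response_date_header):
    """Gap between the Date the client sent and the Date the server answered with:
    the comparison the support reply recommends for spotting a stale clock."""
    delta = parse_http_date(response_date_header) - parse_http_date(request_date_header)
    return abs(delta.total_seconds())


def verify_request(secret, method, path, host, headers, now, skew=ALLOWED_SKEW):
    """Server side: reject stale Dates first, then check the HMAC. Returns (ok, reason)."""
    if abs(now - parse_http_date(headers["Date"])) > skew:
        return False, "stale date"
    params = parse_authorization(headers["Authorization"])
    if not params or params.get("algorithm") != "hmac-sha256" \
            or params.get("headers") != "(request-target) host date":
        return False, "unsupported signature parameters"
    expected = hmac.new(secret, signing_string(method, path, host, headers["Date"]).encode("utf-8"),
                        hashlib.sha256).digest()
    try:
        presented = base64.b64decode(params.get("signature", ""), validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False, "malformed signature"
    if not hmac.compare_digest(expected, presented):   # constant-time comparison
        return False, "bad signature"
    return True, "ok"


def demo():
    """Replay the thread's timing: Date of 18:16:00, server answering at 18:17:40."""
    request_date = "Sat, 01 Sep 2018 18:16:00 GMT"
    headers = {
        "Date": request_date,
        "Authorization": build_authorization(SAMPLE_SECRET, SAMPLE_KEY_ID, "GET",
                                             SAMPLE_PATH, SAMPLE_HOST, request_date),
    }
    on_time = datetime(2018, 9, 1, 18, 16, 20, tzinfo=timezone.utc)   # 20 s later: inside window
    late = datetime(2018, 9, 1, 18, 17, 40, tzinfo=timezone.utc)      # 100 s later: rejected
    return (verify_request(SAMPLE_SECRET, "GET", SAMPLE_PATH, SAMPLE_HOST, headers, on_time),
            verify_request(SAMPLE_SECRET, "GET", SAMPLE_PATH, SAMPLE_HOST, headers, late),
            skew_seconds(request_date, "Sat, 01 Sep 2018 18:17:40 GMT"))


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the same request accepted 20 seconds after its Date and rejected as stale 100 seconds after it, with a correct signature in both cases, which is why a 401 on an otherwise well-formed request points at the clock rather than the HMAC. `skew_seconds` is the client-side check from the support reply: log the response Date header next to the request Date and alert when the gap approaches the window.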
Only this particular request (out of many successful requests) took 1 minute 40 seconds. Our server time is already synced with NTP.
Thank you for the clarification.
Can you kindly provide me the endpoint or the API call that took a response time of 1 minute and 40 seconds?
Also, was this API call part of a batch of concurrent requests sent at the same time, or was it just a single request? If the former, how many requests were sent concurrently?
Please specify the response code of the API call so that I can check the server logs.
Only this particular request (out of many successful requests) took 1 min 40 seconds. The system time is also synced to NTP. Is there any way you can get the log from your side?
Kindly provide me the below information so that I can check this.
1. The API call or the endpoint that was requested.
2. Was this API call part of a set of concurrent requests, or was it just a single request sent at that second?
3. Please specify the response code that you received for the API call in question.
1. API call: https://rms-world-check-one-api.thomsonreuters.com/v1/cases/0a3687c4-654c-19ee-9964-174d0032903d/results
2. It was a single request at that second.
3. The response returned a 401 Unauthorized status code.
Thank you for your patience.
I had written to the dev team to check the logs to identify the root cause. They have responded that they would need the raw request and response for the reported API call so that they can investigate further.
Kindly provide us the raw request and response so that we can proceed further with this.
Thanks.
The request headers are as follows (the apikey has been removed):
[{ "Key":"Cache-Control", "Value":["no-cache"] },{ "Key":"Authorization", "Value":["Signature keyId=\"removed\",algorithm=\"hmac-sha256\",headers=\"(request-target) host date\",signature=\"TMdAA00uHhLSfygvLa/89tdU0a3Pw0WbupsZcHkjsQc=\""] },{ "Key":"Date", "Value":["Sat, 01 Sep 2018 18:16:00 GMT"] }]
For the response, we only log the HTTP status code, which is 401 Unauthorized.
Thank you for the requested info.
It is interesting to see that you were returned only 401 Unauthorized in the response header, as we generally return a lot of other info in it.
I have forwarded the details to our dev team and will get back to you with updates as soon as I have them.
Thanks
Our dev team has replied that the response header is important to pull the required logs.
Also, the raw request provided only has the header; the method and the request params are missing. Can you please provide the missing information?
Appreciate your patience and cooperation in this regard.