API key suddenly stopped working

[ghost]

Describe the bug
We had a test running on https://try.iotagency.sigfox.com but it had stopped reporting on the 22nd of January. (The first message that got the 401 arrived at 2019-01-22 10:37:40)

On the SigFox backend we got a 401 message:

[ERROR] - Base station 3849 - 1 second
401 - Unauthorized - #1
POST https://api.try.iotagency.sigfox.com/api/Messages/sigfox HTTP/1.0
authorization : <was valid, redacted for obvious reasons>
content-length : 180
accept-encoding : gzip,deflate
accept-language : fr
host : api.try.iotagency.sigfox.com
user-agent : SIGFOX
accept-charset : UTF-8;q=0.9,*;q=0.7
content-type : application/json

{ "deviceId": "20AEAB", "time": 1548682015, "seqNumber": 9, "data": "101207480000000100000001", "reception": [{ "id": "3849", "RSSI": -118.00, "SNR": 18.11 }], "duplicate": false }

The authorization key was however correct.
I generated a new authorization key and inserted this one in the SigFox backend, and the 401 messages disappeared. The device is now reporting again.

Expected behavior
The key should have continued to work as it had already been running for a couple of days.

[adechassey]

Hello Giovanni,
This is quite strange as the error has already been seen some time ago.
I will keep track of this issue but a new way of managing the developer access tokens has to be implemented in the future anyway. @siyu6974 will have a look at this this week if he can.
I know the Sigfox Backend can also be buggy, do not hesitate to validate twice when updating the callbacks...

[ghost]

Hello Antoine,

Just to clarify, we did not do any changes at the time. The callback was set up somewhere at the end of december and had been running fine up until Jan. 22.
It was only today when I noticed the demo was not working anymore on the dashboard page that I needed to update the callback with a new API key.

Kind regards,
Giovanni.

[adechassey]

Hello Giovanni,

Coming back to this issue, I just figured the tokens where automatically deleted when a user changes his password.
This is a default security functionality implemented by Loopback (the backend framework used).
When I have some time, I will isolate developer access tokens to another collection, preventing this to happen.
I'll let the issue open until I implement the fix.

Best regards,
Antoine

[Vandewaetere]

Hi Antoine,

I just noticed that again the tokens got deleted recently (so our devices stopped reporting because of an authorization error).
I see that there has been some activity on this repository again.
Was our auth. key deleted due to an update? This time I am sure I did not change the password.

In the future can we expect this to happen again?

Kind regards,
Giovanni.

[adechassey]

Hi Giovanni,

Nothing must have been deleted.
The only possible error I see might be a change in the callbacks on the Sigfox Backend..

Best,
Antoine