WAVE API TEAM THREAD - Authorization issues (403 returned at Cloudflare)
UPDATE - MARCH 4th, 2022:
Wave's engineering team has validated alternative security layers and is implementing changes that will shortly allow us to remove the Cloudflare protections that have been the source of 403 responses experienced by many API users.
We expect that these changes will be implemented no later than Monday, March 14th, and will restore normal service for all API users.
We apologize for the sustained interruption that many have experienced.
**ORIGINAL POST **
Issue:
A number of Wave integration users have been reporting issues receiving an Authorization token, being blocked instead with a 403 response from Cloudflare.
Cause:
All Wave systems are protected by multiple layers of security, and one of these is filtering at Cloudflare.
Beginning this week, we have been seeing elevated levels of “false positives”, with legitimate integration users being flagged/blocked as potentially malicious bot traffic. Not all integrations are impacted, and as yet we have not determined what is causing some to be blocked and not others.
Wave Actions:
Our API engineering and information security teams are currently pursuing two avenues to seek a resolution:
- Tuning and optimization of our protections at Cloudflare to reduce false positives while retaining the necessary security benefits, and
- Investigating alternative and additional security layers that would provide equivalent or greater protections if we greatly reduce or eliminate our Cloudflare filtering.
Time Horizon:
Our API systems team is working on this issue as a priority, however due to the discovery-led nature of the work, we do not currently have a projected resolution date.
Progress / Status Updates
We do understand the challenges and inconvenience that this issue is calling, and apologize if your integration is one that is being impacted.
We will post regular progress / status updates to this thread. Please bookmark and check back regularly.
Comments
Thank you. I've alerted my team to this new thread.
This is promising. Thank you for the transparency. Our domains use Cloudflare, should we move them off CF? Will that help?
There is no indication that using Cloudflare contributes to triggering a false-positive @Ottawa_Mike. I would not suggest making such changes.
@PaulC would you be willing to give a twice weekly update? I have more than 100 platform subscribers who are affected by this outage and I would like to provide them with updates so that they know we are working on it.
@samyak, please feel free to add comments here if needed.
hi @PaulC, 4 days ago i forwarded issue that you are having while connecting waveapps with our application. i am yet to receive response about it. i know you said that your team is working, if in case waveapps api changes. we would like to receive an update about it as well.
@samyak Please review your DMs, and please let me know if you are continuing to see issues. Thanks.
@PaulC - Thank you for your assistance! We are back up and running with our Waveapps integration. We appreciate your attention to this issue.
I'm getting a 403 when I'm trying to authenticate with an app I created. Is there still an issue?
@PaulC
We are still experiencing the same issue - https://community.waveapps.com/discussion/11460/error-1020-from-cloudflare/p1?new=1
Please help us.
@PaulC
Please can you fix the Wave oAuth issue asap?
Because, As I mentioned earlier we have over 300 customers who are using our product. And We received the support ticket from all the customers regarding the issue. https://community.waveapps.com/discussion/11477/wave-oauth-connecting-error
Same issue here. Trying to use
https://api.waveapps.com/oauth2/token/
and 403 forbidden with the message "error code: 1020".Is there an ETA for this? Any header that I can add to resolve this? Any solution?
Also experiencing this issue.
@samyak can you share what we did here please? Sounds like other developers are not getting a response from the waveapps team.
@DavidFeeley @Railz_ai we did solve the issue by sending our site ip to @PaulC who could whitelist your application site.
thanks @samyak @VOICEOVERVIEW
Any updates on this? The ip whitelist does not solve this for development on our side.
@PaulC Can we get an update please? There have been no updates since January 17th.
thanks
Dave
Hello,
Please see update to the post at the head of this thread.
This issue will be resolved for all users no later than Monday, March 14th.
Thank you for bearing with us in this.
@PaulC, thanks, confirmed that token auth is working for me again now.
This worked for us also. Thanks for the solution.