Newly introduced iTunes Connect login rate limit on idmsa.apple.com counts successful attempts

Originator: KrauseFx
Number: rdar://35884832
Date Originated: December 6 2017
Status: Open
Resolved: Nope
Product: iTunes Connect
Product Version:
Classification: Serious Bug
Reproducible: Always
 
Apple ID of the User: felix@sunapps.net

Summary:
A few weeks ago, the iTunes Connect login API endpoint at https://idmsa.apple.com/appleauth/auth/signin gained a new rate limit. That is welcome in itself; however, the limit also counts successful attempts, so logging in multiple times within a minute for one account from one IP address causes problems. This affects larger companies that share a single outbound IP address and a shared Apple ID. The error message returned when the rate limit is hit is also unclear, as it does not indicate the actual reason for the failure.

Steps to Reproduce:
- Log in to iTunes Connect multiple times within a short period using the same Apple ID and IP address

Expected Results:
- Since the login attempts use a valid username and password, you should not be locked out of your account, even if you log in many times within a short period

Actual Results:
- Your account gets locked, and is only unlocked after a given time, or by logging in from a different IP address
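To make the distinction in this report concrete, here is an added example (not Apple's code, whose implementation is not public) of a sliding-window login throttle keyed on Apple ID and client IP. With count_successes=True it reproduces the reported behaviour: a shared account logging in six times in 30 seconds with valid credentials is locked out on the sixth attempt. With count_successes=False only failed attempts count, a success clears the window, and the throttled response names its reason. The account, IP, limit and window are constructed values.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # constructed: length of the sliding window
MAX_ATTEMPTS = 5      # constructed: counted attempts allowed per window


class LoginThrottle:
    """Sliding-window throttle keyed on (account, client IP).

    count_successes=True counts every attempt, valid or not, which is the
    behaviour the report describes. count_successes=False is the usual
    brute-force defence: only failures count and a success clears the key.
    """

    def __init__(self, count_successes, window=WINDOW_SECONDS, limit=MAX_ATTEMPTS):
        self.count_successes = count_successes
        self.window = window
        self.limit = limit
        self._events = defaultdict(deque)  # (account, ip) -> timestamps of counted attempts

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def attempt(self, account, ip, credentials_valid, now):
        q = self._prune((account, ip), now)
        if len(q) >= self.limit:
            # Explicit reason and retry hint, instead of an opaque login failure.
            return {"ok": False, "error": "rate_limited",
                    "retry_after": int(self.window - (now - q[0]))}
        if credentials_valid:
            if self.count_successes:
                q.append(now)   # valid logins consume a slot (reported behaviour)
            else:
                q.clear()       # valid login proves the caller; reset the window
            return {"ok": True}
        q.append(now)
        return {"ok": False, "error": "invalid_credentials"}


def simulate_shared_account(count_successes, attempts=6):
    """Constructed scenario: one shared Apple ID, one office IP, valid credentials, 5 s apart."""
    throttle = LoginThrottle(count_successes)
    return [throttle.attempt("shared@example.invalid", "203.0.113.10", True, now=i * 5)["ok"]
            for i in range(attempts)]
```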

Version/Build:


Configuration:
