Login Guide

A walk-through of the login flow and related operations, to help understand login and debug issues.

Banno Online receives a 401 Unauthorized with error code 11, indicating a new Referer / Origin needs to be added

First, verify that the institution's row in the institution_allowed_origins table in the origins database on the postgres-espresso server contains the correct origin.

For example, given the following output, if the origin supplied in the HTTP request were http, the API would return HTTP 401, since http... does not match https...; that is, the request header value would not match the origin value stored in the DB. The scheme is part of the comparison, not just the host.

origins=> select * from institution_allowed_origins limit 1;
            institution_id            |               origin                |       deleted_at       
--------------------------------------+-------------------------------------+------------------------
 0fc6b610-e76d-11e4-9041-0a0027000002 | https://chrome-production.banno.com | 2016-08-19 15:50:50+00
(1 row)

Add the new referer to the institution_allowed_origins table, in the appropriate region, in the origins database on the postgres-espresso server.
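The comparison described above, as an added illustration rather than the API's own code: it reduces an Origin or Referer header to scheme://host, matches it against constructed rows shaped like the institution_allowed_origins output, and returns the 401 / error code 11 outcome on a mismatch. Treating a row with deleted_at set as inactive is an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class AllowedOrigin:
    """One row of institution_allowed_origins (columns as in the psql output above)."""
    institution_id: str
    origin: str
    deleted_at: Optional[str]  # timestamp string when soft-deleted, None when active


# Constructed sample rows; the first reuses the institution id and origin shown on the page.
SAMPLE_ROWS = [
    AllowedOrigin("0fc6b610-e76d-11e4-9041-0a0027000002",
                  "https://chrome-production.banno.com", None),
    AllowedOrigin("0fc6b610-e76d-11e4-9041-0a0027000002",
                  "https://old-origin.example.com", "2016-08-19 15:50:50+00"),
]


def origin_of(header_value: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port], lower-cased.
    The scheme stays part of the value, so http:// never equals https://."""
    parts = urlsplit(header_value.strip())
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def check_origin(institution_id: str, header_value: Optional[str],
                 rows: Iterable[AllowedOrigin]) -> Tuple[int, Optional[int]]:
    """Return (HTTP status, error code): (200, None) when the request's origin matches an
    active row for the institution, otherwise (401, 11) as described above.
    Assumption: rows with deleted_at set no longer count."""
    wanted = origin_of(header_value) if header_value else ""
    if not wanted:
        return (401, 11)
    for row in rows:
        if row.institution_id != institution_id or row.deleted_at is not None:
            continue
        if origin_of(row.origin) == wanted:
            return (200, None)
    return (401, 11)
```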

Search Application Logs for when the user logged in and what happened during login

Using the saved search Application Logs in Kibana, search for "NEW LOGIN FLOW" AND ("userid" OR username OR nettellerId)

Remove the "NEW LOGIN FLOW" AND part to search only for "userid" OR username OR nettellerId, and find a message with an IP (the end user's IP address) or CID (correlation ID).

Alternatively, you can search for "api login message" AND ("userid" OR username OR nettellerId)

Or, if you want a high-level view for a user, just search for ("userid" OR username OR nettellerId)

Note: make sure to filter out anything to do with mobile/grip admin logs, as they can mislead you.

Find Nginx Records

Open a new Kibana search in the same timeframe as above using the saved search Consumer API Nginx Access. You can filter by remote_addr using the IP, or by request_id using the CID found above.

The IP address is more useful for filtering for consumer users who are not test users at a bank, because a lot of bank test users end up with the same IP.

You can search by login or fetch to match only requests for a specific endpoint. For mobile requests, the http_user_agent is useful for filtering out FIs you are not looking for. Online requests typically start with /a/consumer/api, e.g. /a/consumer/api/login, and have an http_referrer of the online banking website they came from, e.g. https://secure.statebankspencer.com/login

Find the Authy events for a user using the Slack task

Use /st authy-events production user-id in the #auto-jabberwocky room to find the Authy events for a user.

Note: this will only find the events for their current authyId. See below for finding all the authyIds for a userId.

If you have problems with the command, run /st help for usage instructions.

Find Banno 2FA (oob2fa) interactions for a user in application logs

Search Kibana with the saved search Application Logs in the timeframe using app_name: oob2fa AND "bannoUserId" to find all the authyIds for the user; to narrow to a specific one, add AND authyId. If you need to find events for an authyId that is not their current one, you need to use Postman to get them (see below).

Finding authy events for an authyId using Postman

Do a GET to https://api.authy.com/protected/json/reporting/events?query[objects.user.s_authy_id][eq]=authyId, where the authyId at the end is the one you're looking for. You'll need to pass the X-Authy-API-Key header for the FI; to find it, log in to the Twilio admin console and look in the Authy application settings for that FI.

Get the Banno People Activity (history) for the user for the day in question from Support

A lot of the time it's useful to see the login/2FA history events for a user to understand what is going on.

Determine if a cash management user is in hold status

Overview

For NetTeller Cash Management users on the Silverlake and Core Director core provider types (Core Director may not be supported until all FIs are on the required version),
we check whether they are in hold status during login and fetch. If they are in hold status we return the HTTP status code Forbidden (403) with error code 22.

** Note that we re-used error code 22 so as not to require client changes; error code 22 also means locked.

Client Messaging

Mobile and Online clients should display the following message:

Something in your account needs to be corrected or updated. At this time a staff member is required to further assist you.

Support

Using the Kibana saved search Consumer Api Cash Management Hold Status, replace the userId in the first part of the message, which should look like:

message:"[user-id]" AND message:"from calling get cash management user"

The message you find should look roughly like:

Result was Some(CashManagementUser(Some(true))) from calling get cash management user with netTellerId NetTellerId(785200000273) 
and CashManagementUserId(schale) for UserId(eb9908e0-3770-11e8-8d52-02422f6950f7) 
and requestId afaab45ecb70b64328321f03f5130eb5

Things to observe:

  • If it says CashManagementUser(Some(true)), the user is in hold status.
  • Save the requestId, as it will be needed for the next search.

Open a new Kibana window and use the saved search jXchange Api Cash Management Hold Status.

Replace the first part with the requestId from above; it should look like: message:"[requestId]" AND message:"IntnetFinInstIdUsrInq"

** Note: we merged a tracking PR which enabled searching by requestId for future requests, but this wasn't in place for the original roll-out.

You should see a message with the jxchange request and response.

Things to observe:

  • <BusCorrelId>[requestId]</BusCorrelId> in the request
  • Check the <CashMgmtUsrState>[value]</CashMgmtUsrState> in the response
  • The value Y (Silverlake) or Act (Core Director) indicates the user is in hold status
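The two lookups in the Support procedure above, as an added example (not code from Banno or jXchange): it parses the "from calling get cash management user" log line into its ids and hold result, then checks a jXchange response for the matching BusCorrelId and the CashMgmtUsrState values the page lists. The log line reuses the page's sample values; the XML is a constructed, simplified fragment whose element names beyond BusCorrelId and CashMgmtUsrState are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed log line in the shape shown above, using the page's sample values.
SAMPLE_LOG = (
    "Result was Some(CashManagementUser(Some(true))) from calling get cash management user "
    "with netTellerId NetTellerId(785200000273) and CashManagementUserId(schale) "
    "for UserId(eb9908e0-3770-11e8-8d52-02422f6950f7) and requestId afaab45ecb70b64328321f03f5130eb5"
)

# Constructed, simplified response; the root element name is assumed, real messages carry more.
SAMPLE_JX_RESPONSE = """<IntnetFinInstIdUsrInqResponse>
  <BusCorrelId>afaab45ecb70b64328321f03f5130eb5</BusCorrelId>
  <CashMgmtUsrState>Y</CashMgmtUsrState>
</IntnetFinInstIdUsrInqResponse>"""

LOG_RE = re.compile(
    r"Result was (?P<result>.+?) from calling get cash management user"
    r".*?NetTellerId\((?P<netteller_id>\d+)\)"
    r".*?CashManagementUserId\((?P<cm_user_id>[^)]+)\)"
    r".*?\bUserId\((?P<user_id>[0-9a-f-]+)\)"   # \b skips the UserId inside CashManagementUserId
    r".*?requestId (?P<request_id>[0-9a-f]+)",
    re.DOTALL,
)


def parse_hold_log(line: str) -> Optional[dict]:
    """Extract the ids from the application log line; None if the line is not that message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    # Only the exact Some(CashManagementUser(Some(true))) result means hold status.
    info["in_hold"] = info["result"] == "Some(CashManagementUser(Some(true)))"
    return info


HOLD_VALUES = {"Y", "Act"}  # Y for Silverlake, Act for Core Director, as stated above


def jxchange_hold_state(xml_text: str, expected_request_id: str) -> Optional[bool]:
    """True/False for hold status from CashMgmtUsrState; None when the BusCorrelId does not
    match the requestId being investigated or the state element is missing."""
    root = ET.fromstring(xml_text)
    if root.findtext(".//BusCorrelId") != expected_request_id:
        return None
    state = root.findtext(".//CashMgmtUsrState")
    if state is None:
        return None
    return state.strip() in HOLD_VALUES
```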