DEV Community

Cover image for Story time with Treblle: The curious case of password reset
Vedran Cindrić for Treblle

Posted on

Story time with Treblle: The curious case of password reset

While working in our previous development company we were developing a new platform for a dear client. Our role was to develop the entire back-end with an API for mobile apps. Another development company, on a different side of the planet, was tasked to develop the mobile apps. At the beginning we had a lot of common challenges like communication, syncing time zones, documentation questions and others. I asked the client if we could add Treblle on the API side so we would eliminate some of these problems.

As soon as we added Treblle and made a few calls to the API it was 100x easier. The documentation was auto generated and updated, the mobile devs saw what they were doing. More importantly we also saw what they were doing so it was easier to understand how they were using the API and what problems they were facing. Interestingly enough our client also got into APIs and started to learn what we're doing, when we're working and when not 😎. He was also a huge fan of the fact he could see the API response time because he felt like the app was slow and thought it was on the back-end side. Turns out it wasn't. Anyway…

The app we were working on was already on the App store and the mobile team was preparing to do a new important update. When you are sending apps to the App Store if your app requires a login you HAVE to provide Apple with a login combination. We knew that, so we provided the credentials since day one and never changed them.

The mobile team uploaded the new build, sent the app for review and after 2-3 days the build was rejected. The reason Apple specified was "Login credentials were incorrect". Our client called me and was super irritated by the fact that the app got rejected. He started asking me why we changed the login data and explaining how he needed the update live ASAP. Now when something like this happens there aren’t a lot of options you have as a developer.

One option is to investigate what happened by trying to login and reporting back to the client if it worked. What's even crazier is - if it works then why couldn't Apple login?! If it doesn’t work then you have to investigate your own team and the mobile apps team to see who changed the credentials and how. Finally you have to come back to your client and tell him xyz happened, we know what it was, we fixed it and 100% it won’t happen again.

The first thing I thought was let's use Treblle to see all the login attempts in the last 24 hours. With Treblle you can view all requests between the API and apps including location and device data. Immediately I saw a request that happened a few hours ago, from an iOS device from Sunnyvale, California (Apple HQ). I also saw that they did in fact use the phone number we provided them for login, and that the API did return an error message saying that the login credentials were incorrect?!

This is where it got interesting. With Treblle you can click on any request and find "More requests like this". Treblle will then go and find all requests made to the API from the same user. Taking into account things like IP, location and even the user ID. Because I could see requests in chronological order, as they were made by the Apple testers, I saw that the first thing they did was made a call to an API endpoint that resets the password 🤣 I was shocked. I triple checked and realized exactly what happened. The app had a password reset option on the login screen. Apple testers clicked on reset password first. That sent an SMS with the new password. Since we used a made up phone number they didn’t get the SMS and didn’t think it would change the password.

At that point I sent my client a link to the request on Treblle and explained to him what happened and what they did. We made a fix which wouldn’t change the password straight away but rather send a reset link in the SMS first. Not something my client wanted but got the job done. We sent the app for review and it got approved the next day😎 And yes, the first thing Apple did was the tried to reset the password 🚀.

If we didn't have Treblle I can guarantee you we would have never known what happened. More importantly without Treblle we would have never been able to “prove” to the client what exactly happened. No other tool could help us figure this out that fast and easy. With Treblle it was clear as day to us, to him and to the mobile team. Since then the client always asked if Treblle was added to the API 💪🏻

Discussion (1)

Collapse
cindreta profile image
Vedran Cindrić Author

Let me know if you find these stories interesting and you want me to keep sharing these, alongside the articles of course : )