
Comments (8)

uniflare commented on May 31, 2024 2

@Mikescops Just FYI - I had a little time to finish my pet project C++ implementation.
https://github.com/uniflare/dashlane-c-cli

You mentioned you would be interested in seeing it. It's not perfect but does what I need. I may add/clean up some stuff in future if I get more time :).

Let me know if you see anything that should be changed (eg, legally or w/e).

from dashlane-cli.

Mikescops commented on May 31, 2024 1

That's super cool, I'll have a deeper look at it and I have forwarded your project to our legal department to have a check (I'd say it's the first time we get such a contribution 🎉).

from dashlane-cli.

Mikescops commented on May 31, 2024

Hello,

  1. rate limits depend on what you do, I'll need more info
  2. for now the API is not open (we're exploring this), the API keys are currently property of the company they can't be used elsewhere
  3. sorry, we don't make conditions like this in our security
  4. at this stage we don't support this for external contributors

I'm sorry it makes things harder for you at this stage but we're looking to open more and more integrations in the future, we're just not ready for it yet.

from dashlane-cli.

uniflare commented on May 31, 2024

Thanks for the quick reply!

  1. Rate limit is presented for running sync multiple times with the same data (with a clean database). Every request now shows ERROR: Rate limit exceeded.
  2. Ah that's a shame, understandable. This means I cannot use this as a basis for integration into another application? Does this mean I must use this standalone with no modification? I guess I just need general clarification on the terms of using this. An assumption was for integration as it is open source under Apache 2, but if we cannot use the keys in our own applications, then would any modification also fall under this restriction?
  3. Understandable.
  4. Not such an issue, but would be super handy in future for custom integrations.

No problem, I just want to be able to integrate this into a program (C++) that will one time start several apps and services after being given an initial login. I can see this being useful also for CI systems that require confidential data like sambda keys etc. (Currently quite easy with keepass, although obviously keepass is not in the cloud).

from dashlane-cli.

Mikescops commented on May 31, 2024

  1. The sync (GetLatestContent) is limited to 20 queries per minute, if you're not going above this intentionally you might want to check loops in your code
  2. The code is open-source, the keys are not from a legal standpoint. But, nothing (material) prevents you from using them for your personal use case, you can't just ship those keys outside.
  3. That also relates to having API keys per customer, we can allow such behaviour because your personal keys are not supposed to leak outside of your own application.
  4. I understand, I'm taking notes of this request, it's a good idea.

OK, I understand, the CLI is still very experimental so any feedback on your use case is welcomed. For now the CLI is made for humans but I'm looking at different use cases for CIs indeed.
You can also share some POCs when you have some so we can experiment with them.

from dashlane-cli.

uniflare commented on May 31, 2024

Thanks again for the quick response and clarifying my questions!

Regarding;

  1. It doesn't get this far now, it quits on attempting to get authentication methods. I will post the request and response at the end.
  2. Ah okay that makes sense. Then if I were to publish my code to GitHub, I would need to omit the API keys?

To clarify, this is a hobby project, but if successful, I may discuss options with some stakeholders at the office.
I have so far mapped almost 1 to 1 in C++ with the CLI, some parts still to map but most of it is there. Since I do not have API documentation and some of the methods used I am unfamiliar with, I need to test again the API itself to see what goes wrong where. Perhaps I have triggered some security measure? (I don't expect you to discuss security implementation, just wondering what the next steps might be) - It has been several hours and still getting this response.

My aim for now is to get a 1 to 1 port from TypeScript to C++ working, and then move on to separating functionality into a modular library that can be linked by other applications. This will allow me to test various applications more easily.

Here is the request data, that results in a rate limit exceeded error (it is only a single request):

Connected to api.dashlane.com port 443
SSL certificate verify ok.


POST /v1/authentication/GetAuthenticationMethodsForDevice HTTP/1.1
Host:api.dashlane.com
Accept: */*
content-type:application/json
user-agent:Dashlane C CLI v1.0.0
Authorization:DL1-HMAC-SHA256 AppAccessKey=[REDACTED],Timestamp=1678728359,SignedHeaders=content-type;user-agent,Signature=[REDACTED]
Content-Length: [REDACTED]

{"login":"[REDACTED]","methods":["email_token","totp","duo_push","dashlane_authenticator"]}


Got reply:

HTTP/1.1 429 Too Many Requests
Date: [REDACTED]
Content-Type: application/json
Content-Length: 152
Connection: keep-alive
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'none';
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: no-referrer
Vary: Origin
CF-Cache-Status: DYNAMIC
Set-Cookie: [REDACTED]; path=/; expires=[REDACTED]; domain=.dashlane.com; HttpOnly; Secure; SameSite=None
Server: cloudflare
CF-RAY: 7a75fabdebb13681-FRA

{"requestId":"104a4e9d-f251-488f-88a3-75c70bcc5cd4","errors":[{"type":"rate_limit_error","code":"rate_limit_exceeded","message":"Rate limit exceeded"}]}

from dashlane-cli.
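A client-side guard for the two things this thread pins down, the 20-queries-per-minute sync (GetLatestContent) limit and the 429 `rate_limit_exceeded` body, written as an added example that is not code from dashlane-cli or from either participant. The class and function names are hypothetical, and the stricter limit on unauthenticated endpoints is not modelled because the thread gives no figure for it.

```cpp
#include <chrono>
#include <cstddef>
#include <deque>
#include <iostream>
#include <string>

// Added example; class and function names are hypothetical.
class SlidingWindowLimiter {
public:
    using Clock = std::chrono::steady_clock;
    using Ms = std::chrono::milliseconds;
    SlidingWindowLimiter(std::size_t max, Ms window) : max_calls_(max), window_(window) {}
    // Records the call and returns true if it fits in the window. Otherwise
    // returns false and reports when the oldest recorded call expires.
    bool try_acquire(Clock::time_point now, Ms* retry_after = nullptr) {
        while (!sent_.empty() && now - sent_.front() >= window_)
            sent_.pop_front();
        if (sent_.size() < max_calls_) {
            sent_.push_back(now);
            return true;
        }
        if (retry_after)
            *retry_after = std::chrono::duration_cast<Ms>(window_ - (now - sent_.front()));
        return false;
    }
private:
    std::size_t max_calls_;
    Ms window_;
    std::deque<Clock::time_point> sent_;
};
// True for the rejection shown in the thread: HTTP 429 whose body carries
// code "rate_limit_exceeded". Substring match; a real client would parse JSON.
bool is_rate_limit_rejection(int status, const std::string& body) {
    return status == 429 &&
           body.find("\"code\":\"rate_limit_exceeded\"") != std::string::npos;
}
// Simulates a runaway loop: `attempts` sync calls at the same instant.
std::size_t allowed_in_burst(SlidingWindowLimiter& lim, std::size_t attempts,
                             SlidingWindowLimiter::Clock::time_point now) {
    std::size_t ok = 0;
    for (std::size_t i = 0; i < attempts; ++i)
        if (lim.try_acquire(now)) ++ok;
    return ok;
}

int main() {
    SlidingWindowLimiter sync_limit(20, std::chrono::seconds(60));  // limit quoted in the thread
    std::cout << allowed_in_burst(sync_limit, 25, SlidingWindowLimiter::Clock::now()) << "\n";
}
```

When `is_rate_limit_rejection` returns true the caller should stop and surface the error instead of retrying in a loop, since repeated attempts only extend the lockout described in the thread.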

Mikescops commented on May 31, 2024

  1. Same question already answered here then https://github.com/Dashlane/dashlane-cli/issues/53#issuecomment-1436591844
  2. Yes you should exclude them then

Any particular reason for using C++ and not another language? (I guess that's your main language looking where you work at)
I'm exploring a potential switch to Rust, not sure yet but I know this can allow to be integrated with most languages if we split the library part from the CLI (and be C friendly then).

The rate limit is really hard on the endpoints that are not authenticated, this is on purpose. I understand this can be difficult to debug, I recommend having multiple test accounts for this (the free tier is more than enough to do this kind of tests).

from dashlane-cli.

uniflare commented on May 31, 2024

Ah I see, thanks for the details - that makes a lot of sense! And thanks for clarifying the publishing guidelines.
And yes, I choose C++ because I am familiar with it, and build all my more complex tools with it. I also like to learn more things, and working on this has already taught me more about the language etc.

Indeed, making a library, whether dynamic or static, would certainly be very welcome. We could simply invoke the CLI, but in its current form, doing multiple transactions would incur multiple invocations and would require parsing data structures through pipes etc. I've not used Rust, but if it can expose at least C like interfaces that would be great.

I will try your suggestion on testing the port, and eventually the proof of concept.

Then, you have answered all my questions, and in record time. So I will close this ticket.

Thanks again!

from dashlane-cli.
