Getting 403 responses on endpoints we were once able to access


Nathan Donato

Oct 19, 2017, 12:29:33 PM
to drchrono Medical Healthcare API SDK
Hi,

I'm an engineer with a third party application that uses the DrChrono API to import data from our customers.

We've recently started to get the following response for a few (but not all) of our customers when attempting to hit endpoints we were able to access just last month:

Status: 403
Message: "You do not have permission to perform this action."

I know we have a valid token, since we're able to hit `/api/users` without issue. Since the users endpoint doesn't require any scopes or permissions, I'm assuming it's an issue with one of those. We don't believe any permissions changed, and we didn't specify any scopes, so we should have access to all of them if I'm understanding the documentation correctly.

The reason I'm confident no permissions have changed is because one of our internal test accounts had this same issue. It was resolved by de-authorizing our application in the DrChrono app and then creating a new authorization from scratch. Since this would require a lot of user action, this isn't an ideal solution for us, so I was curious if you had any insights into what the issue is and what a better solution would be.

Thanks,
Nathan Donato

Denis Malinovskiy

Oct 19, 2017, 12:32:05 PM
to drchrono Medical Healthcare API SDK
I know that we fixed some bugs in the API permissions checks, so maybe it's the reason.  It's difficult to tell for sure.

--
Denis Malinovskiy
Software Engineer, drchrono

Ben West

Oct 19, 2017, 6:31:35 PM
to drchro...@googlegroups.com

Thanks for the response Denis. As I'm sure you understand, this is a big issue for us as it causes the integration with drchrono to completely stop working.

Is there a way that we can troubleshoot this? How can we prevent this from happening in the future?

Denis Malinovskiy

Oct 19, 2017, 6:34:32 PM
to drchro...@googlegroups.com
It's not 100% clear to me why it happened in the first place, so I can't give you recommendations.

Ben West

Oct 19, 2017, 6:36:19 PM
to drchro...@googlegroups.com

Is there a way that we can see what permissions we currently have with our token?

Denis Malinovskiy

Oct 19, 2017, 6:46:06 PM
to drchro...@googlegroups.com
Yes, but permissions vary for each doctor using your app.

Ben West

Oct 19, 2017, 6:48:53 PM
to drchro...@googlegroups.com

Sure, could you tell us how we can see those permissions? We did not see any documentation on the API page.

Denis Malinovskiy

Oct 19, 2017, 6:59:41 PM
to drchro...@googlegroups.com
It's only available to us, unfortunately.

Michael Nusimow

Oct 19, 2017, 7:11:07 PM
to drchro...@googlegroups.com
Hi Ben,
Is this happening for all of your users or just a few specific users?

The individual users can see what permissions they gave you (and disconnect and reconnect the app) with: https://drchrono.com/api-authorization-management/

Also check what permissions your app has live in: https://drchrono.com/api-management/
--
Michael Nusimow / CEO and Cofounder
917.586.1476 / mic...@drchrono.com / @nusimow

Ben West

Oct 20, 2017, 11:36:35 AM
to drchro...@googlegroups.com

Thanks Michael. I just tried this for a test account, and it seems like once I de-authorize then the application is not listed anymore in drchrono. If our customer did try to de-authorize, is there an easy way for them to reauthorize afterwards?

Denis Malinovskiy

Oct 20, 2017, 12:21:31 PM
to drchro...@googlegroups.com
I don't think we have an easy way to reauthorize the app, Ben.

Michael Nusimow

Oct 20, 2017, 12:45:53 PM
to drchro...@googlegroups.com
Hi Ben,
The end-user can just do another OAuth session like they did the first time (but there isn't an automated way to deauth and reauth).
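The diagnosis this thread converges on can be automated on the integration side: probe `/api/users` to separate a bad token from a lost permission, then record which endpoints return the 403 quoted above and flag that customer for a fresh OAuth authorization. The following is an added example, not drchrono's code nor anything posted in this thread; the base URL, the Bearer header, and the two import endpoints are assumptions (substitute the integration's own).

```python
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

BASE_URL = "https://drchrono.com"  # assumed base URL for this example
TOKEN_PROBE = "/api/users"         # per the thread: works with any valid token, no scope needed
DENIED_MSG = "You do not have permission to perform this action."  # 403 body quoted in the thread
# Assumed/hypothetical list of resources the integration imports; use the app's real ones.
IMPORT_ENDPOINTS = ["/api/patients", "/api/appointments"]
Fetch = Callable[[str, str], Tuple[int, str]]  # (url, bearer token) -> (status, body)


def http_fetch(url: str, token: str) -> Tuple[int, str]:
    """Real transport (assumes the API accepts a Bearer token in the Authorization header)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_customer(token: str, fetch: Fetch = http_fetch,
                   endpoints: Iterable[str] = IMPORT_ENDPOINTS) -> Dict[str, object]:
    """Probe /api/users first: failure there is a token problem, not a permission one.
    If it succeeds, a 403 on an import endpoint means the authorization lost a permission;
    the remedy the thread arrived at is for that user to run the OAuth authorization again."""
    status, _ = fetch(BASE_URL + TOKEN_PROBE, token)
    if status != 200:  # token rejected: refresh it or log in again; scopes are not the issue
        return {"token_valid": False, "denied": [], "action": "refresh_token"}
    denied = []
    for path in endpoints:
        status, body = fetch(BASE_URL + path, token)
        if status == 403 and DENIED_MSG in body:
            denied.append(path)
    return {"token_valid": True, "denied": denied, "action": "reauthorize" if denied else "ok"}


def fake_fetch(granted: set, valid_token: str = "good-token") -> Fetch:
    """Constructed offline stand-in for the API that mirrors the symptoms in the thread."""
    def fetch(url: str, token: str) -> Tuple[int, str]:
        path = url[len(BASE_URL):]
        if token != valid_token:
            return 401, '{"detail": "Invalid token."}'   # constructed body
        if path == TOKEN_PROBE or path in granted:
            return 200, "{}"
        return 403, '{"detail": "%s"}' % DENIED_MSG
    return fetch
```

Running `check_customer` over every stored customer token gives a list of exactly which customers need the reauthorization step, instead of discovering it when the import stops.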