API Calls denial?

Mozart409

Hello guys,

To speed up my learning process I wanted to download my PGN files to analyse them with an engine.

Now I think I made too many calls to the API while testing, because I got an "Attempt to use a forbidden header was rejected: cookie" error and my IP got blocked.

Now to my questions

- Is there some way to be able to use the API again?

- How can I avoid doing this again while testing my code?

 JS code and error

stephen_33

Are you making simultaneous requests or serial ones?

Mozart409
stephen_33 wrote:

Are you making simultaneous requests or serial ones?

If I understand you correctly, neither. Just making this one call and getting the information I want. The image displays the whole js code btw.

stephen_33

If you're making API requests sequentially (one after the other) you shouldn't have any difficulty. I've made a load & never had a problem. In other words, I don't think the number of calls you're making is what's caused the failure?

You need a member of the developer's team to answer that question.

skelos

To confirm, I have accidentally made four concurrent requests, and received a 429 error on one of them. The current allowed limit per-IP address is three. That's working well for me, and I doubt there are too many users of api.chess.com sharing IP addresses.

As a side note, due to the limit on concurrent connections and to keep things simple in my code:

  • Each script I have written so far is single threaded, but does cache the SSL connection once made (a great speedup for many things)
  • If I receive a 429 error, the script that gets that error stops at once.

I'm not sure that qualifies as "best practice" but it's my way to try to be a good citizen.

stephen_33

Giles, Mozart does say he received: "Attempt to use a forbidden header was rejected: cookie" error and my IP got blocked.

I think that suggests something more serious than merely making too many simultaneous requests? I'm guessing you didn't get blocked from making API calls after your 'slip up'?

skelos

No, and if I didn't note that difference clearly I apologise. Indeed once one of my scripts got the 429 and did the right thing and quit, the other three kept running.

I suspect Mozart ran into some of chess.com's denial of service checking, but I have no clue how. We do know from early days (or a little DNS checking) that chess.com is a Cloudflare customer. I imagine we need to wait for staff to come online on Monday and read this thread and perhaps talk to their network administrators to find out more about what happened.

A change needed to allow the perl http request library to work with its default User-Agent string was made very promptly when it was noticed that it was being blocked. I am confident that if there is a similar configuration issue with respect to api.chess.com and whatever Mozart hit it will be rectified once identified.

(Nowadays I put @skelos into my User-Agent string, so that if I do cause a problem there's a point of contact. Others might prefer an email address, and it's tricky for sharing code. If someone else is running something I wrote it really shouldn't identify itself as me.)

I read but really don't understand Mozart's code. There is too much I don't know about JavaScript and Ajax. Possibly something looked like cross site scripting? That's a wild guess, not anything very sensible though.

Giles

stephen_33
skelos wrote:

(Nowadays I put @skelos into my User-Agent string, so that if I do cause a problem there's a point of contact. Others might prefer an email address, and it's tricky for sharing code. If someone else is running something I wrote it really shouldn't identify itself as me.)

A cheap & cheerful fix for that problem that occurs to me is to import whatever ID is used from a separate text file? Then when you share such a script, it won't contain your personal details. A simple error-trap would use a default, generic user-string in the event the file couldn't be found.

I don't have that problem because my version of Python is so geriatric (as you know) that I'm unable to include any kind of user string. I should probably uninstall my current version & download the latest one but my favourite motto is if it ain't broke, don't fix it & so far my use of the API resource has been trouble-free.

skelos

Yes, that's more or less the answer. Irritating but so far not a problem. Using an editor on the script is also not out of the question!

andreamorandini

@Mozart409 you are trying to use a reserved Cloudflare cookie "cfduid". You can just remove the "headers" parts from your script and you should be able to make calls without being banned.
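
The advice in this thread combined into one Node.js client, as an added example that is not code from any poster or from chess.com: requests go out one at a time, the script stops at the first 429, no Cookie header is ever sent, and the User-Agent contact is read from a separate file with a generic fallback. The function names, the contact file path, the `pgn-downloader` agent string and the header list (a subset of the browser's forbidden request headers) are assumptions.

```javascript
const fs = require("fs");

// Assumption: a subset of the header names browsers refuse to let scripts set.
// A hand-made Cookie header is what the error in this thread complained about.
const FORBIDDEN = new Set(["cookie", "cookie2", "host", "content-length", "connection"]);

// Read the contact handle from a separate file so a shared script carries
// no personal details; fall back to a generic string if the file is missing.
function loadContact(path, fallback = "anonymous-script") {
  try {
    const text = fs.readFileSync(path, "utf8").trim();
    return text || fallback;
  } catch (err) {
    return fallback;
  }
}

// Drop forbidden headers from the caller's set and add an identifying User-Agent.
function buildHeaders(extra, contact) {
  const headers = {};
  for (const [name, value] of Object.entries(extra || {})) {
    if (!FORBIDDEN.has(name.toLowerCase())) headers[name] = value;
  }
  headers["User-Agent"] = `pgn-downloader (contact: ${contact})`; // hypothetical agent name
  return headers;
}

// Fetch the URLs strictly one after another and stop at once on HTTP 429,
// so the remaining URLs are never requested.
async function fetchSerially(urls, options = {}) {
  const { fetchImpl = globalThis.fetch, headers = {}, contact = "anonymous-script" } = options;
  const sent = buildHeaders(headers, contact);
  const results = [];
  for (const url of urls) {
    const res = await fetchImpl(url, { headers: sent });
    if (res.status === 429) {
      return { results, stoppedAt: url };
    }
    const body = res.ok ? await res.text() : null;
    results.push({ url, status: res.status, body });
  }
  return { results, stoppedAt: null };
}
```

Passing `fetchImpl` lets the loop be exercised against a stub while testing, so no request reaches the real API until the code is known to behave.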