Concurrent Requests Cause "Invalid Login Attempt" Errors

[jasonblewis]

Hi,

Thank you for creating this awesome module!

I've encountered an issue when sending multiple concurrent requests to the NetSuite API, and exceeding the allowed concurrency.

Instead of receiving an error related to concurrency limits, I’m seeing errors about invalid login attempts that seem to take a long time to timeout (over 6 seconds):

Error fetching customer 5783: Invalid login attempt. For more details, see the Login Audit Trail in the NetSuite UI at Setup > Users/Roles > User Management > View Login Audit Trail., Duration: 60847ms
Error fetching customer 185050: Invalid login attempt. For more details, see the Login Audit Trail in the NetSuite UI at Setup > Users/Roles > User Management > View Login Audit Trail., Duration: 60900ms
Error fetching customer 155445: Invalid login attempt. For more details, see the Login Audit Trail in the NetSuite UI at Setup > Users/Roles > User Management > View Login Audit Trail., Duration: 61187ms

Steps to Reproduce

1. I’m using the following configuration for the NetsuiteApiClient:

   const config = {
     consumer_key: process.env.NETSUITE_CONSUMER_KEY,
     consumer_secret_key: process.env.NETSUITE_CONSUMER_SECRET,
     token: process.env.NETSUITE_TOKEN,
     token_secret: process.env.NETSUITE_TOKEN_SECRET,
     realm: process.env.NETSUITE_ACCOUNT_ID,
     base_url: `https://${process.env.NETSUITE_ACCOUNT_ID.toLowerCase()}.suitetalk.api.netsuite.com`,
   };
   const client = new NetsuiteApiClient(config);

2. Sending multiple concurrent requests using Promise.all:

   const customerIds = [5783, 185050, 155445]; // Example IDs
   const promises = customerIds.map((id) =>
     client.request({ path: `record/v1/customer/${id}`, method: "GET" })
   );
   await Promise.all(promises);

3. The requests are for retrieving customer records (record/v1/customer/:id).

Environment

• NetSuite Account: Using a Token-Based Authentication (TBA) setup.
• NetSuite Role: The role associated with the token has full permissions to view customer records.
• Concurrency: The issue occurs when sending multiple concurrent requests. in my case around 10 or so but I imagine it depends on the number of concurrent process licences the NetSuite instance has.
• Runtime:
  • Node.js v23.2.0
  • netsuite-api-client@1.0.2
• OS: Linux (Debian 12)

Observations

• The error occurs inconsistently:
  • Sometimes all 10 requests succeed.
  • Other times, all 10 requests fail.
  • Most often, a subset of the requests (e.g., 2-5 out of 10) fail.
• Failed requests consistently return the Invalid login attempt error.
• Login Audit Trail in the NetSuite UI shows failed login attempts tied to the token.
• The duration for failed requests can be significantly long (e.g., 60 seconds).

NetSuite API Response Details

Here are examples of the errors returned by the NetSuite API:

1. Error Response from NetSuite:

   {
     "type": "https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html",
     "title": "Invalid Login",
     "status": 401,
     "detail": "Invalid login attempt.",
     "o:errorCode": "INVALID_LOGIN",
     "o:errorMessage": "Invalid login attempt. See the Login Audit Trail in the NetSuite UI."
   }

2. Login Audit Trail in NetSuite:

   03/12/2024 12:17 PM 	user@example.com 	User Name 	  	192.0.2.1 	Failure 	NonceUsed 	  	MyAppIntegration - User Name User Name, MyApp Developer 	MyAppIntegration
   03/12/2024 12:17 PM 	user@example.com 	User Name 	  	192.0.2.1 	Failure 	NonceUsed 	  	MyAppIntegration - User Name User Name, MyApp Developer 	MyAppIntegration
   03/12/2024 12:17 PM 	user@example.com 	User Name 	  	192.0.2.1 	Failure 	NonceUsed 	  	MyAppIntegration - User Name User Name, MyApp Developer 	MyAppIntegration
   

3. API Activity Logs:

   02/12/2024 5:16 PM	0.005	REJECTEDACCOUNTCONCURRENCY	user@example.com	GET	429	/services/rest/record/v1/customer/155445	view	view
   02/12/2024 5:16 PM	0.767	FINISHED	user@example.com	GET	200	/services/rest/record/v1/customer/2338	view	view
   02/12/2024 5:16 PM	0.005	REJECTEDACCOUNTCONCURRENCY	user@example.com	GET	429	/services/rest/record/v1/customer/185050	view	view
   02/12/2024 5:16 PM	0.801	FINISHED	user@example.com	GET	200	/services/rest/record/v1/customer/933	view	view
   

If I view the response for a rejectedaccountconcurrency one in the Integration Execution Log REST Web Servives, it does appear that ns thinks it's sending an concurrency error.

{"type":"https://www.rfc-editor.org/rfc/rfc9110.html#section-15.5.1","title":"Bad Request","status":429,"o:errorDetails":[{"detail":"Concurrent request limit exceeded. Request blocked. Verify your concurrency limits at Setup > Integration > Integration Management > Integration Governance.","o:errorCode":"CONCURRENCY_LIMIT_EXCEEDED"}]}

Repository for Reproduction

I’ve created a minimal reproducible example to demonstrate the issue:
[GitLab Example Repository](https://gitlab.com/jasonblewis/netsuiteconcurrency)

Questions

1. Could this issue stem from how the module is handling concurrent request signing? or the OAuth 1.0 requiring a timestamp of 1 second resolution, but NetSuite rejects them because even though we have a unique nonce, the timestamp is dupliated from another request?
2. Are there recommended best practices or examples for managing concurrency with this module?
3. Could this variability in errors indicate a token handling issue?
4. Are there known cases where too many concurrent requests might cause token invalidation or signing failures?
5. could it be an issue related to how got handles the request and retrying when it receives an error?

Thanks in advance for your help!