Blocked request in Hikashop checkout

  • Posts: 52
  • Thank you received: 5
  • Hikaserial Standard Hikashop Essential
2 weeks 14 hours ago #360331

-- HikaShop version -- : 5.0.3
-- Joomla version -- : 4.4.3
-- PHP version -- : 8.1.27

Hi,
I have an issue with Akeeba AdminTools, which blocks some activities in the HikaShop checkout process.

Here are the relevant parts of my question to Akeeba's Nicholas

Hi,
I've got some issues with AdminTools blocking some HikaShop checkout activity.
Reason "Login failure", Target URL "mywebsite.com/panier/checkout/submitblock?tmpl=raw"

"tmpl=raw" is in the list of allowed templates

The checkout works for the majority of customers, but there is a small minority who trigger this blocking, and I don't understand why.
I'm almost (!) sure this is legitimate behaviour.


and his answer

This means that Joomla! tried, but failed, to log a user in.
I think you should ask Nicolas of HikaShop for help. I have a feeling that this may be an AJAX request which takes place after the user's session has expired.


So, Nicolas, what do you think?
Regards


  • Posts: 81563
  • Thank you received: 13071
  • MODERATOR
2 weeks 11 hours ago #360333

Hi,

I'll need more information first.
Why did you think it came from AdminTools?
Did you get this "Login failure" text from an email or from a log of AdminTools?

Even if the "Login failure" comes from Joomla failing to log in a user, I'm not sure why it would come from a user session expiration.
Why would a user session expiration lead to AdminTools displaying a Joomla error on the login?

Do you have more information on how this problem happens? Do you have some screenshots maybe? Were you able to reproduce the problem? Did the user wait a long time before clicking on the button to send the login request? Does it happen only when someone tries to log in on your checkout?


  • Posts: 52
  • Thank you received: 5
  • Hikaserial Standard Hikashop Essential
1 week 6 days ago #360347

Hi,

> Why did you think it came from AdminTools?

Because it's AdminTools which blocks this, and I can see it in the AdminTools Blocked Request Log.

> Why would a user session expiration lead to AdminTools displaying a Joomla error on the login?

It's not my own hypothesis.

> Do you have more information on how this problem happens? Do you have some screenshots maybe?

All I know is that the shop is up and running, orders are made and paid for by the majority, but I don't know why AdminTools sometimes catches these "Login failure" events with a target URL of "mywebsite.com/panier/checkout/submitblock?tmpl=raw".

Since my last message I've been able to verify that the IPs which have been blocked are genuine customers.
I've not had any complaints, but I can see that sometimes, for some of them, it triggers the blocking.
What they do when it arises, I don't know.

And no, I can't reproduce it myself.

Last edit: 1 week 6 days ago by marcmarc.


  • Posts: 81563
  • Thank you received: 13071
  • MODERATOR
1 week 6 days ago #360348

Hi,

Are you able to get more information on the blocking in AdminTools? Like, for example, the content of the POST?
Supposing that it comes from a user session timeout, as Nicholas said, maybe you should look at increasing the user session timeout value in the Joomla configuration. I know that by default it's quite small:
www.joomdev.com/increase-session-timeout-in-joomla-4/


  • Posts: 52
  • Thank you received: 5
  • Hikaserial Standard Hikashop Essential
1 week 6 days ago #360360

Hi, I should have tested more thoroughly before, but I was blinded by the unusual form of the blocked URL.
I tested while connected through a VPN, so I could test on the public side and see, with my regular IP, what is logged in AdminTools in real time.

The result is that AdminTools blocks users for "Login failure" when a user exceeds what is set in the WAF Auto Ban, so it's just normal behaviour.

The thing is:
- when the connection is made from HikaShop's checkout page, the URL logged by AdminTools is "mywebsite.com/panier/checkout/submitblock?tmpl=raw" (without the username logged)
- when the connection is made from the regular Joomla login form, the URL logged by AdminTools is the standard one, "mywebsite.com/component/users/?task=user.login&Itemid=101" (with the username logged, e.g. "Username: sfdgsfdgfsdio")

So, sorry, it's just standard behaviour from AdminTools and HikaShop.
I've relaxed the auto-ban rules a little bit and that should do it.

And now we know…

Regards
Marc

Last edit: 1 week 6 days ago by marcmarc.
The following user(s) said Thank You: nicolas
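As an added illustration of the auto-ban behaviour Marc describes (this is not code from HikaShop, Akeeba AdminTools or any participant in this thread), the Python script below tallies "Login failure" entries per IP over a sliding window and decides which IPs would be banned. The log lines are constructed to mirror the two shapes reported above: the checkout endpoint with no username, and the standard Joomla login URL with a username. The line layout, the timestamps, the IPs, the username and the threshold of 3 failures in 15 minutes are assumptions for the example; AdminTools' real log format and auto-ban defaults are not given on this page.

```python
"""Per-IP failed-login tally over constructed AdminTools-style log lines.

Added example, not code from HikaShop or Akeeba AdminTools. The log format,
the threshold and the window are assumptions; the real AdminTools log layout
and WAF Auto Ban settings may differ.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, modelled on the two line shapes described in the
# thread: the HikaShop checkout login (no username logged) and the standard
# Joomla login form (username logged). Timestamps, IPs and usernames are made up.
SAMPLE_LOG = """\
2024-03-01 10:00:05 198.51.100.7 Login failure mywebsite.com/panier/checkout/submitblock?tmpl=raw
2024-03-01 10:00:40 198.51.100.7 Login failure mywebsite.com/panier/checkout/submitblock?tmpl=raw
2024-03-01 10:01:12 198.51.100.7 Login failure mywebsite.com/panier/checkout/submitblock?tmpl=raw
2024-03-01 10:02:00 203.0.113.9 Login failure mywebsite.com/component/users/?task=user.login&Itemid=101 Username: sfdgsfdgfsdio
2024-03-01 10:30:00 203.0.113.9 Login failure mywebsite.com/component/users/?task=user.login&Itemid=101 Username: sfdgsfdgfsdio
2024-03-01 10:31:00 203.0.113.9 Login failure mywebsite.com/component/users/?task=user.login&Itemid=101 Username: sfdgsfdgfsdio
2024-03-01 10:32:00 203.0.113.9 Login failure mywebsite.com/component/users/?task=user.login&Itemid=101 Username: sfdgsfdgfsdio
"""

# Assumed line layout: "<timestamp> <ip> Login failure <url>[ Username: <user>]".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<ip>\S+) "
    r"(?P<reason>Login failure) "
    r"(?P<url>\S+)"
    r"(?: Username: (?P<user>\S+))?$"
)


def parse_log(text):
    """Return one dict per line that matches the assumed layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank lines and any other WAF reason
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"],
            "url": m["url"],
            "user": m["user"],  # None for the checkout-endpoint shape
        })
    return events


def auto_ban(events, max_failures=3, window=timedelta(minutes=15)):
    """Simulate a per-IP sliding-window failed-login counter.

    An IP is banned as soon as it accumulates `max_failures` login failures
    within `window`, whichever URL the failures came from. The defaults are
    assumptions, not AdminTools' shipped values.
    Returns {ip: time_of_ban} for every IP that crossed the threshold.
    """
    recent = defaultdict(deque)
    banned = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        if ip in banned:
            continue  # already blocked; later lines would not reach the app
        q = recent[ip]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            banned[ip] = ev["ts"]
    return banned


def anonymous_failures(events):
    """Count failures that carry no username, grouped by target URL.

    These are the entries that are hard to triage: with no username in the
    log, only the IP can be checked against known customers.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev["user"] is None:
            counts[ev["url"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, when in auto_ban(evs).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
    print("failures without a username, by URL:", anonymous_failures(evs))
    print("with the threshold relaxed to 4:", auto_ban(evs, max_failures=4))
```

Under the assumed 3-in-15-minutes rule both sample IPs are banned, the checkout one without any username ever reaching the log; raising the threshold to 4, the kind of relaxation Marc applied, clears both. The point for triage is that the checkout-endpoint entries can only be correlated by IP, which is exactly the check Marc ended up doing by hand.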
