JSON API Security
We need to make calls to the JSON API from within a plugin. The intention is to modify the DNS of a user's domain using /json-api/editzonerecord.
The code we have been provided requires that the WHM root password is entered into a configuration page, within WHM, and then stored in plain text on the server. This is clearly a terrible idea and we have already had people refuse to install the plugin as a result.
My question is, can the JSON API be used without any direct authentication, instead relying on the fact that a user is logged in?
If not then would using a remote access hash key be the best way forward?
Thank you for any advice that you can provide.
-
Hello :)
You could use the access hash authentication combined with the internal session tool. This is documented here: API Authentication
Thank you.
-
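The access hash approach suggested in the reply above, as an added PHP example (not code from this thread or from cPanel): it reads the existing hash instead of storing a root password in the plugin's configuration. The hash file path, the host name, the `api.version` parameter and the `editzonerecord` parameter names are assumptions, and it presumes the plugin code runs with permission to read the hash file.

```php
<?php
// Added example: names, paths and parameters are assumptions, not cPanel's own code.
const WHM_HASH_FILE = '/root/.accesshash'; // assumed location of root's access hash

function whm_load_access_hash(string $path = WHM_HASH_FILE): string
{
    $perms = @fileperms($path);
    // The hash is a root-equivalent credential: refuse it if group/other have any access.
    if ($perms === false || ($perms & 0077) !== 0) {
        throw new RuntimeException("$path is missing or accessible by group/other");
    }
    // Stored wrapped over several lines; the header needs it as one string.
    $hash = preg_replace('/\s+/', '', (string) file_get_contents($path));
    if ($hash === '') {
        throw new RuntimeException("$path is empty or unreadable");
    }
    return $hash;
}

function whm_build_request(string $host, string $function, array $params, string $hash): array
{
    // api.version=1 is assumed; the URL quoted in the thread does not set it.
    $query = http_build_query(['api.version' => 1] + $params);
    return [
        'url'     => "https://$host:2087/json-api/" . rawurlencode($function) . "?$query",
        'headers' => ["Authorization: WHM root:$hash"],
    ];
}

function whm_call(array $request): array
{
    $ch = curl_init($request['url']);
    curl_setopt_array($ch, [
        CURLOPT_HTTPHEADER     => $request['headers'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true, // keep TLS verification on, even for local calls
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('WHM request failed: ' . curl_error($ch));
    }
    return json_decode($body, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed demo: builds (does not send) a request with a fake hash and placeholder values.
if (PHP_SAPI === 'cli') {
    $params = ['domain' => 'example.test', 'line' => 12, 'address' => '192.0.2.10']; // assumed names
    echo whm_build_request('server.example.test', 'editzonerecord', $params, 'CONSTRUCTEDHASH')['url'], PHP_EOL;
}
```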
Thank you for the response. I had a look at the documentation, but the Internal Session Tool seems to be used to make API calls from external scripts. I'm making API calls from a PHP script within a cPanel plugin. The calls will always be made from the cPanel server and from a logged-in user session. Is there any way to make API calls from within a logged-in session without requiring the cPanel reseller to manually enter hash codes or passwords?
-
I haven't tested this but if you're already logged in, try passing the /cpsessXXXX/ part of the URL with your request. i.e. instead of GET and see if it allows you to proceed without sending auth data.
-
[QUOTE]I haven't tested this but if you're already logged in, try passing the /cpsessXXXX/ part of the URL with your request. i.e. instead of GET and see if it allows you to proceed without sending auth data.[/QUOTE]
I tried this and it doesn't work. The curl request from the WHM plugin PHP script ends up with "Access denied". Pasting the same query string into the browser works fine. error_log is empty.
https://IP:2087/cpsessXXX/json-api/createacct?username=user&password=pass&domain=test.com&useregns=0&reseller=00