API Authentication with Sencha Ext JS or Sencha Touch

[ashworth102680]

I'm sure it's probably simple that I'm overlooking (usually is), but I'm banging my head against the wall with this simple authentication issue. While I don't expect many here to be expert in Ext JS, I think it's more about how I'm constructing my AJAX calls than anything else.

Code:

Ext.define('MyApp.store.base.MyJsonStore', {
    extend: 'Ext.data.Store',

    config: {
        storeId: 'MyJsonStore',
        proxy: {
            type: 'ajax',
            url: 'http://mywebsite.com:2086/json-api/listaccts',
            method: 'GET',
            username: 'cpanelusergoeshere',
            password: 'h2liku3h4lkquyweilkruyahwukey',
            reader: {
                type: 'json'
            }
        }
    }
});

The error message I keep seeing from the console I'm using is:

Unable to load data using the supplied configuration.
Open in Browser http://mywebsite.com:2086/json-api/listaccts

I've removed any real information in the above code sample, but it gets the general idea across with what I'm trying to do. More or less, build a better cPanel/WHM manager than other mobile options that are currently available to me while mobile and out in the field.

If I can get this working, I'll be able to do some slick stuff with this library for mobile devices. I'll admit REST calls aren't my favorite thing, and I'm not the best out there...but I'm willing to learn.

Also, unless I've misunderstood something, the hash is only required if using root, and even then I've seen other iPhone apps that don't require the hash (curious about that). I don't expect people to be typing the full hash into an iPhone or Android application to be honest.

[cpdan]

It is possible that it is a security token issue:

Making your script work with security tokens in cPanel & WHM - cPanel Integration

[cPanelDavidN]

yeah...not knowing the details of the Ext framework, more specifically their "proxy" base class implementation, I'd have to agree with Dan's answer...that URL security tokens, issues after basic authentication, is altering the needed target URL. However, if the username and password credential were to be embedded in the HTTP Headers, then tokens wouldn't be an issue since such a request will auth and perform the function "listaccts" and return the data, all in one request. It really comes down to how Ext is forming the HTTP request.

Regards,
-DavidN

PS. I highly recommend that you use port 2087 if possible; it is the SSL port for WHM. Otherwise your entire HTTP request (headers included) will be transmitted in plain text, exposing the credentials to anyone sniffing packets.

[cpdan]

PS. I highly recommend that you use port 2087 if possible; it is the SSL port for WHM. Otherwise your entire HTTP request (headers included) will be transmitted in plain text, exposing the credentials to anyone sniffing packets.

Also, use POST instead of GET: Otherwise your query string (which would include the credential parameters) will be easily seen.

[ashworth102680]

Extremely helpful guys. Thank you! I'll test with this today and see if I can't get this working a little better.

I did originally try SSL on 2087, however, the application I'm building wasn't liking that. I wanted to at least get it working first, then tackle the SSL issues. It may have something to do with the fact the cPanel server I'm connecting to doesn't have a valid cert for the hostname, so the application is perceiving the "no valid cert" popup, but I'm not 100% on that.

The servers the app will be connecting to don't necessarily need to have valid certs installed on the server hostname, do they? If so, that may be a deal breaker. Then again...the couple of other apps in the iOS app store don't currently have an issue and I've connected to one of my machines just fine, so maybe I'm imagining things.

[cpdan]

The servers the app will be connecting to don't necessarily need to have valid certs installed on the server hostname, do they?

Not necessarily, how that is handled is 100% up to the browser/ajax code. At times you still get the “untrusted cert” dialog w/ AJAX calls the same as you would if you went to the URL its fetching directly in your browser.

That is true of a request to any URL and not limited to cPanel API URLs.

HTH!

[charsleysa]

When calling the JSON API you do not require a cPanel Session Token.
Also if you can, try to catch the outgoing HTTP packet using something like Wire Shark.
Inspect the packet and make sure that it is formed correctly.

Here is an extract from the API class for PHP

if ( $this->auth_type == 'hash' ) {
$authstr = 'Authorization: WHM ' . $this->user . ':' . $this->auth . "\r\n";
} elseif ($this->auth_type == 'pass' ) {
$authstr = 'Authorization: Basic ' . base64_encode($this->user .':'. $this->auth) . "\r\n";
} else {
throw new Exception('invalid auth_type set');
}

As you can see, when you are using the raw password, it must conform to Basic Authentication standards, but when you use the hash key, you must conform to WHM standards which is cPanels own custom standard for accessing its API.

[KostonConsulting]

Code:

Ext.define('MyApp.store.base.MyJsonStore', {
    extend: 'Ext.data.Store',

    config: {
        storeId: 'MyJsonStore',
        proxy: {
            type: 'ajax',
            url: 'http://mywebsite.com:2086/json-api/listaccts',
            method: 'GET',
            username: 'cpanelusergoeshere',
            password: 'h2liku3h4lkquyweilkruyahwukey',
            reader: {
                type: 'json'
            }
        }
    }
});

I don't see anywhere in the proxy docs that username and password are methods or configuration parameters for ajax proxy. There appears to be a headers config object which should be set to the value of mime base64 encoded

Code:

'user:password'

.

Sencha Docs - Ext JS 4.0