Alvaro Flano

Member
Apr 24, 2015
7
0
51
Santiago
cPanel Access Level
Root Administrator
I'm trying to call an endpoint created by my plugin (it is accessible when logged in to WHM):

Code:
curl -H'Authorization: whm root:MYAPITOKEN' 'https://1.2.3.4:2087/cgi/spamcontrol/api/exim_acl/rule/index.php' --insecure

but it returns a 403: "Token authentication is restricted to API calls only." I understood that API tokens are just for calling the WHM API, but here (Minimal permissions for managing CSF through API token) it is said that:

> While this is technically possible with CGI scripts when the application is registered as a plugin with the AppConfig system, it's up to the third-party developer to verify their specific application supports usage in this manner.

How is that done?

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,295
313
Houston
So when I run the example I am not able to replicate this behavior:

Code:
curl -H'Authorization: whm root:MYAPITOKEN' 'https://<MyServerIp>:2087/json-api/applist?api.version=1' --insecure
{"data":{"app":["_getpkgextensionform","abort_transfer_session","accesshash","accountsummary","acctcounts","activate_zone_key","add_override_features_for_user","add_zone_key","adddns","addpkg","addpkgext","addzonerecord","api_token_create","api_token_list","api_token_revoke","api_token_update","applist","batch","changepackage","cluster_member_has_trust_with","configureservice","convert_addon_fetch_conversion_details","convert_addon_fetch_domain_details","convert_addon_get_conversion_status","convert_addon_initiate_conversion","convert_addon_list_addon_domains","convert_addon_list_conversions","cors_proxy_get","create_featurelist","create_integration_group","create_integration_link","create_user_session","createacct","deactivate_zone_key","delete_featurelist","delete_ssl_vhost","delpkgext","disable_dnssec_for_domains","disable_mail_sni","domainuserdata","dumpzone","editpkg","editquota","editzonerecord","emailtrack_search","emailtrack_stats","emailtrack_user_stats","enable_dnssec_for_domains","enable_mail_sni","enqueue_deferred_ssl_installations","enqueue_transfer_item","export_zone_dnskey","export_zone_key","fetch_ds_records_for_domains","fetch_ssl_certificates_for_fqdns","fetch_ssl_vhosts","fetch_transfer_session_log","fetch_vhost_ssl_components","fetchcrtinfo","fetchsslinfo","forcepasswordchange","generate_mobileconfig","generatessl","get_available_applications","get_available_authentication_providers","get_available_featurelists","get_best_ssldomain_for_service","get_current_users_count","get_disk_usage","get_domain_info","get_feature_metadata","get_feature_names","get_featurelist_data","get_featurelists","get_integration_link_user_config","get_maximum_users","get_nameserver_config","get_password_strength","get_public_contact","get_public_ip","get_remote_access_hash","get_shared_ip","get_transfer_session_state","get_users_authn_linked_accounts","get_users_links","getdomainowner","getfeaturelist","gethostname","getpkginfo","getresellerips","getzonerecord","has_digest_auth","has_mycnf_for_cpuser","hold_outgoing_email","import_zone_key","installed_versions","installssl","is_sni_supported","killdns","killpkg","limitbw","link_user_authn_provider","list_integration_groups","list_integration_links","list_mysql_databases_and_users","list_styles","list_users","listaccts","listcrts","listmxs","listpkgs","listsuspended","listzones","load_style","lookupnsip","lookupnsips","mail_sni_status","massmodifyacct","matchpkgs","modifyacct","myprivs","nvget","nvset","passwd","pause_transfer_session","read_featurelist","rebuild_mail_sni_config","rebuilduserssldb","release_outgoing_email","remove_integration_group","remove_integration_link","remove_logo","remove_override_features_for_user","remove_style","remove_zone_key","removeacct","removezonerecord","resetzone","resolvedomainname","restartservice","save_style","savemxs","servicestatus","set_default","set_digest_auth","set_nameserver","set_nsec3_for_domains","set_primary_servername","set_public_contact","setresellernameservers","showbw","start_transfer_session","suspend_outgoing_email","suspendacct","systemloadavg","transfer_module_schema","twofactorauth_generate_tfa_config","twofactorauth_get_issuer","twofactorauth_get_user_configs","twofactorauth_policy_status","twofactorauth_remove_user_config","twofactorauth_set_issuer","twofactorauth_set_tfa_config","uapi_cpanel","unlink_user_authn_provider","unset_nsec3_for_domains","unsuspend_outgoing_email","unsuspendacct","update_featurelist","update_integration_link_token","verify_new_username","verify_new_username_for_restore","verify_user_has_feature","version"]},"metadata":{"command":"applist","version":1,"reason":"OK","result":1}}
I did notice that I am forced to run the --insecure flag when using the IP due to curl's SSL validation. I was able to work around this by just running the command using the hostname, though:
Code:
curl -H'Authorization: whm root:MYAPITOKEN' 'https://server.myserver.tld:2087/json-api/applist?api.version=1'

Alvaro Flano
That's because you called a valid WHM API endpoint (json-api/applist?api.version=1) and as explained in the post I want to access my own addon endpoint (/cgi/spamcontrol/api/exim_acl/rule/index.php).

I don't mind having to disable SSL checks as I'm using a test server; on production I'll use the server's hostname, of course.

Alvaro Flano
So far my solution is to generate a token with the create-user-session ACL and use that to generate a session so I can access the desired endpoint. But I would rather have a way to do this without having to create a token that has so much power (it can do anything with that token).

Maybe something similar to how DNS sync works.
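The workaround Alvaro describes (a token carrying only the create-user-session ACL mints a WHM session, and the session, not the token, is what reaches the plugin CGI), written out as an added example. This is not code from the thread or from cPanel; it assumes the create_user_session reply has the documented `url`, `session` and `cp_security_token` fields, that the security token is a `/cpsessNNN` path prefix, that `/logout/` ends the session, and it uses the hostname from the thread with TLS verification left on (so no `--insecure` equivalent is needed). The plugin path is the one from the first post.

```python
# Added example (not code from the thread or from cPanel): mint a WHM session
# with a token that only has the create-user-session ACL, then call a plugin
# CGI endpoint with that session instead of the token, and log out afterwards.
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar

WHM_HOST = "server.myserver.tld"   # hostname used in the thread; substitute yours
WHM_PORT = 2087
API_TOKEN = "MYAPITOKEN"           # placeholder, as in the thread
PLUGIN_PATH = "/cgi/spamcontrol/api/exim_acl/rule/index.php"  # endpoint from the thread


def whm_base(host=WHM_HOST, port=WHM_PORT):
    return f"https://{host}:{port}"


def build_opener():
    # Assumption: the WHM certificate is valid for WHM_HOST, so verification
    # stays on; the cookie jar is what carries the session between requests.
    jar = CookieJar()
    ctx = ssl.create_default_context()
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar),
        urllib.request.HTTPSHandler(context=ctx),
    )


def create_user_session(opener, token=API_TOKEN, user="root"):
    """WHM API 1 create_user_session, the only call that uses the API token.
    The token therefore needs just the create-user-session ACL."""
    url = (f"{whm_base()}/json-api/create_user_session"
           f"?api.version=1&user={user}&service=whostmgrd")
    req = urllib.request.Request(url, headers={"Authorization": f"whm {user}:{token}"})
    with opener.open(req, timeout=30) as resp:
        return resp.read().decode()


def session_from_response(payload):
    """Pull the one-time login URL and the cp_security_token (assumed to be the
    /cpsessNNN path prefix) out of a create_user_session reply; fail if result != 1."""
    data = json.loads(payload) if isinstance(payload, str) else payload
    meta = data.get("metadata", {})
    if meta.get("result") != 1:
        raise RuntimeError(f"create_user_session failed: {meta.get('reason')}")
    return data["data"]["url"], data["data"]["cp_security_token"]


def plugin_url(security_token, path=PLUGIN_PATH, host=WHM_HOST, port=WHM_PORT):
    """Session-authenticated WHM URLs carry the security token before the path."""
    if not security_token.startswith("/cpsess"):
        raise ValueError("unexpected cp_security_token format")
    return f"{whm_base(host, port)}{security_token}{path}"


def call_plugin_with_session():
    """End to end: token -> session -> plugin endpoint -> logout (needs network)."""
    opener = build_opener()
    login_url, sec_token = session_from_response(create_user_session(opener))
    # Visiting the login URL stores the WHM session cookie in the jar.
    opener.open(login_url, timeout=30).read()
    with opener.open(plugin_url(sec_token), timeout=30) as resp:
        body = resp.read().decode()
    # Assumption: /logout/ under the security token closes the session, so a
    # live root session is not left behind once the plugin call is done.
    opener.open(f"{whm_base()}{sec_token}/logout/", timeout=30).read()
    return body


# Constructed sample reply, shaped like a create_user_session response; the
# values are made up for the offline demonstration below.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "cp_security_token": "/cpsess1234567890",
        "expires": "1700000000",
        "service": "whostmgrd",
        "session": "root:EXAMPLESESSION:create_user_session,0123456789abcdef",
        "url": "https://server.myserver.tld:2087/cpsess1234567890/login/"
               "?session=root%3aEXAMPLESESSION%3acreate_user_session%2c0123456789abcdef",
    },
    "metadata": {"command": "create_user_session", "version": 1, "reason": "OK", "result": 1},
})

if __name__ == "__main__":
    login, tok = session_from_response(SAMPLE_RESPONSE)
    print("would log in at:", login)
    print("then request:   ", plugin_url(tok))
```

Run as-is it only exercises the parsing against the constructed sample; `call_plugin_with_session()` does the real exchange. The point of the split is that the token is presented exactly once, to `create_user_session`, and everything else rides on the short-lived session, which the script closes itself rather than leaving it to expire.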