Alvaro Flano

Member
Apr 24, 2015
Santiago
cPanel Access Level
Root Administrator
I'm trying to call an endpoint created by my plugin (it is accessible when logged in to WHM):

curl -H'Authorization: whm root:MYAPITOKEN' 'https://1.2.3.4:2087/cgi/spamcontrol/api/exim_acl/rule/index.php' --insecure

but it returns a 403: "Token authentication is restricted to API calls only." I understood that API tokens are just for calling the WHM API, but here (Minimal permissions for managing CSF through API token) it is said that:

While this is technically possible with CGI scripts when the application is registered as a plugin with the AppConfig system, it's up to the third-party developer to verify their specific application supports usage in this manner
How is that done?
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
Houston
So when I run the example I am not able to replicate this behavior:

Code:
 curl -H'Authorization: whm root:MYAPITOKEN' 'https://<MyServerIp>:2087/json-api/applist?api.version=1' --insecure
{"data":{"app":["_getpkgextensionform","abort_transfer_session","accesshash","accountsummary","acctcounts","activate_zone_key","add_override_features_for_user","add_zone_key","adddns","addpkg","addpkgext","addzonerecord","api_token_create","api_token_list","api_token_revoke","api_token_update","applist","batch","changepackage","cluster_member_has_trust_with","configureservice","convert_addon_fetch_conversion_details","convert_addon_fetch_domain_details","convert_addon_get_conversion_status","convert_addon_initiate_conversion","convert_addon_list_addon_domains","convert_addon_list_conversions","cors_proxy_get","create_featurelist","create_integration_group","create_integration_link","create_user_session","createacct","deactivate_zone_key","delete_featurelist","delete_ssl_vhost","delpkgext","disable_dnssec_for_domains","disable_mail_sni","domainuserdata","dumpzone","editpkg","editquota","editzonerecord","emailtrack_search","emailtrack_stats","emailtrack_user_stats","enable_dnssec_for_domains","enable_mail_sni","enqueue_deferred_ssl_installations","enqueue_transfer_item","export_zone_dnskey","export_zone_key","fetch_ds_records_for_domains","fetch_ssl_certificates_for_fqdns","fetch_ssl_vhosts","fetch_transfer_session_log","fetch_vhost_ssl_components","fetchcrtinfo","fetchsslinfo","forcepasswordchange","generate_mobileconfig","generatessl","get_available_applications","get_available_authentication_providers","get_available_featurelists","get_best_ssldomain_for_service","get_current_users_count","get_disk_usage","get_domain_info","get_feature_metadata","get_feature_names","get_featurelist_data","get_featurelists","get_integration_link_user_config","get_maximum_users","get_nameserver_config","get_password_strength","get_public_contact","get_public_ip","get_remote_access_hash","get_shared_ip","get_transfer_session_state","get_users_authn_linked_accounts","get_users_links","getdomainowner","getfeaturelist","gethostname","getpkginfo","getresellerips","getzonerecord","has_digest_auth","has_mycnf_for_cpuser","hold_outgoing_email","import_zone_key","installed_versions","installssl","is_sni_supported","killdns","killpkg","limitbw","link_user_authn_provider","list_integration_groups","list_integration_links","list_mysql_databases_and_users","list_styles","list_users","listaccts","listcrts","listmxs","listpkgs","listsuspended","listzones","load_style","lookupnsip","lookupnsips","mail_sni_status","massmodifyacct","matchpkgs","modifyacct","myprivs","nvget","nvset","passwd","pause_transfer_session","read_featurelist","rebuild_mail_sni_config","rebuilduserssldb","release_outgoing_email","remove_integration_group","remove_integration_link","remove_logo","remove_override_features_for_user","remove_style","remove_zone_key","removeacct","removezonerecord","resetzone","resolvedomainname","restartservice","save_style","savemxs","servicestatus","set_default","set_digest_auth","set_nameserver","set_nsec3_for_domains","set_primary_servername","set_public_contact","setresellernameservers","showbw","start_transfer_session","suspend_outgoing_email","suspendacct","systemloadavg","transfer_module_schema","twofactorauth_generate_tfa_config","twofactorauth_get_issuer","twofactorauth_get_user_configs","twofactorauth_policy_status","twofactorauth_remove_user_config","twofactorauth_set_issuer","twofactorauth_set_tfa_config","uapi_cpanel","unlink_user_authn_provider","unset_nsec3_for_domains","unsuspend_outgoing_email","unsuspendacct","update_featurelist","update_integration_link_token","verify_new_username","verify_new_username_for_restore","verify_user_has_feature","version"]},"metadata":{"command":"applist","version":1,"reason":"OK","result":1}}
I did notice that I am forced to use the --insecure flag when using the IP, due to curl's SSL validation. I was able to work around this by just running the command using the hostname, though:
Code:
curl -H'Authorization: whm root:MYAPITOKEN' 'https://server.myserver.tld:2087/json-api/applist?api.version=1'
 

Alvaro Flano

Member
Apr 24, 2015
Santiago
cPanel Access Level
Root Administrator
That's because you called a valid WHM API endpoint (json-api/applist?api.version=1) and as explained in the post I want to access my own addon endpoint (/cgi/spamcontrol/api/exim_acl/rule/index.php).

I don't mind having to disable SSL checks as I'm using a test server, on production I'll use the server's hostname of course.
 

Alvaro Flano

Member
Apr 24, 2015
Santiago
cPanel Access Level
Root Administrator
So far my solution is to generate a token with the create-user-session ACL and use that to generate a session so I can access the desired endpoint. But I would rather have a way to do this without having to create a token that has so much power (it can do anything with that token).

Maybe something similar to how DNS sync works.
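The workaround described in the last post, as an added example that is not code from the thread or from cPanel: an API token is used only for the WHM API 1 create_user_session call, the login URL that call returns is visited once to obtain the session cookie, and the plugin CGI endpoint is then requested under the session's /cpsess... path prefix. The hostname, the environment variable holding the token, and the sample JSON response are assumptions constructed for the example; the plugin path is the one from the thread. TLS is verified against the hostname rather than disabled, which is why the example uses the server's hostname and not its IP.

```python
"""Open a WHM session from an API token and call a plugin CGI endpoint.

Added example, not cPanel's or the thread's code. Assumptions: the server
name WHM_HOST, the WHM_API_TOKEN environment variable, and the shape of the
create_user_session response shown in SAMPLE_RESPONSE (constructed).
"""
import json
import os
import ssl
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

WHM_HOST = "server.myserver.tld"   # assumption: replace with your hostname
WHM_PORT = 2087
PLUGIN_PATH = "/cgi/spamcontrol/api/exim_acl/rule/index.php"  # path from the thread

# Constructed sample of a successful create_user_session reply (not real data).
SAMPLE_RESPONSE = (
    '{"data":{"url":"https://server.myserver.tld:2087/cpsess1234567890/login/'
    '?session=root%3aabc%3acreate_user_session%2cdef",'
    '"session":"root:abc:create_user_session,def",'
    '"cp_security_token":"/cpsess1234567890","expires":"1500000000"},'
    '"metadata":{"command":"create_user_session","version":1,'
    '"reason":"OK","result":1}}'
)


def create_user_session_url(host, port, user="root", service="whostmgrd"):
    """Build the WHM API 1 create_user_session call for a WHM (whostmgrd) session."""
    query = urllib.parse.urlencode(
        {"api.version": 1, "user": user, "service": service})
    return f"https://{host}:{port}/json-api/create_user_session?{query}"


def parse_session_response(body):
    """Return (login_url, token_prefix) from the create_user_session JSON.

    The prefix (e.g. "/cpsess1234567890") is taken from the first path
    component of the login URL, so the code does not depend on the exact
    formatting of the cp_security_token field. Raises on an API failure.
    """
    doc = json.loads(body)
    meta = doc.get("metadata", {})
    if meta.get("result") != 1:
        raise RuntimeError(f"create_user_session failed: {meta.get('reason')}")
    login_url = doc["data"]["url"]
    first_component = urllib.parse.urlsplit(login_url).path.split("/")[1]
    return login_url, "/" + first_component


def plugin_url(host, port, token_prefix, path):
    """Session-bound requests must carry the /cpsess... prefix before the path."""
    return f"https://{host}:{port}{token_prefix}{path}"


def fetch_via_session(api_token, host=WHM_HOST, port=WHM_PORT, path=PLUGIN_PATH):
    """Use the token once for create_user_session, then hit the plugin with the session."""
    ctx = ssl.create_default_context()  # verify the certificate; no --insecure
    jar = CookieJar()
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(
        create_user_session_url(host, port),
        headers={"Authorization": f"whm root:{api_token}"})
    with opener.open(req, timeout=30) as resp:
        login_url, token_prefix = parse_session_response(resp.read().decode())
    # Visiting the login URL once stores the session cookie in the jar.
    with opener.open(login_url, timeout=30) as resp:
        resp.read()
    with opener.open(plugin_url(host, port, token_prefix, path), timeout=30) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    token = os.environ["WHM_API_TOKEN"]  # assumption: token kept out of argv
    status, body = fetch_via_session(token)
    print(status)
    print(body)
```

The session that comes back is a full root WHM session, so the token that creates it should carry only the create-user-session ACL, be kept out of the command line and shell history, and be revoked (api_token_revoke) when the integration no longer needs it.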