SimonBest

Registered
Mar 19, 2014
2
0
1
cPanel Access Level
Root Administrator
We need to make calls to the JSON API from within a plugin. The intention is to modify the DNS of a user's domain using /json-api/editzonerecord.

The code we have been provided requires that the WHM root password is entered into a configuration page, within WHM, and then stored in plain text on the server. This is clearly a terrible idea and we have already had people refuse to install the plugin as a result.

My question is, can the JSON API be used without any direct authentication, instead relying on the fact that a user is logged in?

If not then would using a remote access hash key be the best way forward?

Thank you for any advice that you can provide.
 

SimonBest

Registered
Mar 19, 2014
2
0
1
cPanel Access Level
Root Administrator
Thanks you for the response.

I had a look at the documentation, but the Internal Session Tool seems to be used to make API calls from external scripts.

I'm making API calls from a PHP script within a cPanel plugin. The calls will always be made from the cPanel server and from a logged-in user session.

Is there any way to make API calls from within a logged-in session without requiring the cPanel reseller to manually enter hash codes or passwords?
 

KostonConsulting

Well-Known Member
Verifed Vendor
Jun 17, 2010
255
1
68
San Francisco, CA
cPanel Access Level
Root Administrator

rustyhex2

Member
Dec 12, 2013
8
0
1
cPanel Access Level
Root Administrator
I haven't tested this but if you're already logged in, try passing the /cpsessXXXX/ part of the URL with your request. i.e. instead of GET https://host:2083/xml-api/cpanel?, call GET https://host:2083/cpsessXXX/xml-api/cpanel and see if it allows you to proceed without sending auth data.
I tried this and it doesn't work. Curl request from the whm plugin php script ends up with "Access denied". Pasting the same query string to browser works fine. error_log is empty.

Code:
https://IP:2087/cpsessXXX/json-api/createacct?username=user&password=pass&domain=test.com&useregns=0&reseller=0
 
Last edited: