The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

JSON API Security

Discussion in 'cPanel Developers' started by SimonBest, Mar 19, 2014.

  1. SimonBest

    SimonBest Registered

    Joined:
    Mar 19, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    We need to make calls to the JSON API from within a plugin. The intention is to modify the DNS of a user's domain using /json-api/editzonerecord.

    The code we have been provided requires that the WHM root password is entered into a configuration page, within WHM, and then stored in plain text on the server. This is clearly a terrible idea and we have already had people refuse to install the plugin as a result.

    My question is, can the JSON API be used without any direct authentication, instead relying on the fact that a user is logged in?

    If not then would using a remote access hash key be the best way forward?

    Thank you for any advice that you can provide.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    30,678
    Likes Received:
    654
    Trophy Points:
    113
    cPanel Access Level:
    Root Administrator
  3. SimonBest

    SimonBest Registered

    Joined:
    Mar 19, 2014
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Thanks you for the response.

    I had a look at the documentation, but the Internal Session Tool seems to be used to make API calls from external scripts.

    I'm making API calls from a PHP script within a cPanel plugin. The calls will always be made from the cPanel server and from a logged-in user session.

    Is there any way to make API calls from within a logged-in session without requiring the cPanel reseller to manually enter hash codes or passwords?
     
  4. KostonConsulting

    KostonConsulting Well-Known Member

    Joined:
    Jun 17, 2010
    Messages:
    255
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    San Francisco, CA
    cPanel Access Level:
    Root Administrator
  5. rustyhex2

    rustyhex2 Member

    Joined:
    Dec 12, 2013
    Messages:
    8
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    I tried this and it doesn't work. Curl request from the whm plugin php script ends up with "Access denied". Pasting the same query string to browser works fine. error_log is empty.

    Code:
    https://IP:2087/cpsessXXX/json-api/createacct?username=user&password=pass&domain=test.com&useregns=0&reseller=0
     
    #5 rustyhex2, Apr 28, 2014
    Last edited: Apr 28, 2014
Loading...

Share This Page