JSON API Security

S

SimonBest

Registered
Mar 19, 2014
2
0
1
cPanel Access Level
Root Administrator
We need to make calls to the JSON API from within a plugin. The intention is to modify the DNS of a user's domain using /json-api/editzonerecord.

The code we have been provided requires that the WHM root password is entered into a configuration page, within WHM, and then stored in plain text on the server. This is clearly a terrible idea and we have already had people refuse to install the plugin as a result.

My question is, can the JSON API be used without any direct authentication, instead relying on the fact that a user is logged in?

If not then would using a remote access hash key be the best way forward?

Thank you for any advice that you can provide.
 
cPanelMichael

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,267
463
Hello :)

You could use the access hash authentication combined with the internal session tool. This is documented here:

API Authentication

Thank you.
 
S

SimonBest

Registered
Mar 19, 2014
2
0
1
cPanel Access Level
Root Administrator
Thanks you for the response.

I had a look at the documentation, but the Internal Session Tool seems to be used to make API calls from external scripts.

I'm making API calls from a PHP script within a cPanel plugin. The calls will always be made from the cPanel server and from a logged-in user session.

Is there any way to make API calls from within a logged-in session without requiring the cPanel reseller to manually enter hash codes or passwords?
 
K

KostonConsulting

Well-Known Member
Verifed Vendor
Jun 17, 2010
255
1
68
San Francisco, CA
cPanel Access Level
Root Administrator
R

rustyhex2

Member
Dec 12, 2013
8
0
1
cPanel Access Level
Root Administrator
I haven't tested this but if you're already logged in, try passing the /cpsessXXXX/ part of the URL with your request. i.e. instead of GET https://host:2083/xml-api/cpanel?, call GET https://host:2083/cpsessXXX/xml-api/cpanel and see if it allows you to proceed without sending auth data.
Click to expand...
I tried this and it doesn't work. Curl request from the whm plugin php script ends up with "Access denied". Pasting the same query string to browser works fine. error_log is empty.

Code: 
https://IP:2087/cpsessXXX/json-api/createacct?username=user&password=pass&domain=test.com&useregns=0&reseller=0
 
Last edited:
You must log in or register to reply here.
Thread starter Similar threads Forum Replies Date
N JSON API Manipulation? Developer Experience 3
behinam UAPI: SyntaxError in JSON.parse Developer Experience 1
N API call to get a json equivalent of View Sent Summary Developer Experience 7
D SOLVED Manage Json Result from API Developer Experience 4
K SOLVED Invalid JSON in WHM Api 1? Developer Experience 5
Similar threads
JSON API Manipulation?
UAPI: SyntaxError in JSON.parse
API call to get a json equivalent of View Sent Summary
SOLVED Manage Json Result from API
SOLVED Invalid JSON in WHM Api 1?
Top Bottom