Redirect after "Create Webmail session" UAPI

[StefanPejcic]

Hello,

Using the UAPI as instructed here: https://api.docs.cpanel.net/openapi/cpanel/operation/create_webmail_session_for_mail_user/

But experiencing a weird problem: after successful post request I am being redirected to:

https://example.com/cpsess8757552889/3rdparty/roundcube/?login=1&post_login=91382039924526

instead of:

https://example.com:2096/cpsess8757552889/3rdparty/roundcube/?login=1&post_login=91382039924526

---

    $ip_address = $_SERVER['REMOTE_ADDR'];
    list($email, $login_domain) = explode('@', $_POST['login_email']);
    $createSessionUrl = "https://$hostname:2083/cpsess1235467/execute/Session/create_webmail_session_for_mail_user?login=" . urlencode($email) . "&domain=" . urlencode($domain) . "&remote_address=" . $ip_address;
// echo $createSessionUrl;
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $createSessionUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Authorization: Basic ' . base64_encode(get_option('cpanel_username') . ':' . get_option('cpanel_password'))
    ));
    $response = curl_exec($ch);
    curl_close($ch);

    $data = json_decode($response, true);
    $session = $data['data']['session'];
    $token = $data['data']['token'];

    $postUrl = "https://$hostname:2096" . $token."/login";
    $postData = "session=" . urlencode($session);
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $postUrl);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $postData);
// echo "POST URL: $postUrl<br>";
// echo "POST Data: $postData<br>";
    $response = curl_exec($ch);
    curl_close($ch);
   
    echo $response;
}

an ideal case would be to redirect to $hostname for example:

https://srv.example.com:2096/..

but even

https://example.com:2096/..

would be okay for a start.

Did anyone else play with this UAPI webmail authentification, is there a way to redirect users to the correct url?

Appreciate any feedback!

 

[cPRex]

Hey there! I did want to let you know I've reached out to a developer about this and I'm hoping to have some answers at some point tomorrow or Friday. I'll let you know!

 

[cPanelThomas]

So if I'm understanding your script correctly, you do the create_user_session call, grab the needed bits to construct the URL yourself then hit it and are being redirected to something without the port. Now, you said this was for the roundcube URL, but the URL you were hitting was `/login` if I'm not mistaken from reading the code. Is the account setup to auto-login to roundcube when webmail loads?

If so that would certainly explain the redirection, but perhaps the redirect logic is faulty and stripping off the port?

I went ahead and tried out the code, and I'm not seeing any strangeness like that myself when running this, even for a user I've configured to redirect to roundcube upon login.

Additionally, if I decided to not POST the session and instead tack it on as a GET param, the same result occurs, which at least makes it easy to verify "well now what should this be doing" by then doing the same thing myself for the user manually in a web browser. I got sent into roundcube as expected since I configured the user to do this upon login (and got no funky port-stripping).

Perhaps it would be more valuable to know what cPanel version & theme is in use here (jupiter or paper lantern?), as certainly I would consider a login via session created via API *that you ran over the port* probably shouldn't be redirecting to just the user's domain. If anything, we would have wanted to go to the proxy `webmail` subdomain if we were going to be stripping off the port somehow.

 

[StefanPejcic]

Hello,thank you for the response.

You are correct, im redirected to roundcube because the account is set to auto-redirect, but even with that option disabled im getting the same result.

- cPanel Version102.0 (build 32)
- Tried on both paperlatern and Jupiter

Sunce this Is a WP plugin that is sending the request from another cpanel server, might even be some WordPress-related issue..

I will test the same call via a plain php script hosted locally on the same server, then remote, to try and determine the root cause.

Thank you for the time you took to test the call.

 

[StefanPejcic]

It appears that I misunderstood the documentation, as it clearly says:

1. authenticate as cpanel user
2. submit POST request for an email with $token and $session

but i didn't understand that the response to the post request is a redirect to the webmail, and I was trying to echo it to figure out the next step to do the redirect myself... so curl was redirecting me to the same domain + data..

Modified the code to simply push the user to the post link:

// Step 1. Authenticate

    $createSessionUrl = "https://$hostname:2083/cpsess1235467/execute/Session/create_webmail_session_for_mail_user?login=" . urlencode($email) . "&domain=" . urlencode($domain) . "&remote_address=" . $ip_address;

    $context = stream_context_create([
        'http' => [
            'method' => 'GET',
            'header' => "Authorization: Basic " . base64_encode(get_option('cpanel_username') . ':' . get_option('cpanel_password')) . "\r\n",
        ],
    ]);

    $response = file_get_contents($createSessionUrl, false, $context);

// Step 2. Build the POST request and change user header to it

$data = json_decode($response, true);
    $session = $data['data']['session'];
    $token = $data['data']['token'];
    $postUrl = "https://$hostname:2096" . $token."/login";
    $postData = "session=" . urlencode($session);
    // Redirect the user to the desired URL
    $url = 'https://'.$hostname.':2096'.$token.'/login?session='.urlencode($session);
    //echo $url;
    header('Location: '.$url);

Thank you once again for your time and sorry for bothering you with nonsense.