How to call a script without needing authentication on HTML5 Web Portal

Hello,

We need to make a custom API that will call a script on the HTML5 password portal.

The problem is that this API will be called prior to the user logging in to the portal. I have added the IApiProviderFor<QER.CompositionApi.Password.PasswordPortalApiProject> so the API is present in the password portal.

When I call the custom API I get the error "Your session has expired. Please reload this page and login again.". So I tried using AllowUnauthenticated(), but I still get denied.

Is there a way to call the script or an event like this prior to logging in to the portal?


Use case for this:

The user will request a passcode that will be sent to his personal mobile phone, so that he can then enter the password portal via the requested passcode.

Thank you for your help,

Zan

  • Hi

    Use case

    The customer wants their users to access the password reset portal and request password reset passcode themselves.

    Problem

    When we call the API the session does not exist because the user is not logged in (there is no authentication token).

    Question

    How can we call a custom API or script without an authentication token? Any tips for best practices?

    Best regards,

    Zan

  • Hi,

    To call a script in the IM backend, you need an authenticated session. Anything else would be a huge security problem.

    You could do the following:

    - define a system user with sufficient permissions to call the script

    - store a connection string (e.g. in an encrypted web.config section) that connects to IM with this system user

    - define an API endpoint that can be called without authentication, which uses the stored connection string to open an (authenticated) IM session and call the script.

    - perform additional security testing to ensure that your API is not vulnerable to SQL Injection, DDoS or other attack scenarios, as anybody who can reach the API server can now call the script.

    However, I would not recommend this. As you can see, this approach is complex and you really need to consider security. This is the reason that we have implemented the process differently in the standard: call helpdesk or your manager, who can create a passcode for you.
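    An added example, not code from this post or from One Identity, of the kind of guard the last step of the reply calls for: it sits between the unauthenticated endpoint and the script call, validates the input, throttles each client and never reveals whether an account exists. PasscodeRequestGate, the connection-string name IMSystemUser and the runScript delegate (standing in for opening the IM session as the system user and running the script) are assumptions; reading the connection string through ConfigurationManager and encrypting the section with aspnet_regiis are standard .NET.

```csharp
using System;
using System.Collections.Concurrent;
using System.Configuration;               // System.Configuration.dll
using System.Text.RegularExpressions;

// Hypothetical guard placed in front of the backend script call of an endpoint
// that is reachable without a portal login (not part of the product).
public sealed class PasscodeRequestGate
{
    // Only plain account names: no whitespace, quotes or SQL/script metacharacters.
    private static readonly Regex AccountPattern = new Regex(@"^[A-Za-z0-9._-]{1,64}$");
    private readonly ConcurrentDictionary<string, (DateTime WindowStart, int Count)> _hits =
        new ConcurrentDictionary<string, (DateTime WindowStart, int Count)>();
    private readonly Func<string, string, bool> _runScript;   // (connectionString, account) -> success
    private readonly int _maxPerWindow;
    private readonly TimeSpan _window;

    public PasscodeRequestGate(Func<string, string, bool> runScript, int maxPerWindow = 3, int windowMinutes = 15)
    {
        _runScript = runScript;
        _maxPerWindow = maxPerWindow;
        _window = TimeSpan.FromMinutes(windowMinutes);
    }

    // Second step of the reply: the system-user connection string lives in the
    // <connectionStrings> section of web.config, encrypted once with
    //   aspnet_regiis -pe "connectionStrings" -app "/PasswordPortal"   (assumed app path)
    // and decrypted transparently by ConfigurationManager at runtime.
    private static string SystemUserConnection() =>
        ConfigurationManager.ConnectionStrings["IMSystemUser"].ConnectionString;

    // Returns the same neutral message for every outcome, so the endpoint cannot be
    // used to enumerate accounts, and stops clients that hammer it (last step).
    public string Request(string clientAddress, string account)
    {
        const string neutral = "Request received.";
        if (account == null || !AccountPattern.IsMatch(account))
            return neutral;                               // malformed input, script never runs

        var now = DateTime.UtcNow;
        var entry = _hits.AddOrUpdate(clientAddress,
            _ => (now, 1),
            (_, e) => now - e.WindowStart > _window ? (now, 1) : (e.WindowStart, e.Count + 1));
        if (entry.Count > _maxPerWindow)
            return neutral;                               // throttled; worth logging for detection

        _runScript(SystemUserConnection(), account);      // outcome deliberately not exposed
        return neutral;
    }
}
```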
