Tickets POST requiring Auth Token
Posted: Tue Nov 07, 2017 6:37 pm
by prostar190fan
Script URL: localhost
Mods for HESK version: 3.2.1
HESK version: 2.7.3
Hosting company: Self Hosted/IIS 10
URL of phpinfo.php: n/a
URL of session_test.php: n/a
What terms did you try when SEARCHING for a solution: auth
Write your message below:
To completely eliminate the possibility of someone using the API to generate a ticket that is not supposed to, is there a way to restrict the ticket POST to only those with an auth token?
I saw in the latest notes (3.2.0) that the functionality was taken away?
Thanks,
Tom
Re: Tickets POST requiring Auth Token
Posted: Tue Nov 07, 2017 6:45 pm
by mkoch227
In /api/index.php, find:
'/v1/tickets' => action(\Controllers\Tickets\CustomerTicketController::clazz(), RequestMethod::all(), SecurityHandler::OPEN),
Change "SecurityHandler::OPEN" to "SecurityHandler::AUTH_TOKEN"
Regarding whether that endpoint should be open or require a token in the future, I'm still debating that personally (hence why the API is still considered to be in beta). Once I get around to adding "generic" auth tokens (that are not tied to a specific user), I may end up requiring an auth token for all requests again.
Re: Tickets POST requiring Auth Token
Posted: Tue Nov 07, 2017 7:46 pm
by prostar190fan
mkoch227 wrote: Tue Nov 07, 2017 6:45 pm
In /api/index.php, find:
'/v1/tickets' => action(\Controllers\Tickets\CustomerTicketController::clazz(), RequestMethod::all(), SecurityHandler::OPEN),
Change "SecurityHandler::OPEN" to "SecurityHandler::AUTH_TOKEN"
Regarding whether that endpoint should be open or require a token in the future, I'm still debating that personally (hence why the API is still considered to be in beta). Once I get around to adding "generic" auth tokens (that are not tied to a specific user), I may end up requiring an auth token for all requests again.
Thank you very much Mike,
I'm guessing I can send the token with "auth_token" => "tokenID", from within the JSON Array?
Thanks,
Tom
Re: Tickets POST requiring Auth Token
Posted: Tue Nov 07, 2017 8:03 pm
by mkoch227
The token should be passed in as a request header (X-Auth-Token: <token here>).
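The header-versus-body point from the last reply, as an added example (not code from Mods for HESK or from either poster): a small Python check that POSTs to a ticket route three ways and records the HTTP status of each. The local stub server, its 401/201 status codes, the sample token and the `subject` field are assumptions made so the check runs offline.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

VALID_TOKEN = "constructed-sample-token"  # constructed value, not a real token
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies

class StubTickets(BaseHTTPRequestHandler):
    """Local stand-in for a token-protected /v1/tickets route (401/201 are assumed)."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("X-Auth-Token") == VALID_TOKEN  # header only, body ignored
        self.send_response(201 if ok else 401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def post_ticket(url, body, token=None):
    """POST a JSON body, optionally with X-Auth-Token, and return the HTTP status."""
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["X-Auth-Token"] = token
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
    try:
        with OPENER.open(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def probe(url, token):
    """Return the status for each way of presenting (or omitting) the token."""
    ticket = {"subject": "probe"}  # constructed payload; real field names are not on the page
    return {
        "no_token": post_ticket(url, ticket),
        "token_in_json": post_ticket(url, {**ticket, "auth_token": token}),
        "token_in_header": post_ticket(url, ticket, token),
    }

def run_against_stub():
    with HTTPServer(("127.0.0.1", 0), StubTickets) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            return probe(f"http://127.0.0.1:{server.server_port}/v1/tickets", VALID_TOKEN)
        finally:
            server.shutdown()
```

`run_against_stub()` exercises the check locally; `probe()` can be pointed at a test instance after the route is switched to `SecurityHandler::AUTH_TOKEN`, where the header case will create a ticket if it succeeds.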