How to call a script without needing authentication on HTML5 Web Portal

Hello,

We need to make a custom API that will call a script on the HTML5 password portal.

The problem is that this API will be called prior to the user logging in to the portal. I have added the IApiProviderFor<QER.CompositionApi.Password.PasswordPortalApiProject> so the API is present in the password portal.

When I call the custom API I get the error "Your session has expired. Please reload this page and login again.". So I tried using AllowUnauthenticated(), but I still get denied.

Is there a way to call the script or an event like this prior to logging in to the portal?

Use case for this:

The user will request a passcode that will be sent to his personal mobile phone, so that he can then enter the password portal using the requested passcode.

Thank you for your help,

Zan

  • Hi

    Use case

    The customer wants their users to access the password reset portal and request password reset passcode themselves.

    Problem

    When we call the API the session does not exist because the user is not logged in (there is no authentication token).

    Question

    How can we call a custom API or script without an authentication token? Any tips for best practices?

    Best regards,

    Zan

  • Hi,

    To call a script in the IM backend, you need an authenticated session. Anything else would be a huge security problem.

    You could do the following:

    - define a system user with sufficient permissions to call the script

    - store a connection string (i.e. in an encrypted web.config section) that connects to IM with this system user

    - define an API endpoint that can be called without authentication, which uses the stored connection string to open an (authenticated) IM session and call the script.

    - perform additional security testing to ensure that your API is not vulnerable to SQL Injection, DDoS or other attack scenarios, as anybody who can reach the API server can now call the script.

    However, I would not recommend this. As you can see, this approach is complex and you really need to consider security. This is the reason that we have implemented the process differently in the standard: call helpdesk or your manager, who can create a passcode for you.

  • Hello,

thank you for the reply. We understand the issue, but we need to call a script like this. Can you please point me in the direction of how to configure the connectionString to allow us to get the session?

    I tried to create an API to call the script. But I do not understand how to authenticate inside the API call. I was searching the forum and found some information regarding this issue, but still cannot figure out how to create a custom session.

          // Connection string from web.config
          var connectionString = ConfigurationManager.ConnectionStrings["<NAME>"].ConnectionString;

          // Create the connection object first; calling Authenticate() on a null reference throws
          VI.DB.IConnection newConnection = VI.DB.DbApp.Instance.Connect(connectionString);

          // Authenticate the connection
          newConnection.Authenticate(connectionString);

          using (newConnection)  // Dispose the connection when the block ends
          {
              // Resolve the script class and run the named script in this session
              var scriptClass = newConnection.Session.Scripts().GetScriptClass(ScriptContext.Scripts);
              var runner = new ScriptRunner(scriptClass, newConnection.Session);

              runner.Eval("<NAME>");
          }

    1. I understand how to create a system user with limited permissions.
    2. I assume that in order to call an API without authentication you were referring to .AllowUnauthenticated()?
    3. Regarding the security risks, we are aware of the potential risks; is there a better way of doing this, for example calling LimitedSQL instead of a script to call a method?

    Thank you for your help,

    Zan

  • Hi,

    To configure the connection string, add two settings to the web.config file of every API Server. One is for the SQL (or appserver) connection, and the other is for the authentication of the system user.

    <connectionStrings>
        <add name="apiconn" connectionString="QBM.AppServer.Client.ServiceClientFactory, QBM.AppServer.Client|URL=https://server/AppServer/" />
        <add name="apiauth" connectionString="Module=DialogUser;User=my-user;(Password)Password=..." />
    </connectionStrings>

    Then adapt your code slightly to use these two settings:

          var connectionString = ConfigurationManager.ConnectionStrings["apiconn"].ConnectionString;
          VI.DB.IConnection newConnection = VI.DB.DbApp.Instance.Connect(connectionString);

          var authString = ConfigurationManager.ConnectionStrings["apiauth"].ConnectionString;    
          newConnection.Authenticate(authString);

    From a security perspective, LimitedSQL should be used when possible because it offers more granular permissions than scripts. But not everything can go inside of a LimitedSQL, so it depends on what you are doing inside of the SQL code.
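
    As an added example (not code from this thread, and not One Identity's own code), here is how the pieces from this answer and the earlier one fit together in one API plugin: the two web.config entries "apiconn" and "apiauth" are read on the server, a short-lived session for the system user is opened and disposed per request, the caller's input is allow-listed before any backend call, and the unauthenticated endpoint returns the same answer for every input. The endpoint name "passcode/request", the parameter "user", and the class and method names PasscodeRequestApi, SystemUserScript, TryRun and UserIdPattern are hypothetical; IApiBuilder, Method.Define, HandleGet, qr.Parameters.Get and ScriptRunner.Eval with script arguments are assumed from the API Server SDK samples and should be checked against your installed version.

```csharp
using System;
using System.Configuration;
using System.Text.RegularExpressions;
using QBM.CompositionApi.Definition;      // assumption: IApiBuilder, Method (API Server SDK samples)
using QER.CompositionApi.Password;        // PasswordPortalApiProject (named in the question)
using VI.DB;                              // IConnection, DbApp, ScriptRunner, ScriptContext

// Opens a short-lived, authenticated IM session for the system user configured in
// web.config and runs one fixed script. Nothing the caller sends selects the script
// or the connection data. (Hypothetical helper, not part of the product.)
public static class SystemUserScript
{
    // Only this allow-listed script is ever executed. Placeholder: set to your script name.
    private const string ScriptName = "<NAME>";

    // Callers may only supply an identifier of this shape; anything else is rejected
    // before a backend session is opened (first line of defence against injection).
    private static readonly Regex UserIdPattern = new Regex("^[A-Za-z0-9._-]{1,64}$");

    public static bool TryRun(string userId)
    {
        if (string.IsNullOrEmpty(userId) || !UserIdPattern.IsMatch(userId))
            return false;

        // "apiconn" = appserver/SQL connection, "apiauth" = system user credentials,
        // exactly the two web.config entries shown in the answer above.
        var connectionString = ConfigurationManager.ConnectionStrings["apiconn"].ConnectionString;
        var authString = ConfigurationManager.ConnectionStrings["apiauth"].ConnectionString;

        // The session lives only for this request and is disposed afterwards.
        using (IConnection connection = DbApp.Instance.Connect(connectionString))
        {
            connection.Authenticate(authString);

            var scriptClass = connection.Session.Scripts().GetScriptClass(ScriptContext.Scripts);
            var runner = new ScriptRunner(scriptClass, connection.Session);

            // Assumption: Eval accepts script arguments after the script name. The script
            // itself should validate userId again and must not return data to the caller.
            runner.Eval(ScriptName, userId);
        }
        return true;
    }
}

// Registers the endpoint in the password portal's API project (hypothetical class name).
public class PasscodeRequestApi : IApiProviderFor<PasswordPortalApiProject>
{
    public void Build(IApiBuilder builder)
    {
        builder.AddMethod(Method.Define("passcode/request")
            .AllowUnauthenticated()                    // reachable before the portal login
            .HandleGet(qr =>
            {
                // Assumption: IRequest exposes query parameters via Parameters.Get<T>(name).
                var userId = qr.Parameters.Get<string>("user");
                try
                {
                    SystemUserScript.TryRun(userId);
                }
                catch (Exception)
                {
                    // Deliberately no details: an unauthenticated caller must learn
                    // nothing about the backend from an error. Log server-side instead.
                }
                // Identical response for valid, invalid and unknown users, so the
                // endpoint cannot be used to enumerate accounts.
                return "If the user exists, a passcode has been sent to the registered phone.";
            }));
    }
}
```

    The input allow-list and the uniform response address the injection and enumeration concerns raised in the earlier answer; the "DDoS" point from that list is not handled in the handler and should be covered by throttling in front of the API Server or in the handler itself. If the work can be expressed as LimitedSQL, as suggested above, replace the ScriptRunner part of TryRun with that call and grant the system user only the permission for that one LimitedSQL.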

  • Hello,

    thank you for your answer. I have solved this problem via a LimitedSQL implementation since the script would be a security issue like you said.

    Thank you for your help.

    Have a nice day.

    Zan