REMINDER
Pass current Appdrag admin user name to API?
-
Any way to do this? (So we can track who made changes)
-
Hello, In which context do you execute your API calls? I need that detail to know how you could achieve that.
-
I'm assuming, via custom admin button (Configure left menu).
A while back (old chat) you mentioned that when using custom menu, that the current user tokens are submitted to the URL? I asked for docs but never heard back.
-
Oh I see, let me discuss it internally about what we can expose and provide in the documentation (it's added to my notes with the link of this post to give updates)
-
Thanks, appreciated.
I think the safest way to do it is like I described in the other thread.
-
You're welcome, yes and as you have the user token you might call AppDrag API to get user information (will see if we provide another way and/or expose this API call)
-
@wassim Super! Can't wait
-
@ThomasD I wrote a support article on how to create custom admin interfaces and I added an example on Authentication with the user token and AppDrag API.
-
Thanks, I had hoped for something properly secure, but it will do.
Passing security tokens in the URL also means that it would be stored in customers bookmarks and the ISP and DNS provider will have access to the token.
-
@ThomasD: Since we are using SSL, the url parameters are NOT visible for a Man-In-The-Middle attack, nor for your ISP, VPN or DNS provider ...
https://stackoverflow.com/questions/499591/are-https-urls-encrypted
So no, it's not a security risk or a lower security to do it that way in this context
-
Yeah, in the recent versions of TLS it does encrypt it fully. However, DNS might leak it since encrypted DNS resolution isn't that much of a standard yet. And browsers will still save the token in browser history.
If it's overkill to encrypt it properly, maybe, but it's an additional protection against 3rd party attacks, since no one can just take the token (from a browser) and send it without the shared secret.
