Blesta Core / CORE-5141

Update API to allow key based authentication method in addition to current http basic auth

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.9.3
    • Fix Version/s: 5.11.0-b1
    • Component/s: Staff Interface
    • Labels: None

      Description

      The API for Blesta uses http basic auth for authentication. Most web servers nowadays, including those running PHP-FPM, do not support http basic auth out of the box. We should update the API to allow a key based authentication method similar to most modern APIs, where the API key is included in the request headers with each API request.

      All API requests should originate over HTTPS. HTTP basic auth was argued in the past to be more secure because the authentication details were not included in every request; this is no longer a real concern. Including the key in the request headers over HTTPS is secure.

      If the existing API cannot support both http basic auth and this alternative key based auth (preferred moving forward) option, consider implementing a new endpoint for this authentication type. However, the API could look for the request header, and if present, use the API key contained within it, and fall back to http basic auth if it is not present.

      Make sure this is added to the documentation.

      Note: Use something like:

      curl -X POST 'https://yourdomain.com/blesta/api/users/get.json' \
      --header 'Authorization: Blesta-API-User [TheAPIUser]' \
      --header 'Authorization: Blesta-API-Key [TheAPIKey]' \
      ...
      }'
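      One way to implement the "check the header first, fall back to basic auth" logic described above, as an added example (not Blesta's own code). It assumes the user and key arrive in two distinct, hypothetically named headers (X-Blesta-API-User / X-Blesta-API-Key) rather than two Authorization headers, since many servers and proxies keep only one Authorization header per request; the stored-key lookup callback is also an assumption.

```php
<?php
// Added example, not Blesta code: resolve API credentials from request headers,
// preferring key-based headers and falling back to HTTP basic auth.
// X-Blesta-API-User / X-Blesta-API-Key are hypothetical header names.

function parseBasicAuth(string $value): ?array
{
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $value, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);           // strict mode rejects junk
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    [$user, $key] = explode(':', $decoded, 2);       // the key may itself contain ':'
    return ['user' => $user, 'key' => $key, 'method' => 'basic'];
}

function extractCredentials(array $headers): ?array
{
    $h = array_change_key_case($headers, CASE_LOWER); // header names are case-insensitive
    // 1. Key-based auth: both headers must be present to count.
    if (isset($h['x-blesta-api-user'], $h['x-blesta-api-key'])) {
        return ['user' => $h['x-blesta-api-user'], 'key' => $h['x-blesta-api-key'], 'method' => 'header'];
    }
    // 2. Fallback: HTTP basic auth. Under PHP-FPM $_SERVER['PHP_AUTH_USER'] is
    //    often unset, so parse the raw Authorization header instead.
    if (isset($h['authorization'])) {
        return parseBasicAuth($h['authorization']);
    }
    return null;
}

/**
 * Returns the authenticated user name, or null on failure.
 * $lookupKey maps a user name to its stored API key, or null if the user is unknown.
 */
function authenticate(array $headers, callable $lookupKey): ?string
{
    $creds = extractCredentials($headers);
    if ($creds === null) {
        return null;
    }
    $stored = $lookupKey($creds['user']);
    if ($stored === null) {
        hash_equals(str_repeat('0', 64), $creds['key']); // keep timing similar for unknown users
        return null;
    }
    return hash_equals($stored, $creds['key']) ? $creds['user'] : null; // constant-time compare
}

// Usage on a live request (getallheaders() is available under PHP-FPM since 7.3):
// $user = authenticate(getallheaders(), fn(string $u) => lookupStoredApiKey($u)); // lookup is hypothetical
```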

        Activity

        admin Paul Phillips created issue -
        admin Paul Phillips made changes -
        Summary changed from "Update API to allow an alternative authentication method to http basic auth" to "Update API to allow key based authentication method in addition to current http basic auth"
        admin Paul Phillips made changes -
        Description revised (three edits); the final text is the Description shown above.
        jonathan Jonathan Reissmueller made changes -
        Story Points: 5
        jonathan Jonathan Reissmueller made changes -
        Sprint: 5.11.0 Sprint 5 [ 204 ]
        jonathan Jonathan Reissmueller made changes -
        Rank: Ranked higher

          People

          • Assignee: Unassigned
          • Reporter: admin Paul Phillips
          • Votes: 0
          • Watchers: 1
