Uploaded image for project: 'Blesta Core'
  1. Blesta Core
  2. CORE-5141

Update API to allow key based authentication method in addition to current http basic auth

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.9.3
    • Fix Version/s: 5.11.0-b1
    • Component/s: Staff Interface
    • Labels:
      None

      Description

      The API for Blesta uses http basic auth for authentication. Most web servers nowadays, including those running PHP-FPM, do not support http basic auth out of the box. We should update the API to allow a key based authentication method similar to most modern APIs, where the API key is included in the request headers with each API request.

      All API requests should originate over HTTPS. http basic auth was argued in the past to be more secure because the authentication details were not included in every request, this is no longer a real concern. Including the key in the request headers over https is secure.

      If the existing API cannot support both http basic auth and this alternative key based auth (preferred moving forward) option, consider implementing a new endpoint for this authentication type. However, the API could look for the request header, and if present, use the API key contained within it, and fall back to http basic auth if it is not present.

      Make sure this is added to the documentation.

      Note: Use something like:

      curl -X POST 'https://yourdomain.com/blesta/api/users/get.json' \
      --header 'Authorization: Blesta-API-User [TheAPIUser]' \
      --header 'Authorization: Blesta-API-Key [TheAPIKey]' \
      ...
      }'

        Activity

          People

          • Assignee:
            abdy Abdy Franco
            Reporter:
            admin Paul Phillips
          • Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Time Tracking

              Estimated:
              Original Estimate - Not Specified
              Not Specified
              Remaining:
              Remaining Estimate - 0 minutes
              0m
              Logged:
              Time Spent - 2 days, 5 hours, 29 minutes
              2d 5h 29m

                Agile