Details
-
Type: Improvement
-
Status: Closed
-
Priority: Major
-
Resolution: Fixed
-
Affects Version/s: 5.9.3
-
Fix Version/s: 5.11.0-b1
-
Component/s: Staff Interface
-
Labels: None
Description
The API for Blesta uses HTTP basic auth for authentication. Most web servers nowadays, including those running PHP-FPM, do not support HTTP basic auth out of the box. We should update the API to allow a key-based authentication method similar to most modern APIs, where the API key is included in the request headers with each API request.
All API requests should originate over HTTPS. HTTP basic auth was argued in the past to be more secure because the authentication details were not included in every request; this is no longer a real concern. Including the key in the request headers over HTTPS is secure.
If the existing API cannot support both HTTP basic auth and this alternative key-based auth option (preferred moving forward), consider implementing a new endpoint for this authentication type. However, the API could look for the request header and, if present, use the API key contained within it, and fall back to HTTP basic auth if it is not present.
Make sure this is added to the documentation.
Note: Use something like:
curl -X POST 'https://yourdomain.com/blesta/api/users/get.json' \
--header 'Authorization: Blesta-API-User [TheAPIUser]' \
--header 'Authorization: Blesta-API-Key [TheAPIKey]' \
...
}'
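The dual-scheme lookup the ticket describes (header-carried API key first, HTTP basic auth as the fallback), written out as an added example in PHP. This is illustration code, not Blesta's implementation: `lookupApiKey()` and its in-memory key table are constructed for the example, the header names follow the ticket's `Authorization: Blesta-API-User ...` / `Blesta-API-Key ...` sketch, and the `$headers`/`$server` arrays stand in for `getallheaders()` and `$_SERVER`.

```php
<?php
// Added example, not Blesta project code. Resolves API credentials from
// either the header-based scheme proposed in the ticket or HTTP basic auth,
// requires TLS, and verifies the key with a constant-time comparison.
declare(strict_types=1);

// Hypothetical key store for the example; a real implementation reads the
// database. Keys should be random secrets, never reused passwords.
function lookupApiKey(string $user): ?string
{
    $keys = ['apiuser' => 'c0ffee0123456789'];   // constructed sample data
    return $keys[$user] ?? null;
}

/**
 * Extract [user, key] from the request, or null if no scheme is present.
 * $headers: case-insensitively named headers (as from getallheaders()).
 * $server:  the $_SERVER-style array (PHP_AUTH_USER, PHP_AUTH_PW, HTTPS).
 */
function extractCredentials(array $headers, array $server): ?array
{
    $auth = [];
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') !== 0) {
            continue;
        }
        // If a server merges repeated Authorization fields it joins them with
        // a comma; split only in front of the ticket's scheme names so that a
        // base64 Basic credential is never cut apart.
        foreach (preg_split('/,\s*(?=Blesta-API-)/i', $value) as $part) {
            $auth[] = trim($part);
        }
    }

    // 1. Header-based scheme: both the user and the key must be present.
    $user = $key = null;
    foreach ($auth as $part) {
        if (preg_match('/^Blesta-API-User\s+(\S+)$/i', $part, $m)) {
            $user = $m[1];
        } elseif (preg_match('/^Blesta-API-Key\s+(\S+)$/i', $part, $m)) {
            $key = $m[1];
        }
    }
    if ($user !== null && $key !== null) {
        return [$user, $key];
    }

    // 2. Fallback: HTTP basic auth. PHP_AUTH_USER is only populated when the
    //    SAPI forwards it (often not the case under FPM), so also decode the
    //    raw "Basic" credential if that is all we have.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW']];
    }
    foreach ($auth as $part) {
        if (preg_match('#^Basic\s+([A-Za-z0-9+/=]+)$#i', $part, $m)) {
            $decoded = base64_decode($m[1], true);
            if ($decoded !== false && strpos($decoded, ':') !== false) {
                return explode(':', $decoded, 2);
            }
        }
    }
    return null;
}

function authenticate(array $headers, array $server): bool
{
    // The key travels with every request, so refuse anything that is not TLS.
    $https = ($server['HTTPS'] ?? '') !== '' && strtolower($server['HTTPS']) !== 'off';
    if (!$https) {
        return false;
    }

    $creds = extractCredentials($headers, $server);
    if ($creds === null) {
        return false;
    }
    [$user, $key] = $creds;

    // Compare against a dummy value for unknown users so the response time
    // does not reveal whether the user exists; hash_equals() is constant-time
    // for equal-length inputs.
    $stored = lookupApiKey($user);
    $expected = $stored ?? str_repeat('0', 16);
    return hash_equals($expected, $key) && $stored !== null;
}

// Constructed sample request using the header scheme over HTTPS.
$ok = authenticate(
    ['Authorization' => 'Blesta-API-User apiuser, Blesta-API-Key c0ffee0123456789'],
    ['HTTPS' => 'on']
);
var_dump($ok);
```

One caveat worth settling before this ships: the ticket's sketch sends two separate `Authorization` header fields. HTTP only defines merging for list-valued fields, and `Authorization` is not one, so proxies, web servers and client libraries may keep only one of the two or reject the request. Carrying the user and key in two distinct header names, or as a single `Authorization` value with its own scheme token, avoids that ambiguity; the parser above tolerates the merged form but should not be relied on across arbitrary intermediaries.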