mskenderian, Posted June 1

Since we don't have an API section in the forum, I thought this would be the best place to post it.

PBX v69.0.4 Debian
Test Computer: Windows
Command: curl -v -u admin:password https://pbxHostname/rest/system/status

We get permissions denied. On v68 we get the correct response.

Vodia PBX, Posted June 2

You need to enable API access for the admin account in 69. Or better create a secondary account for access and enable API access there, possibly add IP address whitelisting as well. This is because the Basic authentication is just very dangerous in terms of replay attacks. V69 offers passkeys also for the administrators, which should dramatically reduce the risk of getting hacked.

mskenderian (Author), Posted June 2

Oh I see it. We should have added this change to the release documentation, since it's a breaking change. It created hours of frustration.

mskenderian (Author), Posted June 2

Is it possible to add a passkey to a script living on a server? I don't know how that works. If you're concerned about basic auth, we should just do what everyone else does. Use API keys.

Vodia PBX, Posted June 5

On 6/2/2023 at 4:43 PM, mskenderian said:
"Is it possible to add a passkey to a script living on a server? I don't know how that works. If you're concerned about basic auth, we should just do what everyone else does. Use API keys."

The PBX does not care how the client comes up with passkeys. IMHO it's really more for the humans, not so much for the robots. But it might be an interesting exercise if there is already some code e.g. for nodejs. For scripts, if you whitelist the server addresses, use encryption and a random password, that should be billions of times safer than Joe Doe recycling his favorite password even when using Basic, which is then as safe as any other token e.g. coming from OAuth.
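
The setup described in the last reply, sketched as an added example that is not part of the thread and not Vodia's code: a random password for a dedicated API account, sent with Basic authentication over HTTPS only. It also shows why the replies insist on encryption: a Basic header is the same on every request and decodes straight back to the password. The account name `api-monitor` and all function names are assumptions; the URL is the one from the first post.

```python
import base64
import secrets
import ssl
import urllib.request

PBX_URL = "https://pbxHostname/rest/system/status"  # URL from the first post
API_USER = "api-monitor"  # hypothetical secondary account with API access enabled


def new_api_password(nbytes: int = 32) -> str:
    """Random password for the API-only account (256 bits from the OS CSPRNG)."""
    return secrets.token_urlsafe(nbytes)


def basic_header(user: str, password: str) -> str:
    """Basic credentials are only base64(user:password): static and reversible."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(header: str) -> tuple[str, str]:
    """What any party that sees the header can do: decode it back to the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def build_status_request(url: str, user: str, password: str) -> urllib.request.Request:
    """Build the request; refuse plain HTTP so the header never travels unencrypted."""
    if not url.lower().startswith("https://"):
        raise ValueError("Basic authentication must only be sent over HTTPS")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", basic_header(user, password))
    return req


def fetch_status(req: urllib.request.Request) -> bytes:
    """Send with certificate and hostname verification on (the default context)."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    pw = new_api_password()  # keep it in a secrets store or a 0600 file, not in the script
    req = build_status_request(PBX_URL, API_USER, pw)
    print(req.get_method(), req.full_url)
```

Building the header in the script rather than passing `-u user:password` to curl also keeps the password out of the process list and shell history.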