Jump to content

API broken v69.0.4


Recommended Posts

You need to enable API access for the admin account in 69. Or better create a secondary account for access and enable API access there, possibly add IP address whitelisting as well.

This is because the Basic authentication is just very dangerous in terms of replay attacks. V69 offers passkeys also for the administrators, which should dramatically reduce the risk of getting hacked.

Link to comment
Share on other sites

On 6/2/2023 at 4:43 PM, mskenderian said:

Is it possible to add a passkey to a script living on a server?

I don’t know how that works?

if you concerned about basic auth, we should just do what everyone else does. Use API keys.

The PBX does not care how the client comes up with passkeys. IMHO it's really more for the humans, not so much for the robots. But it might be an interesting exercise if there is already some code e.g. for nodejs. 

For scripts, if you whitelist the server addresses, use encryption and a random password, that should be billions of times safer than Joe Doe recycling his favorite password even when using Basic, which is then as safe as any other token e.g. coming from OAuth.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...