API without authentication

  • API without authentication

    Is it possible for Espo to accept API requests without requiring authentication? I need Espo to accept a request from third-party software that does not offer any of the available authentication methods. I would authenticate the request in a module using custom logic, but the request never gets there because Espo returns a 403. The third-party software is not configurable, so I can't add headers.

    Edit: To clarify, I am talking about API access to the back end via php. The idea is for the request to be accepted by the slim router in application/Espo/Core/Api/Starter.php without needing to authenticate.
    Last edited by bandtank; 01-20-2023, 04:31 PM.

  • #2
    You could create a custom controller with a noauth parameter in the route.





    • #3
      Originally posted by Kharg
      Thanks. That sounds like exactly what I want to do. How do you specify the 'noauth' parameter? It isn't in the documentation as far as I can tell. Are you saying the parameter is defined in the controller, request header, both, or somewhere else?



      • #4
        In the routes.json like this
        [
          {
            "route": "/actionbuttons/test",
            "method": "post",
            "params": {
              "controller": "ActionButtonsController",
              "action": "test"
            },
            "noAuth": true
          }
        ]



        • #5
          Originally posted by murray99
          In the routes.json like this
          [
            {
              "route": "/actionbuttons/test",
              "method": "post",
              "params": {
                "controller": "ActionButtonsController",
                "action": "test"
              },
              "noAuth": true
            }
          ]

          Interesting. Thanks. I have never used that file and it has never been a problem, which is confusing. I add php files into custom/Espo/Custom/Controllers and the routes are automatically available.

          Edit: It seems like the routes.json file is only for front end routing. I should clarify that I am talking about back end routing.
          Last edited by bandtank; 01-20-2023, 04:29 PM.



          • #6
            Your advice led me to this page, which shows the implementation information: API actions - EspoCRM Documentation

            Thanks again for your help.



            • #7
              Glad you found a solution for your problem!
              Last edited by Kharg; 01-20-2023, 09:49 PM.



              • #8
                bandtank (or anyone else who visits this post) In case this is helpful, we configured our install to be able to receive an API request that functions more like "LeadCapture" and less like a formal API request with Basic Auth (or similar).

                Our use case was for a 'free trial' we were offering. The trial was initiated from Cognito Forms via a Webhook.

                So we created a custom controller ("CognitoForm.php") and it has this code in it:

                Code:
                /* Up here is all the class code, constructor, and dependencies. Below is just one function */

                public function postActionFreeTrial($params, $data, $response)
                {
                    // Reject requests that carry no key or no payload.
                    if (empty($params['apiKey'])) {
                        throw new BadRequest('No API key provided.');
                    }
                    if (empty($data)) {
                        throw new BadRequest('No payload provided.');
                    }

                    // CORS origin comes from the leadCaptureAllowOrigin setting; '*' is the fallback.
                    $allowOrigin = $this->getConfig()->get('leadCaptureAllowOrigin', '*');
                    $response->headers->set('Access-Control-Allow-Origin', $allowOrigin);

                    // The route skips Espo authentication, so the key check below is the only gate.
                    $apiKey = $params['apiKey'];
                    $validKey = $this->getServiceFactory()->create('LeadCapture')->isApiKeyValid($apiKey);

                    if ($validKey) {
                        $lead = $this->getServiceFactory()->create('Lead')->cognitoFreeTrialLead($data, $apiKey);
                        return $lead;
                    } else {
                        return 'This is not a valid API Key! Make sure you have the right environment and it\'s active!';
                    }
                }
                Here, we generate a key using the Entry Point provided by the LeadCapture functionality already provided out of the box.

                Then, in our routes.json file (custom/Espo/Custom/Resources/routes.json)

                Code:
                [
                  {
                    "route": "/CognitoForm/:action/:apiKey",
                    "method": "post",
                    "params": {
                      "controller": "CognitoForm",
                      "action": ":action",
                      "apiKey": ":apiKey"
                    },
                    "conditions": {
                      "auth": false
                    }
                  }
                ]


                In this case, ":action" is a variable as we have multiple actions going to that controller and we didn't want to have to write a new route every time we wanted a new entry point.

                To access, we send a POST request from CognitoForms:

                Code:
                POST: https://{espocrm-domain.com}/api/v1/CognitoForm/freeTrial/{apiKeyGeneratedInLeadCaptureAdminPanel}
                where "CognitoForm" is the name of the controller, "freeTrial" the action, and the "apiKey" a key generated using the "LeadCapture" function from the administration interface.

                Anyways, hope this is helpful to someone!
                Last edited by jflores; 01-21-2023, 09:41 PM.
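
Added example, not code from this thread or from EspoCRM: a plain-PHP gate for a route registered without framework authentication, covering the checks the handler then has to do itself (allowlisting the URL-supplied action, constant-time key comparison, failing with an error status). The function name `gateNoAuthRequest`, the 32-character key format and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide the HTTP status for a request arriving on an unauthenticated route.
 * Hypothetical helper: nothing here is an EspoCRM API.
 *
 * @param string[] $allowedActions actions this endpoint may dispatch to
 * @param string[] $keyDigests     SHA-256 hex digests of the accepted keys
 */
function gateNoAuthRequest(string $action, string $apiKey, string $rawBody,
                           array $allowedActions, array $keyDigests): int
{
    // ":action" comes from the URL, so only dispatch to actions listed here.
    if (!in_array($action, $allowedActions, true)) {
        return 404;
    }
    // Reject malformed keys before hashing (length and charset are assumptions).
    if (preg_match('/^[A-Za-z0-9]{32}$/', $apiKey) !== 1) {
        return 403;
    }
    // Compare digests in constant time and check every entry, with no early exit.
    $candidate = hash('sha256', $apiKey);
    $match = false;
    foreach ($keyDigests as $digest) {
        $match = hash_equals($digest, $candidate) || $match;
    }
    if (!$match) {
        return 403;
    }
    // Authenticate first, then look at the payload.
    if ($rawBody === '' || json_decode($rawBody) === null) {
        return 400;
    }
    return 200;
}

// Constructed sample values, not real keys.
$sampleKey = str_repeat('a1B2', 8);              // 32 characters
$digests   = [hash('sha256', $sampleKey)];       // store digests, not raw keys
$actions   = ['freeTrial'];

// Valid key and action, wrong key, and an action that is not allowlisted.
var_dump(gateNoAuthRequest('freeTrial', $sampleKey, '{"email":"x@example.test"}', $actions, $digests));
var_dump(gateNoAuthRequest('freeTrial', str_repeat('z', 32), '{}', $actions, $digests));
var_dump(gateNoAuthRequest('delete', $sampleKey, '{}', $actions, $digests));
```

Because the key travels in the URL path in the route above, it is also written to web server access logs, so those logs need the same protection as the key and the key should be rotated if they are exposed.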
