The localAPI() call has a required admin user parameter. This parameter is insecure, prone to errors, lacks traceability and adds a lot of duplicate code to modules written by third-party developers.
Internal API calls through localAPI() only ask of a developer to specify the admin user. This can be any admin user with the required permissions, but the developer can specify whatever admin he or she wants. I don't trust developers and neither should WHMCS.
WHMCS support recommends to use $_SESSION or WHMCS\Session to get the current administrator. This probably leads to duplicate code in hundreds of modules where it could be handled from localAPI() directly. It's a local API and it must be possible to have it get the information from the session object by itself. This ensures that developers can't go wrong, adds security and removes a lot of duplicate code in the WHMCS ecosystem.
Being able to specify the admin user introduces another problem: audit logs. The localAPI() call is extremely useful when it comes to mimicking WHMCS functionality without having to reinvent the wheel (duplicate code, anyone?). This means calls are made from within the client area too. Since there is no admin user authenticated at the time, as a developer you need to specify the admin user yourself. This completely removes the concept of audit logs. All calls are made through the same admin user. Aside from the security issues I have with this, there is no way to tell who actually made the change. Having a separate API user for internal API calls seems abundant too. It adds an extra layer that needs to be developed (over and over again) that can be abused / brute forced.
I've been discussing this with technical support and, although every single one of them has been really helpful, none of them seems to grasp the problems I'm seeing with the current implementation. It's all 'by design', but the design, in my personal opinion, is flawed.
Featured Comment
This has been implemented in version 7.2.0, which is currently in beta. You can see it in the changelog with the entry:
FEATURE-1096 - Attribute local API calls to "Local API User" if an Admin ID is not provided
Have a great day,
Nate C