[solved] Additional security in the API

MAPIIIAJI · April 4, 2021, 3:18pm

Anton, hello!
I noticed one peculiarity when sending SMS via API.
Namely, some of the required directives are u (username) and h (api token). It so happens that even if a person knows the API token, but at the same time does not know the username, he will be able to generate and send SMS. In a word, there is no link between the username and the API-token in the system. It seems to me it would be great to write logic that checks for the presence of two directives and their binding to each other. This will give additional security and reliability to the system.

Respectfully,
Jamshid Tursunov

anton · April 5, 2021, 4:54am

See config.php:

github.com

playsms/playsms/blob/1.4.3/web/config-dist.php#L80


// limit the number of queue processed by sendsmsd in one time
$core_config['sendsmsd_queue']	= 10;
// limit the number of chunk per queue
$core_config['sendsmsd_chunk']	= 20;
// chunk size
$core_config['sendsmsd_chunk_size'] = 100;
// webservices require username
$core_config['webservices_username']	= true;

Option $core_config['webservices_username'] sets to default that the username should be included in API, if its false then username is not required.

If thats not the case then its a bug.

anton

MAPIIIAJI · April 7, 2021, 4:50am

Thanks Anton, it was set to “false”
Topic is closed

Respectfully,
Jamshid Tursunov

system · June 6, 2021, 4:50am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Open Sender ID in playsms 1.3.1 Install and Upgrade	4	1404	November 23, 2015
Send sms through API Help	3	1773	August 25, 2016
Sms id send to gateway URL Dev	2	1135	January 28, 2019
Send sms with senderid Help	6	1326	March 25, 2020
Integrate playsms to API gateway only Help	7	984	April 14, 2020

[solved] Additional security in the API

Related Topics