Is it possible to add wildcards, subnets, CIDR blocks to the API IP address field?
The one-key/one-IP works when using "classic" architecture, but when using public cloud services there are whole blocks of addresses where the requests may come from.
If the answer is "no", can anyone point me to the code that checks the IP address of the sender when an API call is received?
Thank you,
Pablo

    This is the exact same problem I'm having and it's driving me mad. It's bad enough OSticket looks like something out of the 90's, let alone it being incompatible with modern cloud services.

    SORT THIS OUT OSTICKET. I'm going back to zendesk.

    agco

    I've figured out how to completely disable IP validation - there doesn't seem to be any information anywhere on the internet about how to do this so here it is to anyone who needs it. This definitely works on the latest version.

    Open the file /include/class.api.php

    The solution is to remove the three references to:
    $_SERVER['REMOTE_ADDR']

    That then completely disables any IP validation however the API key will still be validated. You will still need to attach an IP to the API key in the admin panel - just use 99.99.99.99

    Just replace this code:

    function requireApiKey() {

        if(!($key=$this->getApiKey()))
            return $this->exerr(401, __('Valid API key required'));
        elseif (!$key->isActive() || $key->getIPAddr()!=$_SERVER['REMOTE_ADDR'])
            return $this->exerr(401, __('API key not found/active or source IP not authorized'));

        return $key;
    }

    function getApiKey() {

        if (!$this->apikey && isset($_SERVER['HTTP_X_API_KEY']) && isset($_SERVER['REMOTE_ADDR']))
            $this->apikey = API::lookupByKey($_SERVER['HTTP_X_API_KEY'], $_SERVER['REMOTE_ADDR']);

        return $this->apikey;
    }

    Replace with this code:

    function requireApiKey() {

        if(!($key=$this->getApiKey()))
            return $this->exerr(401, __('Valid API key required'));
        elseif (!$key->isActive())
            return $this->exerr(401, __('API key not found/active or source IP not authorized'));

        return $key;
    }

    function getApiKey() {

        if (!$this->apikey && isset($_SERVER['HTTP_X_API_KEY']))
            $this->apikey = API::lookupByKey($_SERVER['HTTP_X_API_KEY']);

        return $this->apikey;
    }

    Enjoy!

      a year later

      I was so hopeful this was going to work for me.

      We are trying to create a webhook that allows Zapier to take our new spreadsheet rows and create a ticket. Zapier uses Amazon servers so their IP is rarely consistent.

      After the code changes you outlined, we were still getting API Error (401) errors.

      Are there any additional steps we should take? I wish osTicket would have Zapier integration.

        7 months later

        hertingford this worked for me thanks! @ntozier personally I think we should have the option to disable the IP validation for API requests. As several other posters have mentioned, this is very common nowadays in modern cloud environments especially those that run containers and use load balancers / floating IPs. It would be nice if there was a simple checkbox to toggle it on or off or else offer a more robust way to make it secure such as requiring an API ID along with the key.

        themayor check your Zapier API settings. I'm using the Webhook action with JSON trigger and it's working for me with this code change. Make sure all your fields are correct and also don't forget to include the X-API-Key header of course.

        2 years later

        ukush4

        Just beware that with the changes suggested by hertingford your API will be highly vulnerable. The changes will open your helpdesk to many different attacks/vulnerabilities like mass spam, DDOS, etc. Basically, the changes make it to where any IP can make a request to your API.

        Cheers.
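
For the CIDR question that opens the thread: a range check that could stand in for the exact `$key->getIPAddr()!=$_SERVER['REMOTE_ADDR']` comparison instead of removing it. This is an added example, not part of any post and not osTicket code; `ip_in_allowlist()` is a hypothetical helper, and it assumes the key's IP field would hold a comma-separated list of addresses and CIDR blocks. The sample addresses are constructed.

```php
<?php
// Added example, not osTicket code; ip_in_allowlist() is a hypothetical helper.
// $allowlist: comma-separated single addresses or CIDR blocks (assumed format).
function ip_in_allowlist(string $remote, string $allowlist): bool {
    $addr = @inet_pton($remote);
    if ($addr === false)
        return false; // unparsable source address: deny

    foreach (explode(',', $allowlist) as $entry) {
        $parts = explode('/', trim($entry), 2);
        $net = @inet_pton($parts[0]);
        // Skip malformed entries; never compare IPv4 against IPv6.
        if ($net === false || strlen($net) !== strlen($addr))
            continue;
        $maxBits = strlen($net) * 8;
        if (isset($parts[1])) {
            if (!ctype_digit($parts[1]) || (int) $parts[1] > $maxBits)
                continue; // bad prefix length: ignore the entry
            $bits = (int) $parts[1];
        } else {
            $bits = $maxBits; // bare address means exact match
        }
        // Compare the whole bytes first, then the remaining high bits.
        $bytes = intdiv($bits, 8);
        $rem = $bits % 8;
        if (substr($addr, 0, $bytes) !== substr($net, 0, $bytes))
            continue;
        if ($rem === 0)
            return true;
        $mask = (0xFF << (8 - $rem)) & 0xFF;
        if ((ord($addr[$bytes]) & $mask) === (ord($net[$bytes]) & $mask))
            return true;
    }
    return false;
}

// Constructed sample values (documentation address ranges).
$allow = '203.0.113.7, 198.51.100.0/24, 2001:db8::/32';
foreach (['198.51.100.42', '192.0.2.1', '2001:db8::1', 'not-an-ip'] as $ip)
    printf("%-15s %s\n", $ip, ip_in_allowlist($ip, $allow) ? 'allow' : 'deny');
```

The `API::lookupByKey()` call quoted in the thread also receives `REMOTE_ADDR`, so the key would have to be looked up by key alone before a check like this is applied. `REMOTE_ADDR` is the address of the immediate peer, so behind a load balancer it is the balancer's address rather than the client's.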
