Where does the Auth ticket come from?

I am trying to create a URL similar to the one below, but I do not know where to get the "auth_ticket" info (ticket=[Auth_Ticket]). Where do I get this info to enter? Thanks


https://target_domain/db/target_dbid?a=API_GenResultsTable&ticket=auth_ticket&apptoken=app_token&qid=5&jht=1&query={'6'.CT.'done'}AND{'14'.CT.'USA'}&clist=7.8&slist=6&options=sortorder-A

rocketc

Posted 1 year ago

Ⲇanom the ultimate (Dan Diebolt), Champion

You don't have to worry about supplying the ticket if you are already logged into QuickBase through a browser. In this case the ticket will already have been set in an https only cookie and will be sent to the QuickBase server automatically.

Matthew Neil

But if you really wanted a ticket, you can get one via this request.

https://<em>target_domain</em>/db/main?a=API_Authenticate&username=PTBarnum<br>&password=TopSecret&hours=24<br>

Where you can set the length of how long the ticket is valid.

This comes in handy if you want to send an email notification with a link that expires.

Matthew Neil

It messed up the formatting:
https://target_domain/db/main?a=API_Authenticate&username=PTBarnum&password=TopSecret&hours=24

Ⲇanom the ultimate (Dan Diebolt), Champion

Placing a URL in an email that includes a username and password is a very bad idea as it needlessly exposes the credentials to future discovery and use. In practical terms, the only place to use API_Authenticate is from a server or some other place outside the browser.

Matthew Neil

You don't put the username and password in the URL that is sent, just the Auth ticket that is set to expire in x number of hours.  
#ComeOnMan

Ⲇanom the ultimate (Dan Diebolt), Champion

Placing a ticket in a URL sent via email is an equally bad idea and it may well violate the terms of service. This is called ticket or session sharing. Anyone with the ticket has full access to the QuickBase session for the duration of time the ticket is valid. Email is an insecure way of sending credentials, session information or other sensitive information.

The only ways to securely access QuickBase are through the GUI login, at which time the ticket will be immediately saved in an https only cookie, or to immediately grab the ticket when API_Authenticate is called from a server or other place outside of a browser. The security access model used by QuickBase is designed to not share tickets with anyone.

I teach information security and know what I am talking about here. QuickBase has excellent security practices and the only way you are going to get in trouble is through human error - such as sharing credentials or tickets in an unauthorized manner.
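
A check that follows from the concerns raised above, as an added example that is not part of the original thread or QuickBase's own code: it scans outbound message text for URLs that carry a ticket, password or app token in the query string and returns a redacted copy of each. The sample message and its ticket value are constructed; the parameter names are the ones in the URLs posted in this thread.

```python
import re

# Parameters from this thread's URLs, most serious first: a password is a
# long-lived credential, a ticket is a live session until it expires.
PARAM_RISK = {"password": "credential", "ticket": "session",
              "apptoken": "app-token", "username": "identifier"}
URL_RE = re.compile(r"https?://[^\s<>\"]+")
# Lookbehind accepts ';' so HTML-escaped separators (&amp;) are matched too.
PARAM_RE = re.compile(r"(?<=[?&;])(" + "|".join(PARAM_RISK) + r")=([^&#\s]+)", re.I)
ACTION_RE = re.compile(r"(?<=[?&;])a=([^&#\s]+)", re.I)


def redact(url):
    """Blank the sensitive values, leaving the rest of the URL untouched."""
    return PARAM_RE.sub(lambda m: m.group(1) + "=REDACTED", url)


def scan(text):
    """Return one finding per URL in text that carries a sensitive parameter."""
    findings = []
    for url in URL_RE.findall(text):
        leaked = {m.group(1).lower() for m in PARAM_RE.finditer(url)}
        if not leaked:
            continue
        action = ACTION_RE.search(url)
        findings.append({
            "action": action.group(1) if action else None,
            "risk": next(r for p, r in PARAM_RISK.items() if p in leaked),
            "leaked": sorted(leaked),
            "redacted": redact(url),
        })
    return findings


# Constructed outbound message; the ticket value is made up for this example.
SAMPLE_EMAIL = """Your report is ready:
https://target_domain/db/target_dbid?a=API_GenResultsTable&ticket=constructed_ticket_value&apptoken=app_token&qid=5
https://target_domain/db/main?a=API_Authenticate&username=PTBarnum&password=TopSecret&hours=24
https://target_domain/db/target_dbid?a=API_GenResultsTable&qid=5
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EMAIL):
        print(finding["risk"], finding["action"], finding["leaked"], finding["redacted"])
```

The third URL in the sample produces no finding because it relies on the browser's session cookie instead of a ticket in the query string.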

Matthew Neil

The same terms of service are violated when you do "Everyone On The Internet".

If you design it right, it works great and maintains your security much better than you'd think.