  • 1.  Where does the Auth ticket come from?

    Posted 06-01-2017 20:44
    I am trying to create a URL similar to the one below, but I do not know where to get the "auth_ticket" info (ticket=[Auth_Ticket]). Where do I get this info to enter? Thanks


    https://target_domain/db/target_dbid?a=API_GenResultsTable&ticket=
    auth_ticket&apptoken=app_token&qid=5&jht=1&query=
    {'6'.CT.'done'}AND{'14'.CT.'USA'}&clist=7.8&slist=6&options=sortorder-A


  • 2.  RE: Where does the Auth ticket come from?

    Posted 06-02-2017 01:52
    You don't have to worry about supplying the ticket if you are already logged into QuickBase through a browser. In this case the ticket will already have been set in an https only cookie and will be sent to the QuickBase server automatically.


  • 3.  RE: Where does the Auth ticket come from?

    Posted 06-05-2017 01:50
    But if you really wanted a ticket, you can get one via this request.

    https://<em>target_domain</em>/db/main?a=API_Authenticate&username=PTBarnum<br>&password=TopSecret&hours=24<br>

    Where you can set the length of how long the ticket is valid.

    This comes in handy if you want to send an email notification with a link that expires.


  • 4.  RE: Where does the Auth ticket come from?

    Posted 06-05-2017 01:51
    It messed up the formatting:
    https://target_domain/db/main?a=API_Authenticate&username=PTBarnum&password=TopSecret&hours=24


  • 5.  RE: Where does the Auth ticket come from?

    Posted 06-05-2017 11:17
    Placing a URL in an email that includes a username and password is a very bad idea as it needlessly exposes the credentials to future discovery and use. In practical terms, the only place to use API_Authenticate is from a server or some other place outside the browser.


  • 6.  RE: Where does the Auth ticket come from?

    Posted 06-05-2017 14:55
    You don't put the username and password in the URL that is sent, just the Auth ticket that is set to expire in x number of hours.  
    #ComeOnMan


  • 7.  RE: Where does the Auth ticket come from?

    Posted 06-05-2017 15:11
    Placing a ticket in a URL sent via email is an equally bad idea and it may well violate the terms of service. This is called ticket or session sharing. Anyone with the ticket has full access to the QuickBase session for the duration of time the ticket is valid. Email is an insecure way of sending credentials, session information or other sensitive information.

    The only ways to securely access QuickBase are through the GUI login, at which time the ticket will be immediately saved in an https-only cookie, or to immediately grab the ticket when API_Authenticate is called from a server or other place outside of a browser. The security access model used by QuickBase is designed to not share tickets with anyone.

    I teach information security and know what I am talking about here. QuickBase has excellent security practices and the only way you are going to get in trouble is through human error - such as sharing credentials or tickets in an unauthorized manner.
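
Added example, not part of the thread and not QuickBase code: a check a mail gateway or notification job could run on outbound message bodies to flag and redact links that carry the credential or session parameters seen in the URLs above (`ticket`, `apptoken`, `username`, `password`). The function name `scan_message` and the sample message are constructed for illustration.

```python
import re

# Parameter names taken from the URLs posted in this thread.
SENSITIVE = ("ticket", "apptoken", "username", "password")
URL_RE = re.compile(r"https?://[^\s<>\"]+")
PARAM_RE = re.compile(
    r"([?&](" + "|".join(SENSITIVE) + r")=)([^&#\s]+)", re.IGNORECASE
)


def scan_message(body):
    """Return (findings, redacted_body) for an outbound message body.

    findings is a list of (host, [sensitive parameter names]) in order of
    appearance; redacted_body has every sensitive value replaced.
    """
    findings = []

    def scrub(match):
        url = match.group(0)
        # Keep sentence punctuation that trails the URL out of the value.
        core = url.rstrip(".,;)")
        tail = url[len(core):]
        names = sorted({m.group(2).lower() for m in PARAM_RE.finditer(core)})
        if names:
            findings.append((core.split("/")[2], names))
        return PARAM_RE.sub(r"\1REDACTED", core) + tail

    redacted = URL_RE.sub(scrub, body)
    return findings, redacted


# Constructed sample message; ticket and token values are placeholders.
SAMPLE = (
    "Report: https://target_domain/db/target_dbid?a=API_GenResultsTable"
    "&ticket=CONSTRUCTED_TICKET&apptoken=CONSTRUCTED_TOKEN&qid=5\n"
    "Login: https://target_domain/db/main?a=API_Authenticate"
    "&username=PTBarnum&password=TopSecret&hours=24\n"
    "Cookie-authenticated link: "
    "https://target_domain/db/target_dbid?a=API_GenResultsTable&qid=5\n"
)

if __name__ == "__main__":
    found, clean = scan_message(SAMPLE)
    for host, names in found:
        print("BLOCK", host, ",".join(names))
    print(clean)
```

The third link passes untouched because it relies on the recipient's own login cookie rather than an embedded ticket.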


  • 8.  RE: Where does the Auth ticket come from?

    Posted 06-05-2017 15:22
    The same terms of service are broken when you do "Everyone On The Internet".

    If you design it right, it works great and maintains your security much better than you'd think.