AccelerateNetworks / fusionpbx-webtexting

GNU Affero General Public License v3.0

New Token scheme for interacting with sms.callpipe.com #30

Closed uncheckederror closed 5 months ago

uncheckederror commented 7 months ago

https://github.com/AccelerateNetworks/fusionpbx-webtexting/blob/82170b891e25100c65110e53ef480d1c77cf01fd/providers/accelerate-networks.php#L63C1-L64C1

The above line seems to grab the auth token for POSTing requests to the Messaging API at sms.callpipe.com from the SESSION. I am not sure where the value comes from, but I know that it is no longer going to work. We need to find all the places that consume this token for interacting with sms.callpipe.com and update them.

To get a token from the new version of sms.callpipe.com you'll need to submit a username and password for a valid account in the ops.acceleratenetworks.com app to the /login endpoint. You'll need to POST a JSON body like this:

{
  "email": "string",
  "password": "string"
}

In response you'll receive something like this:

{
  "tokenType": "Bearer",
  "accessToken": "CfDJ8EM4yFX--dROl8EGtE7CURgx6YKQ_TFRsaOvspAbf40UXtRgXJjaXW4EL3Gv1Ry7w1TSA1iCmMdUrGUJ_ONuQklfv6eOyFBW290uKb4kbdee0qL0qhexQRpL9Ah6S0Zk3RhVVazXbIzKXYTZqdvL7Fv6W7aoh0Y4ftMgjU6os6NzzqN0D2PIdbSpCGWFwaGBLe1MbURFzirtHyYtnoNTk9eyhRqaOSEbIGqFtgwKTADRAqaDctkfRTXSI6gztGynTjJUspNwN-X2nKHNR2My-DbY_VsFnsdfkz8eeaCUkGAF9NcbEBx1fRmV3fm2JOSIwzncJuqmdcaDx0oXUJDh9Cwjb8iTSVl9aobIGqFDR_LuoDJHp7t2GdnKKFW_EBT1ewkYqviD2gLDQJEWWHbDuhk9zJ2I_CCb81DLsd5L7VFKr90WUpMAy6OnReozdYkqjiT3Zb7UlniTcrYTFqP8urg0sYmYBSGK11iKh5NjOSNOHOICyFp5GDQbDFWpRR5ErPhAI1agOkGmCEtR9db4wn0R2ciXiV7fv4LGFPM1JzH2t8_-EJYWcsAzQzxCrsgvKn1bHTo7crCTGChCiiC6zBlcrtvqKkW3n6j4Q_STjyIg9IBeHoZOqt3AnTtl02vUz-PVFvmdHlzDgwDYv9fWZw4qmAsRRDXRBcsOYmt1xppSSujStAv340Q6ZOMB-Uef9F5NB9cC4nIcjQWLTsy2Qje8R1mHA7xV6Du_0xqtOXs_Jp-3L3iMtsF_c2HM0Ph2iZci9kgN36fIJXURIXPeE-_SJwM4xtxQhw0VZL5LQT4JDIciEpVa5Dve3Jp5FjbqOJCRtHWBi1ml9BL-mANRKiNJ8JbuLN6k9DAckYsjVummCMIKcosXWqSwLqwhcuYj-HF6RBeI-UzhFmHe2jr3AID9jkZR_BVKKkhOkqh2719K",
  "expiresIn": 3600,
  "refreshToken": "CfDJ8EM4yFX--dROl8EGtE7CURjxb53FHGWhLFD__XvzPLw_e5aPLXvOhU8qNG9CVr82LcnAmmN7_ZDW4SsRwL90PhohxduYBDrvOLUYsKIQd1Sr-uvJ06z6FVE8R5N1QKIQbIDtWrNzgGOK0C9LaJ_i6XKN5h5f2FLOSi08BU3EbsW1tTyox-o4aa-J1aGLOQxoGb9F4fKr3JmHUnPg88Fye2fNM_KADwBO_Q2gOqQsobaeCs993O28Ijs6w-khbb4j7Ka8cS2wzEETdFz16gYNVOEbD5lqsVDIp8KneWYGWOsVl8dkxbUS2EaL64GRPM3y78Dt_iL958mwvGCnp4sYQrdl-TjM1_8onGAGwnZCoHSbgYIRBpwNbxoH7jvBy4c3w2VZA-amRvCOKQWR2OrRTNC87WxkkAsD5uxRgsekMXqYe1lWeLgADksHvAZA17Zg-xBOxv3Tjvv30TLQ3C1pWQ_v75gpIY313orsIYmQnH75eyNhJ6IsusX9YMQZTWp1x07g0XbQNix1rY8f7LpKMOa-Y4G-yWjiedpmOhBCkWCHB8HRlzBVapejjAddKaqC2jrPkUaMUZWBkSBD-id0_zkjy7rE0uJpET4u50rCLwUfRTRZSRdS4nx7z896f7_kQqYzhuJtpV7Qt9vYf3J7km-dwAgUC6LooUJAIpHqq1VoZUBvH25oOL6rhJbi0mpOYE8xqB8Krqd8YsSd6WJoVDQNjG1wlTX_Ot0EfVvWpTNS7ISQxEV-t9vJHdQe-ihDTvhKMLTHipoHTgkbcrEpTLjI1jTUnaeNDau8G3SCiWyj7taqokS51jf5ydZm-be1QqfveUGWtusXqSKShLw6XN2Mr_kTJR0XNi4r0Cor_IVOdV0XDks2X1N5pxnATG_9D8JsZsos23EvAkAoJjLoz-bCaTpkkljP-Rb3HGPSxJMh"
}

Where currently we add an Authorization header to the outbound message request and give it the value

"Bearer ".$_SESSION['webtexting']['acceleratenetworks_api_key']['text']

We'll need to update this to replace "$_SESSION['webtexting']['acceleratenetworks_api_key']['text']" with the value of the "accessToken" field from the /login response JSON. But this "accessToken" will only be valid from the point in time when the /login endpoint responds to you until the "expiresIn" time span elapses, in this case 3600 seconds or 1 hour. At any time prior to that expiration the "accessToken" will be valid.

To get a new accessToken without repeating the login you can use the refresh token on the /refresh endpoint.

{
  "refreshToken": "string"
}

And get back another:

{
  "tokenType": "Bearer",
  "accessToken": "...",
  "expiresIn": 3600,
  "refreshToken": "..."
}

Alternatively you can just repeat the login process, but you don't want to repeat the login process every time you need to make a request to sms.callpipe.com as that would be wasteful. You need some method to manage getting and refreshing a valid token that lives outside of the HTTP call; perhaps you could store everything in the session and then log in or refresh if the session values are invalid just before making the outbound HTTP call.

IIRC, the old tokens never expired so the same token was used all the time to auth requests to sms.callpipe.com, but that will not work anymore and it was sad from a security PoV that we were doing that before.

I have not deployed the updated token scheme to sms.callpipe.com as it will break the current version of webtexting. If you want to try it out while building this feature you can run the Messaging project locally. https://github.com/AccelerateNetworks/NumberSearch/tree/master/Messaging

@danry25 I think we'll need to deploy the new sms.callpipe.com first, which will break webtexting, and then an updated version of webtexting that can handle this new token scheme shortly thereafter to minimize downtime. We should probably do this after hours.
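
The token lifecycle described in the comment above (POST credentials to /login, cache accessToken with its expiry, use refreshToken on /refresh, fall back to /login when that fails) as one added PHP example. This is not code from fusionpbx-webtexting or from the Messaging project; the class and function names, the session key, the config values, the /api/send path and the fake transport used for the offline demo are all assumptions. What the page does fix is the request and response shapes of /login and /refresh and the "Authorization: Bearer <accessToken>" header, and the example follows those exactly.

```php
<?php
// Added example, not code from fusionpbx-webtexting. Assumed: the class and
// function names, the config values, and the fake transport used for the offline demo.

final class CallpipeTokenManager
{
    const REFRESH_SKEW = 60; // refresh this long before expiresIn elapses so an in-flight request cannot hit expiry

    private $baseUrl, $store, $transport, $email, $password;

    // $store is a reference to e.g. $_SESSION['webtexting']['callpipe_token'] (assumed key);
    // $transport is callable(string $method, string $url, ?array $json, array $headers): [int $status, string $body]
    public function __construct(string $baseUrl, array &$store, callable $transport, string $email, string $password)
    {
        $this->baseUrl = rtrim($baseUrl, '/');
        $this->store = &$store;
        $this->transport = $transport;
        $this->email = $email;
        $this->password = $password;
    }

    /** Return a still-valid access token: cached, else /refresh, else /login. */
    public function accessToken(): string
    {
        if (isset($this->store['accessToken'], $this->store['expiresAt'])
            && $this->store['expiresAt'] - self::REFRESH_SKEW > time()) {
            return $this->store['accessToken'];
        }
        if (!empty($this->store['refreshToken'])) {
            try {
                return $this->obtain('/refresh', ['refreshToken' => $this->store['refreshToken']]);
            } catch (RuntimeException $e) {
                // refresh token expired or revoked: fall back to a full login
            }
        }
        return $this->obtain('/login', ['email' => $this->email, 'password' => $this->password]);
    }

    /** POST $json to $path, persist the token triple, return the new access token. */
    private function obtain(string $path, array $json): string
    {
        list($status, $raw) = call_user_func($this->transport, 'POST', $this->baseUrl . $path, $json, []);
        $resp = json_decode($raw, true);
        if ($status !== 200 || !is_array($resp) || empty($resp['accessToken']) || empty($resp['expiresIn'])) {
            $this->store = []; // never keep a half-valid state; the next call starts over
            throw new RuntimeException("$path returned HTTP $status");
        }
        $this->store = [
            'accessToken'  => $resp['accessToken'],
            'refreshToken' => $resp['refreshToken'] ?? null, // /refresh hands back a new one: always keep the latest
            'expiresAt'    => time() + (int) $resp['expiresIn'], // absolute time, computed when the response arrives
        ];
        return $resp['accessToken'];
    }

    /** Authenticated request; on 401 discard the cached access token and retry once. */
    public function send(string $method, string $path, ?array $json = null): array
    {
        for ($attempt = 0; $attempt < 2; $attempt++) {
            $headers = ['Authorization: Bearer ' . $this->accessToken()];
            list($status, $raw) = call_user_func($this->transport, $method, $this->baseUrl . $path, $json, $headers);
            if ($status !== 401) {
                return [$status, $raw];
            }
            unset($this->store['accessToken'], $this->store['expiresAt']); // the server disagrees with our clock
        }
        return [401, $raw];
    }
}

/** Real transport on ext/curl for use inside FusionPBX; returns [status, body]. */
function curl_json_transport(string $method, string $url, ?array $json, array $headers): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => array_merge($headers, ['Content-Type: application/json', 'Accept: application/json']),
    ]);
    if ($json !== null) {
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($json));
    }
    $body = (string) curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    return [$status, $body];
}

// Offline demo against a constructed fake server (no network needed): it issues
// at1/rt1 on /login, at2/rt2 on /refresh, and rejects the first access token with 401.
$fake = function (string $method, string $url, ?array $json, array $headers): array {
    static $n = 0;
    if (substr($url, -6) === '/login' || substr($url, -8) === '/refresh') {
        $n++;
        return [200, json_encode(['tokenType' => 'Bearer', 'accessToken' => "at$n", 'expiresIn' => 3600, 'refreshToken' => "rt$n"])];
    }
    return in_array('Authorization: Bearer at1', $headers, true) ? [401, 'stale'] : [200, '{"ok":true}'];
};
$session = [];
$mgr = new CallpipeTokenManager('https://sms.callpipe.com', $session, $fake, 'user@example.com', 'secret');
list($status, $body) = $mgr->send('POST', '/api/send', ['to' => '+12065550100', 'message' => 'hi']);
echo "$status $body using {$session['accessToken']}\n";
```

In the demo the first send logs in, gets a 401 for at1, drops the cached access token, refreshes with rt1 and succeeds with at2, which is the whole loop the comment asks for without a second login. In the real provider file the "Bearer ".$_SESSION[...]['text'] expression becomes a call to accessToken() on a manager built with curl_json_transport and a reference into $_SESSION; the account email and password have to come from configuration rather than from the session, since the app needs them to log in again once the refresh token stops working. Two caveats a practitioner would want: the refresh token is as sensitive as the password for as long as it lives, so keep both out of logs and debug output, and a session-backed store only helps if the session itself survives between page loads, which the follow-up issue mentioned at the end of the thread is about.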

dunkeltron commented 5 months ago

@uncheckederror I think we've migrated fully to the new token scheme can we mark this closed? Or would you rather we wait for information on how to persist the tokens?

uncheckederror commented 5 months ago

@uncheckederror I think we've migrated fully to the new token scheme can we mark this closed? Or would you rather we wait for information on how to persist the tokens?

I am going to close this and then open a new issue for figuring out how to persist information between page loads in FusionPBX. Thanks for your work on this!