Many of our customers reported that click2call functionality is not working in the SuperReceptionist app (product - Freshsales and FreshworksCRM).
On debugging, I found that c2c functionality is not working because, when calling our c2c API through client.request, we use the secure config parameter sr_api_key, which is not being replaced with the actual value by the Freshworks server when it calls the API. On our server we are getting the API hit with an empty string as the api_key value.
"<%= iparam.sr_api_key %>" is replaced with the actual value in another API call where it is passed in headers, but it is replaced with an empty string when passed in another API parameter, in this case a form parameter.
The API hit is being received at our server with an empty API key.
Expected - “<%= iparam.sr_api_key %>” should get replaced with the actual config value of sr_api_key wherever it is passed while executing the API
Actual - “<%= iparam.sr_api_key %>” gets replaced with an empty string while executing the API if “<%= iparam.sr_api_key %>” is passed in an API parameter other than headers
Impact - All our Freshsales and FCRM customers are impacted and are not able to initiate click2call from the CRM
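A static check for the pattern described in the post above, as an added example that is not part of the original thread or Freshworks' own code: it walks a request options object and reports secure iparam templates placed anywhere other than `headers`. The sample option objects, the `form` and `agent` keys and the `x-api-key` header name are constructed assumptions.

```javascript
// Added example: flag secure iparam templates placed outside `headers`.
// Per the thread, templates in headers are substituted, while templates in
// other request parameters (such as form fields) arrive as empty strings.
const IPARAM_TEMPLATE = /<%=\s*iparam\.([A-Za-z0-9_]+)\s*%>/g;

function findIparamsOutsideHeaders(options) {
  const findings = [];

  // Recursively visit strings, arrays and nested objects.
  function walk(value, path) {
    if (typeof value === 'string') {
      for (const match of value.matchAll(IPARAM_TEMPLATE)) {
        findings.push({ path: path.join('.'), iparam: match[1] });
      }
    } else if (Array.isArray(value)) {
      value.forEach((item, i) => walk(item, path.concat(String(i))));
    } else if (value && typeof value === 'object') {
      for (const [k, v] of Object.entries(value)) walk(v, path.concat(k));
    }
  }

  for (const [key, value] of Object.entries(options)) {
    if (key.toLowerCase() === 'headers') continue; // substituted, per the thread
    walk(value, [key]);
  }
  return findings;
}

// Constructed sample: key sent as a form parameter (the failing case).
const formCall = {
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
  form: { api_key: '<%= iparam.sr_api_key %>', agent: '1001' },
};

// Constructed sample: key moved to a header (header name is an assumption;
// the receiving server must be changed to read it from there).
const headerCall = {
  headers: { 'x-api-key': '<%= iparam.sr_api_key %>' },
  form: { agent: '1001' },
};

console.log(findIparamsOutsideHeaders(formCall));
console.log(findIparamsOutsideHeaders(headerCall));
```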
Thank you for reaching out to us and raising this concern immediately @gourav.kumar.
I do want to apologise on behalf of the Freshworks Platform team for affecting your customer experience due to this change. We unfortunately had little runway to give warning to our partners given the seriousness of the security issue beneath this change.
Now that your app should be temporarily re-enabled to work despite this restriction, please do let us know how we can help you update the same to work without needing to post these parameters through the request body. Our developer advocates and our app review teams will be on standby to help with this transition.
Hello @gourav.kumar. Apologies if it took longer than expected. I believe your app should now be working. We have made the updates on our end. Please do confirm the same when you get a chance.
@satwik Requesting you to check how notifications for critical changes that might break apps reach a wider audience. Below are a few suggestions:
Send mail to the app owner/developer as well as to the app support mail, not just to developer forum members.
Mail related to these should be marked important. This, I feel, is very important. My work is involved with 10-12 other CRMs. Every day I get multiple mails from each CRM and their sales/marketing/developer forum. This will help app developers stay up to date with relevant important mails.
Send a proper error message if something is deprecated or no longer supported. This will save debugging time.
Send a follow-up/reminder mail to make sure the previous mail is read by the intended user.
Give developers a proper deadline to accommodate the relevant changes.
Thanks for sharing this feedback @gourav.kumar. We are taking each feedback from this experience to heart and I do hope it will show in the coming days and weeks given we have further security-related advancements planned.
Under normal circumstances, we would not break an app experience without sufficient runway to deal with this. We however had guidance that we could not hold back this deployment given the severity of the vulnerability it exposed. I do realize, based on your feedback, how we could have nevertheless done this better, and not just left it to notifications from a forum post. Thank you for working with us to get this immediate problem addressed. We look forward to an updated app that does not require the workaround we have currently applied. Please let us know how we can help with that.