Secure parameter value is getting replaced with empty string in api call

Many of our customers reported that click2call functionality is not working in the SuperReceptionist app (product - Freshsales and FreshworksCRM).

On debugging I found that the c2c functionality is not working because, when calling our c2c API through client.request, we use the secure config parameter sr_api_key, which is not being replaced with the actual value when the Freshworks server makes the API call. On our server we receive the API hit with an empty string as the api_key value.

"<%= iparam.sr_api_key %>" is replaced with the actual value in other API calls when it is passed in headers, but it is replaced with an empty string when it is passed in another API parameter, in this case a form parameter.

Below is a sample API call.

// konnect_url, sr_number, agent_number, customer_number and product are set
// elsewhere in the app; client is the Freshworks app client object.
var options = {
  method: 'POST',
  url: konnect_url + '/konnect/makecall/',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  // The secure iparam is placed in the form body; this is the value that
  // reaches our server as an empty string.
  form: {
    knumber: sr_number,
    api_key: "<%= iparam.sr_api_key %>",
    agent: agent_number,
    customer: customer_number,
    integration: product
  }
};
client.request.post(options.url, options).then(
  function (data) {
    console.log("data", data);
  },
  function (error) {
    console.log("error", error);
  }
);

The API hit is being received at our server with an empty api key.

Expected - "<%= iparam.sr_api_key %>" should get replaced with the actual config value of sr_api_key wherever it is passed while executing the API.

Actual - "<%= iparam.sr_api_key %>" gets replaced with an empty string while executing the API if "<%= iparam.sr_api_key %>" is passed in an API parameter other than headers.

Impact - All our Freshsales and FCRM customers are impacted and are not able to initiate click2call from the CRM.

Requesting you to check this on priority.

@Saif


@gourav.kumar,

Owing to security issues, as updated in the announcement
Security updates to the platform - 19 May 2021:

Developer Platform will suspend supporting installation parameters made secure in the Request body

I would request you to change it accordingly.

Meanwhile, kindly create a support ticket at marketplace@freshworks.com to allow the app temporarily.

We need the account ID and app ID to unblock it, but this is a temporary solution.

Hope it helps :)

Thanks,
Santhosh

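A check for the situation Santhosh describes, as an added example that is not part of the original thread or of the Freshworks SDK: it walks a request-options object and flags every secure iparam template that is not in headers, and shows the click2call request rebuilt with the key in a header. It assumes the Konnect endpoint can read the key from a header; the header name X-API-Key and the sample values are constructed.

```javascript
// Added example, not from the thread or the Freshworks SDK. Assumes the Konnect
// endpoint can read the key from a header; "X-API-Key" is a hypothetical name.
const IPARAM_TEMPLATE = /<%=\s*iparam\.([A-Za-z0-9_]+)\s*%>/;

// Walk request options and report every iparam template that sits anywhere
// other than `headers` (url, form, body, json...). Since the platform change,
// such placeholders are substituted with an empty string, so flagging them
// before the call replaces the server-side debugging described above.
function findIparamsOutsideHeaders(options, path = []) {
  const hits = [];
  if (typeof options === 'string') {
    const m = IPARAM_TEMPLATE.exec(options);
    if (m && path[0] !== 'headers') hits.push({ path: path.join('.'), iparam: m[1] });
  } else if (options && typeof options === 'object') {
    for (const [key, value] of Object.entries(options)) {
      hits.push(...findIparamsOutsideHeaders(value, path.concat(key)));
    }
  }
  return hits;
}

// The click2call request with the secure key moved out of the form body and
// into a header, the only position where the platform still substitutes it.
function buildMakecallOptions(konnectUrl, p) {
  return {
    method: 'POST',
    url: konnectUrl + '/konnect/makecall/',
    headers: {
      'content-type': 'application/x-www-form-urlencoded',
      'X-API-Key': '<%= iparam.sr_api_key %>'   // hypothetical header name
    },
    form: { knumber: p.sr_number, agent: p.agent_number,
            customer: p.customer_number, integration: p.product }
  };
}

// Constructed copy of the original (broken) request shape, for comparison.
const brokenOptions = {
  method: 'POST',
  url: 'https://konnect.example/konnect/makecall/',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  form: { knumber: '100', api_key: '<%= iparam.sr_api_key %>',
          agent: '200', customer: '300', integration: 'freshsales' }
};

console.log(findIparamsOutsideHeaders(brokenOptions)); // [{ path: 'form.api_key', iparam: 'sr_api_key' }]
console.log(findIparamsOutsideHeaders(buildMakecallOptions('https://konnect.example', {}))); // []
```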

Thanks @Santhosh

Raising a support ticket for quick resolution. Will make changes in the app accordingly.

Thank you for reaching out to us and raising this concern immediately @gourav.kumar.
I do want to apologise on behalf of the Freshworks Platform team for affecting your customer experience due to this change. We unfortunately had little runway to give warning to our partners given the seriousness of the security issue beneath this change.

Now that your app should be temporarily re-enabled to work despite this restriction, please do let us know how we can help you update the same to work without requiring to post these parameters through the request body. Our developer advocates and our app review teams will be on standby to help with this transition.

Meanwhile, stay safe and healthy.


@satwik, the secure installation parameter in the request body is still getting replaced with an empty string.
I already created support ticket https://support.freshdesk.com/support/tickets/8789488 but didn't receive any update so far.

Hello @gourav.kumar. Apologies if it took longer than expected. I believe your app should now be working. We have made the updates on our end. Please do confirm the same when you get a chance.


@satwik, the app is working now.

@satwik, requesting you to check how notifications for critical changes that might break apps reach a wider audience. Below are a few suggestions:

  1. Send mail to the app owner/developer as well as to the app support mail, not just to developer forum members.
  2. Mail related to these changes should be marked important. This I feel is very important. My work involves 10-12 other CRMs. Every day I get multiple mails from each CRM and their sales/marketing/developer forums. This will help app developers stay up to date with relevant important mails.
  3. Send a proper error message if something is deprecated or no longer supported. This will save debugging time.
  4. Send follow-up/reminder mails to make sure the previous mail is read by the intended user.
  5. Give developers a proper deadline to accommodate the relevant changes.

Thanks for sharing this feedback @gourav.kumar. We are taking each feedback from this experience to heart and I do hope it will show in the coming days and weeks given we have further security-related advancements planned.

Under normal circumstances, we would not break an app experience without sufficient runway to deal with this. We however had guidance that we could not hold back this deployment given the severity of the vulnerability it exposed. I do realize, based on your feedback, how we could have nevertheless done this better, and not just left it to notifications from a forum post. Thank you for working with us to get this immediate problem addressed. We look forward to an updated app that does not require the workaround we have currently applied. Please let us know how we can help with that.


Thank you @satwik

We do not need any help in updating the app. I have included this task in our roadmap. Will update when it is completed.