Whitelisting domains in freshdesk

Amaresh_S_M · October 1, 2021, 12:55pm

I am building an app for Freshdesk, I am using some APIs to fetch details from 3rd party service (Shopify) so I whitelisted those third-party domains inside the manifest.json file to avoid errors. But when I tried to use the API inside the app it throws an error “This domain has not been whitelisted”.

Whitelisted domains in the manifest.json file.

  "whitelisted-domains": [
    "https://*.freshdesk.com",
    "https://www.freshworksapps.com",
    "https://*.myshopify.com"
  ]

API endpoint URL (from where I am trying to get data) - https://addfd_api_key:asdf_passowrd@sample-store2.myshopify.com/admin/api/2021-07/orders.json
Shopify’s URL format is https://{apikey}:{password}@{hostname}/admin/api/{version}/{resource}.json.

Since the URL contains ‘:’ and ‘@’ I tried whitelisting with ‘:’,’@’.

  "whitelisted-domains": [
    "https://*.freshdesk.com",
    "https://www.freshworksapps.com",
    "https://*:*@*.myshopify.com"
  ]

But the above-whitelisted syntax throws an error: [ERROR] Whitelisted domains must not have more than one subdomain: https://:@*.myshopify.com.

let me if am missing anything.

Raviraj · October 2, 2021, 7:32am

Hi @Amaresh_S_M,

Both the methods that you have tried would not work for the API endpoint that you have shared. Ideally, using credentials in the API URL is not considered secure.

Since multiple dynamic attributes are used in the URL before the domain, I will get the right way to whitelist this domain or what alternative can be considered.

Could you share the API documentation link for the mentioned API and which authentication mechanism are you using here and why chose them?

Amaresh_S_M · October 4, 2021, 3:42am

Thanks @Raviraj Yes, In frontend using credentials in the URL is not secure, when we use client.request method the API call is initiated from the server I am right ? So I tried using that way. Also there is an alternative to this approach using Shopify-Access-Token.

Shpify API Documentation link - Basic HTTP authentication

Raviraj · October 4, 2021, 8:24am

@Amaresh_S_M Shopify also supports adding credentials in the Authorization header it seems. Were you able to try that out only with the store name in the URL?

Is the Shopify Access Token part of OAuth based on authentication? If so, it would not be supported for multiple stores, I assume. Could you validate that part as well if you would want to support multiple stores in Shopify?

Amaresh_S_M · October 18, 2021, 8:25am

@Raviraj Thanks used credentials in the header it worked for me.

system · January 16, 2022, 8:25am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.