We are using iparams in our Freshdesk custom app (serverless). While their values are not visible to anyone with Freshdesk access due to the api_key type, how are these values stored internally? Could there be any potential security issues with this?
Additionally, we are making a call to an external service from within the app using onTicketUpdateHandler. Here’s the code sample for reference. I’d like to know if these calls are server-to-server or browser-to-server. Does the call happen from the server whenever a ticket changes, or does it happen from the browser of the agent who makes changes to the ticket?
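```javascript
const axios = require('axios');

// Credentials are read from the app's installation parameters (iparams).
const username = args.iparams.username;
const password = args.iparams.password;
// HTTP Basic auth value: base64 is an encoding, not encryption.
const base64Credentials = Buffer.from(`${username}:${password}`).toString('base64');
const headers = {
  "Content-Type": "application/json",
  "Authorization": `Basic ${base64Credentials}`
};

// webhookPayload is built elsewhere in the handler (not shown in the post).
axios.post('our_exposed_endpoint_url', webhookPayload, { headers })
  .then(response => {
    // changes.responder_id holds [previous, new] agent ids.
    console.log('Assignment Changed Successfully from ' + args['data']['ticket']['changes']["responder_id"][0] +
      ' to ' + args['data']['ticket']['changes']["responder_id"][1] +
      ' with response: ', response.data);
  })
  .catch(error => {
    console.error('Error occurred while making the POST request:');
    if (error.response) {
      // The endpoint answered with a non-2xx status.
      console.error('Status Code:', error.response.status, ' Response Data:', error.response.data);
    } else {
      // No response at all (DNS failure, timeout, refused connection).
      console.error(error.message);
    }
  });
```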
Lastly, we want to restrict access to our API endpoint so that only Freshdesk servers can hit it. For this, we plan to implement IP whitelisting. How can we find the list of IP addresses used by Freshdesk for the custom app when it is launched?
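
For the receiving side of the plan described above, here is an added example (not code from the original post or from Freshworks) of an endpoint check that combines a source-IP allowlist with verification of the Basic credentials the handler sends. The CIDR range is a constructed documentation placeholder, not a Freshdesk address, and `authorize`, `parseBasic` and `safeEqual` are hypothetical names.

```javascript
const crypto = require('crypto');
const net = require('net');

// Constructed placeholder range (RFC 5737 documentation block), NOT real Freshdesk IPs.
// net.BlockList is used here as an allowlist: check() returns true for listed sources.
const allowedSources = new net.BlockList();
allowedSources.addSubnet('203.0.113.0', 24, 'ipv4');

// Compare via SHA-256 digests so timingSafeEqual always receives equal-length buffers.
function safeEqual(a, b) {
  const ha = crypto.createHash('sha256').update(String(a)).digest();
  const hb = crypto.createHash('sha256').update(String(b)).digest();
  return crypto.timingSafeEqual(ha, hb);
}

// Parse "Basic <base64(user:pass)>"; returns null on malformed input.
// Splits on the first colon only, so passwords may contain ':'.
function parseBasic(header) {
  const m = /^Basic ([A-Za-z0-9+/]+=*)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const idx = decoded.indexOf(':');
  if (idx < 0) return null;
  return { username: decoded.slice(0, idx), password: decoded.slice(idx + 1) };
}

// Returns the HTTP status the endpoint should answer with.
function authorize(remoteIp, authHeader, expected) {
  // Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d
  const ip = remoteIp.startsWith('::ffff:') ? remoteIp.slice(7) : remoteIp;
  if (!net.isIPv4(ip) || !allowedSources.check(ip, 'ipv4')) return 403;
  const creds = parseBasic(authHeader);
  if (!creds) return 401;
  // Evaluate both comparisons before combining, so timing does not reveal which one failed.
  const userOk = safeEqual(creds.username, expected.username);
  const passOk = safeEqual(creds.password, expected.password);
  return userOk && passOk ? 200 : 401;
}
```

Behind a reverse proxy or load balancer, `remoteIp` must be the client address as reported by a proxy you control, not a client-supplied forwarding header.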