Is it possible to set an iparam from on our install handler with serverless app?

stevemc · April 22, 2021, 4:27am

I am trying to store the webhook URL to an iparam so I can display in the iparams.html. This way a user can copy the webhook URL from the iparams page which is easy to get to.

here is my onAppInstall method:

  onAppInstallHandler: function(payload) { 
    // Get webhook URL and store in iparams
    res=generateTargetUrl();
    res.then(generateTargetUrlSuccess, generateTargetUrlFail )
    function generateTargetUrlSuccess(url) { 
        console.log("Webhook:", url);
    	????? HOW DO I SET "url" on iparams ??????
    }
    function generateTargetUrlFail(err) { renderData(err) }
  },

Is this callable in a serveless app:

utils.set(‘webhook’, {value: url});

Or alternatively, if I store in DB using following, can I load the value from DB into iparams.html:

res=$db.set('webhook', {'url': url})

or is there another convenient place to store the webhook url?

shravan.balasubraman · April 22, 2021, 8:52am

Hey Steve.

Storing the webhook URL in iparams is not an ideal solution to this problem. Installation parameters serve a different purpose and are often used by the end-users. Webhook URL is an abstraction that the user should not be aware of.

My suggestion would be to take the webhook URL from the serverless logs. Alternatively, you can include an app/app.js & app/template.html that runs in the ticket_background placeholder. Set the webhook URL through $db in the same way you have mentioned, and then get in the app.activated event and log it. You can fetch it from the browser logs anytime you want it.

Hope this helps. Let me know if it works. Cheers

stevemc · April 22, 2021, 5:29pm

I already print webhook to the log so this should be ok but I was thinking it would be a good place to store the webhook in case it was lost in external system. This is a very convenient place for someone to go find the webhook, copy it and paste it into external system like zapier or the Freshworks CRM. Is there a security issue around storing the webhook in the iparams? Is this technically possible to do from serverless app and if so, can you describe how.

shravan.balasubraman · April 23, 2021, 4:08am

As mentioned, there are security concerns in displaying the webhook URL publicly. Anyone with access to it can post events to it and modify things. However, you can display the webhook URL if you want inside a ticket sidebar placeholder and retrieve it, if getting it from logs is not straight forward

stevemc · April 23, 2021, 4:30am

I see. I had assumed that the App used same api key as the freshdesk account but now I understand that was a bad assumption.

stevemc · April 25, 2021, 12:47am

@shravan.balasubraman, Most apps have you enter API key in iparams. Why would the API key be any less sensitive than the webhook?

I noticed that I no longer see the webhook in the logs after a day. So if a user forgets to get the webhook then they cannot ever get it.

Security implications aside, is there a way to set an iparam value from a serveless app server.js file?

Is the following API accessible from servless app:

utils.set(‘<iparam_key>’, {<attribute>: <value>});

shravan.balasubraman · April 27, 2021, 5:22am

Hey @stevemc

To answer your first question, you should always set the api_key as a secure iparam and use only client.request to make requests securely. That way the API key is never exposed

For the second question, no. The iparams are something that should be modified only by the app user during installation. A developer should not be able to modify it. The app code should only be able to read the iparam values.

stevemc · April 28, 2021, 6:23pm

Thanks. As a workaround I have the user get url from log at install time and paste into field in iparams. Since that’s a secure storage I feel this is a good way to maintain it.

Since I’m writing serverless app I use $request (same as client.request I assume) for the REST calls and yes, we store api key in iparams only.