API Feature request: method to auto-login a user

FlorisB

New Pleskian
I believe I made this suggestion before a couple years ago in the development forum, but since there was no response, I will do another attempt here.

It would be nice if it was possible for us to have a link in the clientarea of our billing application that points to the Plesk panel, and when clicked would allow the user to access Plesk directly without having to login a second time.
I am aware this is possible by creating a database with all user passwords and redirecting to: /login_up.php3?login_name=somecustomer&passwd=password
But that no longer works if the user changes his Plesk password, and keeping databases with passwords is not preferred from a security point of view anyway.


I propose creating a new API method instead that generates a single-use URL that can be used to login as the user once, and looks like this:


Request:

Code:
<packet version="1.5.0.0">
<session>
   <create>
      <login>somecustomer</login>
   </create>
</session>
</packet>

Response:

Code:
<packet version="1.5.0.0">
  <session>
    <create>
      <result>
        <status>ok</status>
        <session>
         <autologinurl>https://plesk-server:8443/login.php3?token=gdsdfsdjh43543654sdfdfg</autologinurl>
        </session>
      </result>
    </create>
  </session>
</packet>

When the user is redirected to https://plesk-server:8443/login.php3?token=gdsdfsdjh43543654sdfdfg Plesk should set a session cookie that logs the user in as "somecustomer"
 
Such an ability is already present, but not documented.

The first step is to perform an API-RPC call:

Code:
<packet>
  <server>
    <create_session>
      <login>admin</login>
      <data>
        <user_ip>MTAuNTAuMS43MQ==</user_ip>
        <source_server></source_server>
      </data>
    </create_session>
  </server>
</packet>

A session token will be created for the user identified by login (admin in the example). The user_ip parameter is the user's IP address, encoded using the base64 algorithm.

The response may look like the following:

Code:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.3.3">
  <server>
    <create_session>
      <result>
        <status>ok</status>
        <id>ede520d0fc93ae7aa0524076d631fba2</id>
      </result>
    </create_session>
 </server>
</packet>

The value of the id tag will contain the session token (ede520d0fc93ae7aa0524076d631fba2 in the example).

Now the script can redirect the user's browser to rsession_init.php and the user will be logged in to the control panel. Here is an example URL for the Linux version of the product:

https://<server-host-or-ip>:8443/enterprise/rsession_init.php?PHPSESSID=ede520d0fc93ae7aa0524076d631fba2&success_redirect_url=<success_redirect_url>

Or the same, but for the Windows version:

https://<server-host-or-ip>:8443/enterprise/rsession_init.php?PLESKSESSID=1ba78fc5e27a2af9302717dbe1febb24

Here is the list of options:

  • PHPSESSID (Linux only) - session token.
  • PLESKSESSID (Windows only) - session token.
  • success_redirect_url (optional) - URL where the browser will be redirected after a successful login procedure.
  • failure_redirect_url (optional) - URL where the browser will be redirected after a failed login attempt. This parameter will also be used as the logout URL.
  • no_frames (optional, deprecated) - show admin panel without frames
  • locale_id (optional) - locale name (e.g. de-DE)
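
The two steps described in the post above (the create_session call, then the redirect to rsession_init.php), as an added Python example that is not part of the original thread or Plesk's own code. Function names and host names are hypothetical, the sample responses are constructed from the ones shown in this thread, and the 32-hex-character token check is an assumption based on the two tokens in the URLs above.

```python
import base64
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample responses, modelled on the two shown in this thread.
SAMPLE_OK = """<?xml version="1.0" encoding="UTF-8"?><packet version="1.6.3.3"><server>
<create_session><result><status>ok</status><id>ede520d0fc93ae7aa0524076d631fba2</id>
</result></create_session></server></packet>"""
SAMPLE_DENIED = """<packet version="1.6.5.0"><server><create_session><result>
<status>error</status><errcode>1006</errcode><errtext>Permission denied.</errtext>
</result></create_session></server></packet>"""

class PleskSessionError(Exception):
    def __init__(self, code, text):
        super().__init__(f"create_session failed ({code}): {text}")
        self.code = int(code)

def build_create_session(login, user_ip):
    """Build the request packet; ElementTree escapes the login value."""
    ip = str(ipaddress.ip_address(user_ip))  # raises ValueError if not an IP
    packet = ET.Element("packet")
    call = ET.SubElement(ET.SubElement(packet, "server"), "create_session")
    ET.SubElement(call, "login").text = login
    data = ET.SubElement(call, "data")
    ET.SubElement(data, "user_ip").text = base64.b64encode(ip.encode()).decode()
    ET.SubElement(data, "source_server")
    return ET.tostring(packet, encoding="unicode")

def parse_session_id(response_xml):
    """Return the session token, or raise with the API's errcode and errtext."""
    result = ET.fromstring(response_xml.encode()).find("./server/create_session/result")
    if result is None:
        raise PleskSessionError(0, "no create_session result in response")
    if result.findtext("status") != "ok":
        raise PleskSessionError(result.findtext("errcode", "0"), result.findtext("errtext", ""))
    token = result.findtext("id", "")
    if not re.fullmatch(r"[0-9a-f]{32}", token):  # assumption: 32 hex chars, as above
        raise PleskSessionError(0, "unexpected session id format")
    return token

def login_url(host, token, windows=False, **redirects):
    """Build the rsession_init.php URL; redirect URLs are percent-encoded."""
    params = {"PLESKSESSID" if windows else "PHPSESSID": token}
    for name in ("success_redirect_url", "failure_redirect_url"):
        if redirects.get(name):
            params[name] = redirects[name]
    return f"https://{host}:8443/enterprise/rsession_init.php?{urlencode(params)}"
```

The packet from build_create_session is what gets posted to the API with admin authentication; the transport itself is left out so the example runs offline.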
 
Such an ability is already present, but not documented.

great, thanks!!!

EDIT: the problem described following this paragraph has been fixed.
Apparently a reseller does not have sufficient privileges to create tokens for their customers and you have to call these items with admin privileges.

however, i keep getting stuck with a permission denied (1006) error.

the user has an account, the password is correct, i can login through the panel, but i can't get a token.


Code:
Mar 12 18:57:29 ::: DEBUG ::: trying to auth user peetersbjorn with encoded ip of MmEwMjphMDNmOjJjNDU6OTgwMDplNDUzOjZkZTc6ZmQxMTozOGEx
Mar 12 18:57:29 ::: DEBUG :::  <packet>
  <server>
    <create_session>
      <login>peetersbjorn</login>
      <data>
        <user_ip>MmEwMjphMDNmOjJjNDU6OTgwMDplNDUzOjZkZTc6ZmQxMTozOGEx</user_ip>
        <source_server></source_server>
      </data>
    </create_session>
  </server>
</packet>
Mar 12 18:57:29 ::: DEBUG ::: <?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.5.0">
  <server>
    <create_session>
      <result>
        <status>error</status>
        <errcode>1006</errcode>
        <errtext>Permission denied.</errtext>
      </result>
    </create_session>
  </server>
</packet>


any ideas?
 
The proper way is to create a secret key for admin and use it for API-RPC requests (instead of a plain password). The create_session method is allowed only for admin. Moreover, it doesn't look like a good idea to use user credentials for the create_session call, because you need to know not only admin credentials (or token), but also the password for every user (or generate a token for every user).
 
Moreover it doesn't look like a good idea to use user credentials for create_session call, because you need to know not only admin credentials (or token), but password for every user (or generate token for every user).

i have them logging into their account on my panel, which uses the same username as the control panel.
(and of course has several checks in place to make sure there's no foul play)
then i use the admin token to log in the identified user into plesk.

only sad part is that there seems to be no way to have reseller tokens to create new packages, which means i still have to send the reseller login credentials when adding new subscribers
 
Hi,

The ability to use create_session does NOT work in Plesk 12.0.18 with resellers; the API page shows the option only for admin, not reseller: http://download1.parallels.com/Plesk/Doc/es-ES/online/plesk-api-rpc/

I tried to create a session in Plesk 12.0.18 as a reseller, but this error is shown:

SimpleXMLElement Object ( [@attributes] => Array (
[version] => 1.6.6.0 )
[server] => SimpleXMLElement Object (
[create_session] => SimpleXMLElement Object (
[result] => SimpleXMLElement Object (
[status] => error
[errcode] => 1006
[errtext] => Permission denied

But if I put in the admin credentials, the API works.


Please help.....

Thanks in advance.
 