01.1 Authentication - Hash method (Older version only)

Owned by Ross Kennewell (Deactivated)
Last updated: Mar 27, 2017
2 min read

Authentication is based on a pre-shared api key which is used to generate a one time hash. The hash is then passed along with any of the Noojee API calls as a security token which proves you are authorised to access the Noojee API by the fact that you know the pre-shared api key.

Making a call to one of the Noojee API's is therefor a three step process.

1) Obtain a timestamp

2) Create a hash of the pre-shared API Key and the timestamp

3) submit one of the API methods passing in the calculated hash to prove you have authority to access the Noojee API within 10 seconds.

Obtaining a timestamp

The timestamp must be retrieved from the Noojee Api.

NOTE: The Time call returns plain/text not json.

A timestamp and Hash combination is initially valid for 10 seconds, for this reason the timestamp used must be in sync with the PBX.

Once a timestamp and Hash combination has been used by calling any of the API methods it will remain valid for 1 hour.

TODO: elaborate what this actually implies: Authentication is limited to no more than 5 concurrent authentication attempts.

To obtain a time stamp you need to POST the following request.

https://127.0.0.1:8080/servicemanager/rest/Time

which returns a long time stamp

1392356108888

You can do a simple test using curl:

 curl -i  -X POST http://127.0.0.1/servicemanager/rest/Time

Hash the key and timestamp

Next you must hash the API-Key and timestamp. To do this generate a concatenated string with the api key and timestamp separated by a colon (:) then use a sha256Hex operation to generate the hash which is passed as a security token.

hash = sha256Hex(apiKey+":"+timeStamp);

Using the the timestamp and hashing the api key ensures that the API-Key is never exposed.

Submiting a method

Now that you have the security token you can pass it to one of the recording api methods.

an example call to stop recording would look like this

https://127.0.0.1:8080/servicemanager/rest/CallManagementAPI/stop?extenOrUniqueId=410&timeStamp=1392356108888&hash=595a4f537c3af3a2e34333db9aef07e1a596504a01191cb0a5e3960a65f6a4e

It should further be noted that the API will only accept POST requests.

Each method call must include the Timestamp and the hash. Each hour the timestamp and hash must be refreshed to avoid auth failures.