1.0 Authentication
Deprecated: The recording API has been replaced by the new Noojee API.
The recording API will no longer be supported after the release of 4.0.
Authentication is based on a pre-shared API key which is used to generate a one-time hash. The hash is then passed along with any of the recording API calls as a security token, which proves you are authorised to access recordings because you know the pre-shared API key.
Making a call to one of the recording APIs is therefore a three-step process.
1) Obtain a timestamp
2) Create a hash of the pre-shared API Key and the timestamp
3) Submit one of the API methods, passing in the calculated hash to prove you have authority to access the recordings.
Obtaining a timestamp
A timestamp is only valid for 10 seconds and the timestamp used must be in sync with the PBX. For this reason the timestamp must be retrieved from the RecordingApi.
TODO: elaborate what this actually implies: Authentication is limited to no more than 5 concurrent authentication attempts.
To obtain a timestamp you need to POST the following request:
https://127.0.0.1:8080/servicemanager/rest/Time
which returns a long timestamp:
1392356108888
Hash the key and timestamp
Next you must hash the API key and timestamp. To create the hash, generate a concatenated string of the API key and timestamp separated by a colon (:), then use a sha256Hex operation to generate the hash, which is passed as a security token.
hash = sha256Hex(apiKey+":"+timeStamp);
Using the timestamp and hashing the API key ensures that the API key is never exposed. The timestamp is used to prohibit replay attacks.
Submitting a method
Now that you have the security token you can pass it to one of the recording API methods.
An example call to stop recording would look like this:
https://127.0.0.1:8080/servicemanager/rest/RecordingAPI/stop?extenOrUniqueId=410&timeStamp=1392356108888&hash=595a4f537c3af3a2e34333db9aef07e1a596504a01191cb0a5e3960a65f6a4e
It should further be noted that the API will only accept POST requests.
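The three steps above as a Python client, added here as an example and not taken from the Noojee code base. It assumes the timestamp is in milliseconds and that /Time returns the bare number as its body; token_is_valid is a hypothetical model of the server-side check, and the API key is a constructed value.

```python
import hashlib
import hmac
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Host and paths are the ones shown in the page's example URLs.
BASE = "https://127.0.0.1:8080/servicemanager/rest"
# Page: a timestamp is valid for 10 seconds. Milliseconds is an assumption.
VALIDITY_MS = 10_000


def fetch_timestamp(open_url=urlopen) -> int:
    """Step 1: POST to /Time. Assumes the body is the bare number."""
    with open_url(Request(f"{BASE}/Time", data=b"", method="POST")) as resp:
        return int(resp.read().decode("ascii").strip())


def make_token(api_key: str, timestamp: int) -> str:
    """Step 2: sha256Hex(apiKey + ":" + timeStamp), lowercase hex."""
    return hashlib.sha256(f"{api_key}:{timestamp}".encode("utf-8")).hexdigest()


def build_stop_request(api_key: str, timestamp: int, exten_or_unique_id: str) -> Request:
    """Step 3: the stop call from the page, sent as POST."""
    query = urlencode({
        "extenOrUniqueId": exten_or_unique_id,
        "timeStamp": timestamp,
        "hash": make_token(api_key, timestamp),
    })
    return Request(f"{BASE}/RecordingAPI/stop?{query}", data=b"", method="POST")


def token_is_valid(api_key: str, timestamp: int, presented: str, now_ms: int) -> bool:
    """Assumed server-side check: fresh timestamp and matching hash."""
    fresh = 0 <= now_ms - timestamp <= VALIDITY_MS
    expected = make_token(api_key, timestamp)
    # Constant-time comparison avoids leaking how many characters matched.
    matches = hmac.compare_digest(expected.encode(), presented.encode())
    return fresh and matches


if __name__ == "__main__":
    key, ts = "constructed-demo-key", 1392356108888  # key is constructed
    req = build_stop_request(key, ts, "410")
    print(req.get_method(), req.full_url)
    print("at +5s :", token_is_valid(key, ts, make_token(key, ts), ts + 5_000))
    print("at +11s:", token_is_valid(key, ts, make_token(key, ts), ts + 11_000))
```

The token covers only the key and the timestamp, not the method or its parameters, so the request itself is protected only by the HTTPS transport.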