Uploading attachments securely to a ticket



Posted Dec 08, 2022

I am struggling to find a way to upload attachments to a ticket securely with my app.

I can't upload an attachment with ZAFClient.Request() because it does not support the header Content-Type to be set as "application/binary", and therefore corrupts the uploads.

So, my only option is to use, for example, the JavaScript function fetch to call the Zendesk API, where I can set the required headers. But because this is not the ZAF client, I need to add a header for authorization.

There is no function to get an authorization header from the ZAFClient, and using Secure settings will not work because the code block where I need to set the authorization header is not in a ZAFClient.Request().

My only option is to set the authorization header as plain text in the code itself. This is extremely bad and makes me nervous. Is there something obvious that I am missing, or is this really the only way to make this work?

Here is my current working (but insecure) way of doing this:

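    // Insecure: the Basic credential is embedded in client-side code.
    const response = await fetch(
        "https://DOMAIN.zendesk.com/api/v2/uploads.json?filename=" +
            // Encode the filename so spaces, "&" or "#" cannot break the query string.
            encodeURIComponent(this.file.name + "." + this.file.fileExtension),
        {
            method: "POST",
            headers: {
                "Content-Type": "application/binary",
                "Authorization": "Basic TOKENHERE"
            },
            body: this.file.url
        });
    const attachmentResult = await response.json();
    // Attach the returned upload token to the ticket comment.
    ticket.ticket.comment.uploads = [attachmentResult.upload.token];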

 


2


8 comments

Any comments on this issue?

0



Tipene Hughes

Zendesk Developer Advocacy

Hi Tuomas,

Thanks for reaching out and sorry for the delay in someone getting back to you!

As it currently stands, the best way to ensure security when using the Attachments API together with a ZAF app would be by using a piece of backend middleware to process the request. This way, your credentials won’t be exposed on the client side. 

I know this is not an optimal solution and I’m working with our product team to see if we can look into making changes to the ZAF request method to allow for securely uploading ticket attachments directly from the browser.

I’ll reply back here once I have any more information that I can share with you.

Thanks!

Tipene

0
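
The backend middleware suggested in the reply above, as an added example (not code from Zendesk or from anyone in this thread): a Node.js relay handler that takes the file bytes from the app and adds the Authorization header server-side, so the browser only ever sees the upload token. The environment variable names, the handler's request shape and the filename policy are assumptions.

```javascript
// Added example: server-side upload relay. Runs on the backend, never in the app iframe.
// Assumed names (not from the thread): ZENDESK_SUBDOMAIN, ZENDESK_EMAIL,
// ZENDESK_API_TOKEN, and the { query, body } request shape passed to handleUpload.

function buildZendeskUpload(env, filename, bytes) {
  // Zendesk API-token auth is base64("email/token:api_token"); the secret is read
  // from the server environment and is never shipped to the client.
  const basic = Buffer.from(`${env.ZENDESK_EMAIL}/token:${env.ZENDESK_API_TOKEN}`).toString("base64");
  const url = `https://${env.ZENDESK_SUBDOMAIN}.zendesk.com/api/v2/uploads.json` +
              `?filename=${encodeURIComponent(filename)}`;
  return {
    url,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/binary", Authorization: `Basic ${basic}` },
      body: bytes,
    },
  };
}

async function handleUpload(req, env, fetchImpl = fetch) {
  // Assumed policy: plain file names only, so no path separators or control characters.
  const name = String(req.query.filename || "");
  if (!/^[\w.\- ]{1,255}$/.test(name)) return { status: 400, body: { error: "bad filename" } };

  const { url, init } = buildZendeskUpload(env, name, req.body);
  const res = await fetchImpl(url, init);
  // Do not echo upstream error bodies or headers back to the browser.
  if (!res.ok) return { status: 502, body: { error: "upload failed" } };

  const json = await res.json();
  // Only the upload token goes back; the app puts it in ticket.comment.uploads.
  return { status: 201, body: { token: json.upload.token } };
}

// Constructed demo: stubbed fetch and made-up credentials, so this runs offline.
const demoEnv = { ZENDESK_SUBDOMAIN: "example", ZENDESK_EMAIL: "agent@example.com",
                  ZENDESK_API_TOKEN: "constructed-api-token" };
const demoFetch = async () => ({ ok: true, json: async () => ({ upload: { token: "upl_demo" } }) });
handleUpload({ query: { filename: "report.pdf" }, body: Buffer.from("%PDF-") }, demoEnv, demoFetch)
  .then((r) => console.log(r)); // { status: 201, body: { token: 'upl_demo' } }
```

Authenticating the app's own call to this relay is a separate control and is not covered by this handler.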


Thank you. Yeah, the middleware doesn't fix a lot. Yes, the Zendesk token would be safe, but the connection to the middleware should optimally be secured too, and there we get the next set of issues.

Please keep me updated, I have found many similar community posts from the past that have struggled with this same issue.

0


Do you have any updates on this? This is a high concern item for us currently.

1


FYI this also impacts me and is blocking a new app I am working on. Customers don't want data to leave the browser and go to our systems, so we really want to upload a file using the ZAF API. 

0


No updates? I think this is a massive flaw with the ZAF client / secure string implementation.

0


Any updates? Why is this blocked in ZAFClient?

0



Greg Katechis

Zendesk Developer Advocacy

Hi Tuomas,

 

I looked into this and it has been something that the dev team has explored in the past; however, it is not something that they are prioritizing at this time. While I'm not able to speak to their reasoning for that myself, you can create a formal feedback request here and they may be able to respond to it with more clarity for you there.

0

