English (US)

Uploading attachments securely to a ticket

Tuomas Savonius

I am struggling to find a way how I could upload attachments to a ticket securely with my app.

I can't upload an attachment with ZAFClient.Request() because it does not support the header Content-Type to be set as "application/binary", and therefore corrupts the uploads.

So, my only option is to use for example the javascript function fetch to call Zendesk api where I can set the required headers. But because this is not the ZAF client, I need to add a header for authorization.

There is no function to get an authorization header from the ZAFClient, and using Secure settings will not work because the code block where I need to set the authorization header is not in a ZAFClient.Request().

My only option is to set the authorization header as plain text in the code itself. This is extremely bad and makes me nervous. Is there something obvious that I am missing, or is this really the only way to make this work?

Here is my current working (but insecure) way of doing this:

                const response = await fetch("https://DOMAIN.zendesk.com/api/v2/uploads.json?filename=" +
                    this.file.name + "." + this.file.fileExtension,
                    {
                        method: "POST",
                        headers: {
                            "Content-Type": "application/binary",
                            "Authorization": "Basic TOKENHERE"
                        },
                        body: this.file.url
                    });
                const attachmentResult = await response.json();
                ticket.ticket.comment.uploads = [attachmentResult.upload.token];

 

5 Comments

  • Tuomas Savonius

    Any comments on this issue?

    0
  • Tipene Hughes
    Zendesk Developer Advocacy

    Hi Tuomas,

    Thanks for reaching out and sorry for the delay in someone getting back to you!

    As it currently stands, the best way to ensure security when using the Attachments API together with a ZAF app would be by using a piece of backend middleware to process the request. This way, your credentials won’t be exposed on the client side. 

    I know this is not an optimal solution and I’m working with our product team to see if we can look in to making changes to the ZAF request method to allow for securely uploading ticket attachments directly from the browser.

    I’ll reply back here once I have any more information that I can share with you.

    Thanks!

    Tipene

    0
  • Tuomas Savonius

    Thank you. Yeah, the middleware doesn't fix a lot, yes, the zendesk token would be safe but the connection to the middleware should optimally be secured too, and there we get the next set of issues.

    Please keep me updated, I have found many similar community posts from the past that have struggled with this same issue.

    0
  • Tuomas Savonius

    Do you have any updates on this? This is a high concern item for us currently

    1
  • Boris Berenberg

    FYI this also impacts me and is blocking a new app I am working on. Customers don't want data to leave the browser and go to our systems, so we really want to upload a file using the ZAF API. 

    0

Please sign in to leave a comment.

Didn't find what you were looking for?

New post
Powered by Zendesk