Basic Auth not accepted in Webhook API URL


Fen

Oct 3, 2011, 3:56:40 PM
to MailChimp API Discuss
Hi -

I'm working on Mailchimp<>CiviCRM integration for Democracy Now! and
am not able to enter the webhook API endpoint URL for the list at
https://us2.admin.mailchimp.com/lists/tools/webhooks?id=468753

The webhook API URL is http://NAME:PASSWD@dnow-dev.... (with NAME and
PASSWD set properly, of course).

wget can access the site fine with this form of URL.

I'd rather not take this development site off of Basic Authentication
if possible. If the interface can't be changed to allow Basic Auth
enabled URLs, perhaps you can provide an IP address that I can open
for receiving webhook API calls?

Fen

Oct 3, 2011, 4:46:52 PM
to MailChimp API Discuss
I added the following two lines to the htaccess file and it seems to
be working:

Allow from 173.231.135.70
Allow from 173.231.135.71

...but as the IPs might change, I would rather have the basic auth
name/pass in the URL.

jesse

Oct 4, 2011, 7:51:46 AM
to MailChimp API Discuss
As you realize, backend server IP addresses will change without
notice. You are welcome to jury rig something to do reverse lookups,
etc. but we do not recommend doing any egress/ingress whitelisting.
The Webhooks page does include a section entitled "Securing Webhooks",
which is a start:

http://apidocs.mailchimp.com/webhooks/

Aside from what's listed there (which is plenty sufficient) you could
also consider using non-standard ports. That - especially using SSL -
is far more secure than using Basic Auth.


jesse

Fen

Oct 4, 2011, 9:32:22 AM
to MailChimp API Discuss
Hi Jesse -

Thanks for the reply. We use SSL on many of our production servers,
but our development servers - which contain cleaned data devoid of
e.g., client emails and passwords - simply use Basic Auth to protect
them during development. It is for the development server that I am
asking this question, as I don't want to test on the production server
for obvious reasons.

I have incorporated a secret key, but wonder why you don't accept
Basic Auth secured URLs as e.g. wget and curl both use them without
issue. This would not only help me, but could potentially help others
working on integration issues. Please consider updating your URL
format regex to allow a basic auth name:passwd, e.g. adding something
like this after 'Protocol://':

(?#Username:Password)(?:\w+:\w+@)?

By the way, I am working on CiviCRM <> Mailchimp integration which is
no small task and pushing the limits of what Democracy Now! - a non-
profit - can fund. In fact, Smart Groups integration - a very useful
feature - may have to be left out. Unfortunately, I have heard
nothing - not even an acknowledgment - back from the Mailchimp
Integration Fund for which I applied several weeks ago. One would
think that at least an acknowledgement could be expected. You can see
the current state of the work at http://drupal.org/sandbox/fen/1233314
- my initial code has a Drupal-specific front-end, but the guts are
all CiviCRM and once complete I'd like to pull the Drupal code out
enabling it to work with any CiviCRM installation, whether based on
Drupal, Joomla or Wordpress. I would think this would be of great
interest to Mailchimp - please pass this on to the appropriate
parties.

Thanks,
=Fen
f...@civicactions.com
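
An added example, not part of the thread and not MailChimp or CiviCRM code: one way a development site could keep Basic Auth everywhere except the webhook endpoint, which instead checks the secret key mentioned above. The path, the `key` parameter name and the secret value are assumptions made for illustration; NAME and PASSWD are the placeholders from the first post.

```python
import base64
import hmac
from typing import Mapping, Optional
from urllib.parse import parse_qs, urlsplit

# Assumptions for this example: the path, the "key" parameter name and the
# secret are constructed; NAME/PASSWD are the placeholders used in the post.
WEBHOOK_PATH = "/mailchimp/webhook"
WEBHOOK_SECRET = "constructed-sample-secret-7f3a"
BASIC_USER, BASIC_PASS = "NAME", "PASSWD"


def _same(a: str, b: str) -> bool:
    # Constant-time comparison, so response timing does not reveal how much matched.
    return hmac.compare_digest(a.encode(), b.encode())


def key_ok(query: str) -> bool:
    # Require exactly one key value; repeated parameters are rejected outright.
    values = parse_qs(query).get("key", [])
    return len(values) == 1 and _same(values[0], WEBHOOK_SECRET)


def basic_ok(authorization: Optional[str]) -> bool:
    # Parse "Basic <base64(user:pass)>" and compare both parts.
    scheme, _, blob = (authorization or "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return False
    user, sep, password = decoded.partition(":")
    return bool(sep) and (_same(user, BASIC_USER) & _same(password, BASIC_PASS))


def authorize(request_target: str, headers: Mapping[str, str]) -> bool:
    # Webhook path: secret key only (the sender cannot present Basic Auth).
    # Every other path on the development site: Basic Auth, as before.
    parts = urlsplit(request_target)
    if parts.path == WEBHOOK_PATH:
        return key_ok(parts.query)
    return basic_ok(headers.get("Authorization"))
```

The key travels in the URL, so it is written to access logs and is readable in transit on plain HTTP; serving the webhook endpoint over SSL, as suggested in the thread, closes the second gap.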