Jump to content

Facility to securely submit users passwords to us in ticket system like in whmcs support


rahulkg

Recommended Posts

WHMCS support offers a secure password/user/URL submission on their ticketing system when you are reporting issues, we need to  offer it to our users too and to stop asking them for user/pass in plain text over the ticketing system. So if whmcs consider to develop this module in near future or can we develop from our side ? Please give us further details and suggestions for this work to be done.

Link to comment
Share on other sites

5 hours ago, rahulkg said:

WHMCS support offers a secure password/user/URL submission on their ticketing system when you are reporting issues, we need to  offer it to our users too and to stop asking them for user/pass in plain text over the ticketing system.

looking at the code in the browser, they're Support Ticket Custom Fields (albeit presented in a nice way!)...

https://docs.whmcs.com/Custom_Fields#Support_Custom_Fields

if you need these values encrypting in the database, then there are addons in the Marketplace that can do that...

the "Secure Credentials" addon's output looks very close to WHMCS own solution, so that might be a good choice - perhaps contact the developer and see if there is a trial version available.

 

Link to comment
Share on other sites

  • 2 years later...
On 1/11/2019 at 2:32 AM, brian! said:

looking at the code in the browser, they're Support Ticket Custom Fields (albeit presented in a nice way!)...

https://docs.whmcs.com/Custom_Fields#Support_Custom_Fields

if you need these values encrypting in the database, then there are addons in the Marketplace that can do that...

the "Secure Credentials" addon's output looks very close to WHMCS own solution, so that might be a good choice - perhaps contact the developer and see if there is a trial version available.

 

 

I use the custom field in the support ticket option, and make it a password field.  This means it is not visible once submitted.  It's fine, but if you want to send secure info to the client, they can't "unlock" the password field as the custom field is *******  in the support area

It would be nice to have a secure field that could be viewed by entering the password again or something.

 

Link to comment
Share on other sites

14 hours ago, sol2010 said:

I use the custom field in the support ticket option, and make it a password field.  This means it is not visible once submitted.  It's fine, but if you want to send secure info to the client, they can't "unlock" the password field as the custom field is *******  in the support area

if you're using v8 or later, then those fields will now be encrypted... in earlier versions, they would have been stored just as plain text.

you could show the actual values if you wanted to, but they would have to be decrypted first.

Link to comment
Share on other sites

4 hours ago, brian! said:

Yu could show the actual values if you wanted to, but they would have to be decrypted first.

Oh Brian, you know what the next question is don't you ? 🤣

So how do we decrypt it in the customer side, perhaps requiring a password to be able to view?

Link to comment
Share on other sites

20 hours ago, sol2010 said:

It would be nice to have a secure field that could be viewed by entering the password again or something.

I'm sure I've misunderstood, but entering it again to retrieve it? If you have it, no need to enter...
Perhaps you mean the admin password?

Link to comment
Share on other sites

@bear

If I send a message to customer and enter something in password field , when they login to the ticket, they can't see it? So how can we decrypt it at the front end?

In the admin, I think it is always visible / once logged in 

Edited by sol2010
Link to comment
Share on other sites

On 23/03/2021 at 18:31, sol2010 said:

So how do we decrypt it in the customer side

the clue was in the word "decrypt"! 🙂

https://developers.whmcs.com/api-reference/decryptpassword/

the real pain is not the decrypting the password part (that's a handful of lines at most), it's the sidebar...

hfZhiMJ.png

there's no neat simple way to modify the values... there's a long-winded way, but i'm not sure if it wouldn't just be easier(though still a pain) to recreate the whole thing from scratch and format the output as required.

Link to comment
Share on other sites

  • 1 year later...
On 3/26/2021 at 6:01 AM, brian! said:

the clue was in the word "decrypt"! 🙂

https://developers.whmcs.com/api-reference/decryptpassword/

the real pain is not the decrypting the password part (that's a handful of lines at most), it's the sidebar...

 

Could you provide some help on where I need to add the decrypt password code ?

I can see there is a "decryptpassword" file in the includes/api folder - but I'm not sure that is relevent....

If I create a ticket as client name "smith" and add a password in there - then logout and then  in again  as "smith" - I can see the password field I created, but I cannot decrypt it or see how to reveal what was written.....

So how to decrypt ?

 

 

 

 

 

Link to comment
Share on other sites

  • 3 weeks later...
  • 4 weeks later...
  • 3 weeks later...
11 hours ago, sol2010 said:

Do you have any suggestion on how I can  do the decrypt? 

None at all, I'm afraid. 

Quote

I can't believe there is no simple way for customers to submit encrypted data to us and for us to be able to see it easily.

I believe it. The product has moved away from what the user wants and towards what WHMCS feels is important. User feedback is ignored, as it's sent to the idea graveyard "feature request", where it sits for literally years with no action, even with hundreds of votes. Meaningless. 

Link to comment
Share on other sites

13 hours ago, leemahoney3 said:

Is this not possible now using the Password custom field? Or do you mean you wish for the custom field to be decrypted on the clients side as well as the admin side?

No it's not currently possible - unless I'm mistaken.  I have set up a custom field in the support ticket department and the custom field type is "password".  When I log in as test user, I can not see the info I am typing.  Nor after submission.

On both sides - we need to have theso that the user (who is logged in to their account) can check what they sent - and the admin can view the secure info....

this is what we need - how can we add it using a hook ?

 

oFLRd.png

 

 

this is what I have 

 

 

639768799_showpassword-SubmitTicket.thumb.png.eb945e802e926657d695800577dbbb85.png909464567_showpassword-myaccount.png.9dd1f2cb26509c719556efaf68647863.png

Edited by sol2010
Link to comment
Share on other sites

OK so we can do this with a hook....  but how do I incorporate the code to decryptpassword ?

 

use WHMCS\View\Menu\Item as MenuItem;

add_hook('ClientAreaSecondarySidebar', 1, function(MenuItem $secondarySidebar)
{
     if (!is_null($secondarySidebar->getChild('Custom Fields'))) {
        $secondarySidebar->getChild("Custom Fields")
        ->setLabel("User Information");
});

 

How to incorporate this?  

 

if ($customfield->type === 'password')
     decryptpassword($customfield->customFieldValues->value);

 

 

Also wanting to link this topic here - might be worth just re-doing the entire thing

 

 

Edited by sol2010
Link to comment
Share on other sites

1 hour ago, leemahoney3 said:

These forums are becoming a joke, I can't even post code snippets anymore without getting 403's.

Please see my solution for this here: https://pastebin.com/0Tf26CKN

Just to note, I've posted a cleaned up version on my GitHub at https://github.com/leemahoney3/whmcs-decrypt-custom-fields-in-tickets

Has the ability to exclude certain custom fields by their name if needed.

Link to comment
Share on other sites

3 hours ago, leemahoney3 said:

Just to note, I've posted a cleaned up version on my GitHub at https://github.com/leemahoney3/whmcs-decrypt-custom-fields-in-tickets

Has the ability to exclude certain custom fields by their name if needed.

Amazing! That looks fantastic.  Thanks for helping.  I will test it and come back to you.  

 

Meanwhile, can you share a screenshot of what this will look like from the client side?

Rather than showing anything by default, we need to check that

a) they are logged in and

b) show a reveal "eye" icon (best practice, rather than showing it by default)

like this: oFLRd.png

 

 

 

Edited by sol2010
Link to comment
Share on other sites

On 8/19/2022 at 8:05 AM, leemahoney3 said:

Only those with access to the ticket should be able to see it.

For the field to be hidden, you can modify the JavaScript to achieve this.

Thank you

I was successfully able to implement this and it works great.

One question that you may be able to assist with.  Is it possible to provide logged in client the ability to delete the password from the custom field?

 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use & Guidelines and understand your posts will initially be pre-moderated