
Facility to securely submit users passwords to us in ticket system like in whmcs support


rahulkg


WHMCS support offers a secure password/user/URL submission on their ticketing system when you are reporting issues. We need to offer it to our users too, and to stop asking them for user/pass in plain text over the ticketing system. Will WHMCS consider developing this module in the near future, or can we develop it from our side? Please give us further details and suggestions for this work to be done.


5 hours ago, rahulkg said:

WHMCS support offers a secure password/user/URL submission on their ticketing system when you are reporting issues, we need to offer it to our users too and to stop asking them for user/pass in plain text over the ticketing system.

looking at the code in the browser, they're Support Ticket Custom Fields (albeit presented in a nice way!)...

https://docs.whmcs.com/Custom_Fields#Support_Custom_Fields

if you need these values encrypting in the database, then there are addons in the Marketplace that can do that...

the "Secure Credentials" addon's output looks very close to WHMCS own solution, so that might be a good choice - perhaps contact the developer and see if there is a trial version available.

 


  • 2 years later...
On 1/11/2019 at 2:32 AM, brian! said:

looking at the code in the browser, they're Support Ticket Custom Fields (albeit presented in a nice way!)...

https://docs.whmcs.com/Custom_Fields#Support_Custom_Fields

if you need these values encrypting in the database, then there are addons in the Marketplace that can do that...

the "Secure Credentials" addon's output looks very close to WHMCS own solution, so that might be a good choice - perhaps contact the developer and see if there is a trial version available.

 

 

I use the custom field in the support ticket option, and make it a password field. This means it is not visible once submitted. It's fine, but if you want to send secure info to the client, they can't "unlock" the password field as the custom field is ******* in the support area.

It would be nice to have a secure field that could be viewed by entering the password again or something.

 


14 hours ago, sol2010 said:

I use the custom field in the support ticket option, and make it a password field. This means it is not visible once submitted. It's fine, but if you want to send secure info to the client, they can't "unlock" the password field as the custom field is ******* in the support area

if you're using v8 or later, then those fields will now be encrypted... in earlier versions, they would have been stored just as plain text.

you could show the actual values if you wanted to, but they would have to be decrypted first.


4 hours ago, brian! said:

you could show the actual values if you wanted to, but they would have to be decrypted first.

Oh Brian, you know what the next question is don't you ? 🤣

So how do we decrypt it in the customer side, perhaps requiring a password to be able to view?


20 hours ago, sol2010 said:

It would be nice to have a secure field that could be viewed by entering the password again or something.

I'm sure I've misunderstood, but entering it again to retrieve it? If you have it, no need to enter...
Perhaps you mean the admin password?


@bear

If I send a message to customer and enter something in password field , when they login to the ticket, they can't see it? So how can we decrypt it at the front end?

In the admin, I think it is always visible / once logged in 

Edited by sol2010

On 23/03/2021 at 18:31, sol2010 said:

So how do we decrypt it in the customer side

the clue was in the word "decrypt"! 🙂

https://developers.whmcs.com/api-reference/decryptpassword/

the real pain is not the decrypting the password part (that's a handful of lines at most), it's the sidebar...

[image: hfZhiMJ.png]

there's no neat simple way to modify the values... there's a long-winded way, but i'm not sure if it wouldn't just be easier(though still a pain) to recreate the whole thing from scratch and format the output as required.


  • 1 year later...
On 3/26/2021 at 6:01 AM, brian! said:

the clue was in the word "decrypt"! 🙂

https://developers.whmcs.com/api-reference/decryptpassword/

the real pain is not the decrypting the password part (that's a handful of lines at most), it's the sidebar...

 

Could you provide some help on where I need to add the decrypt password code?

I can see there is a "decryptpassword" file in the includes/api folder - but I'm not sure that is relevant....

If I create a ticket as client name "smith" and add a password in there - then log out and then in again as "smith" - I can see the password field I created, but I cannot decrypt it or see how to reveal what was written.....

So how to decrypt?

 

 

 

 

 


  • 3 weeks later...
  • 4 weeks later...
  • 3 weeks later...
11 hours ago, sol2010 said:

Do you have any suggestion on how I can do the decrypt?

None at all, I'm afraid. 

Quote

I can't believe there is no simple way for customers to submit encrypted data to us and for us to be able to see it easily.

I believe it. The product has moved away from what the user wants and towards what WHMCS feels is important. User feedback is ignored, as it's sent to the idea graveyard "feature request", where it sits for literally years with no action, even with hundreds of votes. Meaningless. 


13 hours ago, leemahoney3 said:

Is this not possible now using the Password custom field? Or do you mean you wish for the custom field to be decrypted on the clients side as well as the admin side?

No, it's not currently possible - unless I'm mistaken. I have set up a custom field in the support ticket department and the custom field type is "password". When I log in as test user, I cannot see the info I am typing. Nor after submission.

On both sides - we need to have theso that the user (who is logged in to their account) can check what they sent - and the admin can view the secure info....

this is what we need - how can we add it using a hook ?

 

[image: oFLRd.png]

 

 

this is what I have 

 

 

[images: showpassword-SubmitTicket, showpassword-myaccount]

Edited by sol2010

OK so we can do this with a hook....  but how do I incorporate the code to decryptpassword ?

 

use WHMCS\View\Menu\Item as MenuItem;

add_hook('ClientAreaSecondarySidebar', 1, function(MenuItem $secondarySidebar)
{
    // Rename the "Custom Fields" sidebar panel when it exists on this page
    if (!is_null($secondarySidebar->getChild('Custom Fields'))) {
        $secondarySidebar->getChild('Custom Fields')
            ->setLabel('User Information');
    }
});

 

How to incorporate this?  

 

if ($customfield->type === 'password')
     decryptpassword($customfield->customFieldValues->value);

 

 

Also wanting to link this topic here - might be worth just re-doing the entire thing

 

 

Edited by sol2010
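
One way the decrypt step asked about above can be wired into a hook, as an added example that is not code from this thread or from leemahoney3's repository: it decrypts password-type ticket custom fields through the DecryptPassword API only for the client who owns the ticket. Assumptions: the `tid`/`c` request parameters, `$_SESSION['uid']`, the `tbltickets`/`tblcustomfields`/`tblcustomfieldsvalues` column names, and the hypothetical template variable `decryptedTicketFields`, which the ticket template still has to render (kept hidden until the client clicks a reveal control).

```php
<?php
// Added example for includes/hooks/; names marked "assumption" are not from the thread.
use WHMCS\Database\Capsule;

add_hook('ClientAreaPageViewTicket', 1, function ($vars) {
    // Assumption: logged-in client id in $_SESSION['uid'], ticket addressed
    // by the tid (ticket number) and c (access key) request parameters.
    $clientId = isset($_SESSION['uid']) ? (int) $_SESSION['uid'] : 0;
    $tid = isset($_GET['tid']) ? (string) $_GET['tid'] : '';
    $key = isset($_GET['c']) ? (string) $_GET['c'] : '';
    if ($clientId === 0 || $tid === '' || $key === '') {
        return [];
    }

    // Decrypt only for the client who owns this ticket.
    $ticket = Capsule::table('tbltickets')
        ->where('tid', $tid)
        ->where('c', $key)
        ->where('userid', $clientId)
        ->first();
    if ($ticket === null) {
        return [];
    }

    // Password-type support custom fields of the ticket's department,
    // joined to the values stored for this ticket (assumed schema).
    $rows = Capsule::table('tblcustomfields as f')
        ->join('tblcustomfieldsvalues as v', 'v.fieldid', '=', 'f.id')
        ->where('f.type', 'support')
        ->where('f.relid', $ticket->did)
        ->where('f.fieldtype', 'password')
        ->where('v.relid', $ticket->id)
        ->get(['f.fieldname', 'v.value']);

    $fields = [];
    foreach ($rows as $row) {
        if ($row->value === '') {
            continue; // nothing was submitted for this field
        }
        $result = localAPI('DecryptPassword', ['password2' => $row->value]);
        if (isset($result['result']) && $result['result'] === 'success') {
            $fields[$row->fieldname] = $result['password'];
        }
    }

    // Hypothetical template variable; escape it when rendering.
    return ['decryptedTicketFields' => $fields];
});
```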

1 hour ago, leemahoney3 said:

These forums are becoming a joke, I can't even post code snippets anymore without getting 403's.

Please see my solution for this here: https://pastebin.com/0Tf26CKN

Just to note, I've posted a cleaned up version on my GitHub at https://github.com/leemahoney3/whmcs-decrypt-custom-fields-in-tickets

Has the ability to exclude certain custom fields by their name if needed.


3 hours ago, leemahoney3 said:

Just to note, I've posted a cleaned up version on my GitHub at https://github.com/leemahoney3/whmcs-decrypt-custom-fields-in-tickets

Has the ability to exclude certain custom fields by their name if needed.

Amazing! That looks fantastic.  Thanks for helping.  I will test it and come back to you.  

 

Meanwhile, can you share a screenshot of what this will look like from the client side?

Rather than showing anything by default, we need to check that

a) they are logged in and

b) show a reveal "eye" icon (best practice, rather than showing it by default)

like this: [image: oFLRd.png]

 

 

 

Edited by sol2010

On 8/19/2022 at 8:05 AM, leemahoney3 said:

Only those with access to the ticket should be able to see it.

For the field to be hidden, you can modify the JavaScript to achieve this.

Thank you

I was successfully able to implement this and it works great.

One question that you may be able to assist with.  Is it possible to provide logged in client the ability to delete the password from the custom field?

 

 

