Authorize each request to our integration API from a basic action window

We are developing an integration app for the Pipedrive marketplace. We have done the OAuth authentication and have the access token. Now, when a user from Pipedrive calls our API from a basic action, is there any way to securely find which user the request is coming from? (The user ID can be passed in the URL, but that is not secure, as anyone can call the API with the user_id as a parameter.) We are looking for an option such as a token to identify the user.

Hello

Have you thought about a request header to pass on the user info?

Regards
Shan Prem
Paalam Consultancy Ltd
UK

Paalam is a business automation niche consultancy that specialises in CRM automation. We would be happy to help you with your automations.

If you’re referring to an app basic action, when a user uses an action, they’re redirected to the URL provided here (some URL in your app)

and vendors usually check the user’s authentication on their side.

As it’s possible to pass any userId/companyId to the URL, a vendor should check if a user has an account on their side that is connected to Pipedrive’s userId/companyId.

For example, imagine I have an account in your app, but someone (who also has an account in your app) tries to hack me and passes their Pipedrive userId/companyId in the app redirect URL. As I installed your app, you should have a connection between my Pipedrive userId/companyId and your app’s userId. Once there is a request to the action URL, first, you check if my user exists in your app (I believe this is already done), and if yes, whether that user is connected to the Pipedrive companyId/userId from the URL. If both are “yes”, then it’s me who opened your app from Pipedrive.


Yes, I referred to the app basic action.
I understand the point that from the user_id and the company_id, I can get the one-to-one mapping for the user from the Pipedrive account to my own app.
A sample redirect URL looks like https://<our_app_url>?companyId=xxxx&resource=deal&selectedIds=xx&userId=xxxxx&view=details

Here, if we use the company_id and user_id to identify the user, any user who has not logged in to Pipedrive can also pass another one’s company_id and user_id. Does Pipedrive provide or suggest any mechanisms to avoid it? Or should we handle it by asking the user to log in to our application using their credentials?

Correct, first, you ask a user to log in to your app (if not logged in), and afterwards compare the companyId/userId from the URL to the authorized user’s connected Pipedrive company.

The basic action URL is just a link to your app where the app can show connected Pipedrive data if a user in your app made a connection to Pipedrive.

If someone tries to pass a companyId/userId that is not connected to the correct Pipedrive user, the app should not respond with this data.

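The check described in this thread, written out as an added example (not code from Pipedrive or from the original poster): the app identifies the user from its own login session only, looks up the Pipedrive companyId/userId that this app user linked during the OAuth install, and serves Pipedrive data only when those match the parameters in the basic action URL. The `CONNECTIONS` store and all ids are constructed sample data.

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample store: app user id -> Pipedrive identity recorded
# when that app user completed the OAuth install. In a real app this
# lives in the database next to the stored access token.
CONNECTIONS = {
    "app-user-17": {"company_id": "1001", "user_id": "5001"},
    "app-user-42": {"company_id": "2002", "user_id": "5002"},
}


def pipedrive_ids_from_action_url(url):
    """Read companyId/userId from a basic action redirect URL.

    Returns None if either parameter is missing. The values are untrusted
    input: anyone can put any ids in a URL, so they are only ever compared
    against what the app already knows, never used to pick the user.
    """
    query = parse_qs(urlparse(url).query)
    company = query.get("companyId", [None])[0]
    user = query.get("userId", [None])[0]
    if not company or not user:
        return None
    return {"company_id": company, "user_id": user}


def authorize_action_request(url, session_app_user):
    """Decide whether to show Pipedrive data for this action request.

    session_app_user is the user authenticated by the app's own login
    (None when nobody is logged in). Returns (allowed, reason).
    """
    if session_app_user is None:
        # Step 1 from the thread: ask the user to log in to the app first.
        return False, "login_required"
    ids = pipedrive_ids_from_action_url(url)
    if ids is None:
        return False, "missing_ids"
    linked = CONNECTIONS.get(session_app_user)
    if linked is None:
        # Logged in, but this app user never connected a Pipedrive account.
        return False, "no_pipedrive_connection"
    if linked != ids:
        # Step 2: URL ids must match the ids linked to the logged-in user;
        # someone else's companyId/userId in the URL is refused.
        return False, "id_mismatch"
    return True, "ok"
```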