Possible to pass ItemID to Plumsail Webpart without using querystring parameter?

Hello.

Is there a way to pass the itemID to the Plumsail Webpart without using the URL querystring parameter to pass such info? This is for security reasons, and I was wondering if there's any other way we can pass the itemID to the Plumsail Webpart.

Thanks,
stormanh

Dear @stormanh,
Right now, it can either be a constant or a querystring parameter, no other options. What are the security concerns? What alternative options do you see as more secure?

We might be able to offer paid support to implement other options, but we need to know the exact requirements before we can offer anything.

Hi @Nikita_Kurguzov.

Thanks for this info. Is there a way to encrypt a querystring parameter so that users cannot easily identify and modify its value in the browser, which would allow them to load/access another item?

Thanks,
stormanh

Dear @stormanh,
Not at the moment, though we can look into something like that - I'll have to ask the dev team.

A more secure option might be to manage user permissions on an item level, so the users simply don't have access to all the items. Otherwise, a malicious user can simply use the REST API and get a hold of items even without using any forms, as long as they have correct permissions to access them.

I've base-64 encoded the querystring to put some obfuscation over the data, to stop casual exploring and changes, plus it hides hidden field data. I've also added a CRC check on the data and included it in the querystring, so that will tell me whether the data has changed from the submitted form.

Both of these were done using JavaScript at both ends (Plumsail JS and also Zapier). It's not perfect; I did look at encryption algorithms in JS but wasn't very happy with the options.

Mark

Hi @RME

Can you provide sample code on how you do this?

Thanks
Stormanh

Sure thing.

In Plumsail, I have a function that takes the URL parameter and

On my website, I have a web form to capture a name, phone number, referrer name and email. I use a Zapier "Catch Hook" trigger to get this data, register the name/phone/email in a CRM and then create a new lead. This forms the basis for a querystring that I want to pass to a Plumsail form, to prefill some data. I also include a field for the lead ID.

In Zapier I do a "Run Javascript" action to create the query string then do a CRC32 check. I copied a CRC32 function that worked.

//crc32 function
var crc32=function(r){for(var a,o=[],c=0;c<256;c++){a=c;for(var f=0;f<8;f++)a=1&a?3988292384^a>>>1:a>>>1;o[c]=a}for(var n=-1,t=0;t<r.length;t++)n=n>>>8^o[255&(n^r.charCodeAt(t))];return(-1^n)>>>0};

//create querystring
let data = "?name="+inputData.n_name+"&phone="+inputData.n_phone+"&email="+inputData.n_email+"&referral="+inputData.n_referral+"&leadid="+inputData.n_leadid;

//add crc to it
data = data+"&CRC="+crc32(data);

I then used the Buffer object to create a base64 encoded version

// Buffer.from() replaces the deprecated new Buffer() constructor
let buff = Buffer.from(data);
return {output_b64: buff.toString('base64')};

then appended this to my Plumsail form URL as the querystring
https://forms.plumsail.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?querystring

--- End Zapier JS ---

In my Plumsail JS I do the opposite - grab the querystring, base64 decode it, extract the CRC value, rebuild the original querystring and check whether the CRC matches. I can then use the passed-in parameters in the next form in Plumsail:

function param_unpack(my_param) {
    // decodes base64 string and returns key-value pairs for URL-like parameters
    // does a sensibility check - crc check of data field inputs

    var temp;
    var inputstring;

    try {
        temp = new URLSearchParams(atob(my_param));
    }
    catch(err) {
        return 'Bad data - could not decode input - err name is '+err.name+' and error message is '+err.message;
    }

    // check CRC
    // build string to crc from
    try {
        inputstring = '?name='+temp.get('name')+'&phone='+temp.get('phone')+'&email='+temp.get('email')+'&referral='+temp.get('referral')+'&leadid='+temp.get('leadid');
    }
    catch(err) {
        return 'Bad data - no fields in input';
    }

    // compare calc crc with input crc
    if (temp.get('CRC') != crc32(inputstring)) {
        return 'Bad data - CRC check failed';
    }
    else {
        return temp;
    }
}

function crc32(r){for(var a,o=[],c=0;c<256;c++){a=c;for(var f=0;f<8;f++)a=1&a?3988292384^a>>>1:a>>>1;o[c]=a}for(var n=-1,t=0;t<r.length;t++)n=n>>>8^o[255&(n^r.charCodeAt(t))];return(-1^n)>>>0};

--- End Plumsail JS ---

Note I chose the CRC function as it works the same with Zapier and Plumsail JS, but it does error for some non-alphanumeric characters (e.g. '+').

Good luck, hope that helps
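
A keyed alternative to the CRC check above, as an added example that is not part of the original thread: a CRC32 is unkeyed, so it detects accidental changes but anyone who edits the decoded string can recompute it, whereas an HMAC-SHA256 tag cannot be recomputed without the secret. Assumptions: `SECRET`, `packParams`, `unpackParams` and the sample values are hypothetical, and verification runs server-side (for example in the flow that processes the submission), because a key embedded in the form's client-side JavaScript would be readable by the user.

```javascript
// Added example, not from the thread. SECRET and all sample values are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'demo-only-key'; // assumption: a random key held only in server-side config
const FIELDS = ['name', 'phone', 'email', 'referral', 'leadid'];

// Serialise the fields in a fixed order. URLSearchParams percent-encodes
// '+', '&', '=' and similar characters, so values round-trip unchanged.
function canonical(values) {
  const p = new URLSearchParams();
  for (const f of FIELDS) p.append(f, String(values[f] ?? ''));
  return p.toString();
}

// Keyed tag over the canonical string; unlike a CRC it needs the secret to compute.
function tag(text, secret) {
  return createHmac('sha256', secret).update(text, 'utf8').digest('hex');
}

// Sender side (for example a Zapier code step): returns a URL-safe token.
function packParams(values, secret) {
  const qs = canonical(values);
  return Buffer.from(`${qs}&sig=${tag(qs, secret)}`, 'utf8').toString('base64url');
}

// Verifier side: returns the field values, or null when the token is
// malformed, incomplete, or was changed after signing.
function unpackParams(token, secret) {
  const decoded = Buffer.from(String(token), 'base64url').toString('utf8');
  const params = new URLSearchParams(decoded);
  const values = {};
  for (const f of FIELDS) {
    if (!params.has(f)) return null;
    values[f] = params.get(f);
  }
  const received = Buffer.from(params.get('sig') ?? '', 'utf8');
  const expected = Buffer.from(tag(canonical(values), secret), 'utf8');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (received.length !== expected.length) return null;
  return timingSafeEqual(received, expected) ? values : null;
}
```

The token is signed but not encrypted, so the values remain readable, and it does not replace the item-level permissions suggested earlier in the thread.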

Thanks @RME! Will give it a try...