CUC Forums

RE: Validate user with mailbox# and PIN?

Roger Northrop Posts: 6 Join Date: 1/9/12 Recent Posts	Validate user with mailbox# and PIN? validate tui mailbox pin Answer 11/1/12 12:56 PM Mark as an Answer Submit Reply with Quote Quick Reply I am trying to validate users who do not know their web username and password, but since all of the API calls seem to require those values to authenticate, how can I validate that a user entered the correct mailbox and pin? If I authenticate with admin credentials, I can use the API to query for the user that matches the mailbox they entered (dtmfaccessid) and get their objectID. But after that how can I confirm that they entered the correct TUI pin for their mailbox? I see the API call to PUT a new pin and I tried a GET with the same URL and it returns some xml but not the actual pin. I was hoping some call would let me retrieve the current value of their pin so I could compare, if nothing else. Thanks for your help!
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Jeff Lindborg Posts: 26 Join Date: 10/3/09 Recent Posts	RE: Validate user with mailbox# and PIN? Answer 11/1/12 2:40 PM as a reply to Roger Northrop. Mark as an Answer Submit Reply with Quote Quick Reply This is, of course, no way to get any open credential (PIN or Password) out of the database – such a practice would get us a visit from the Security Team Education Squad… not good. Most systems out there secure credentials in the same way – they are stored as one-way hashes. You cannot “decrypt” a credential, only provide a proposed password which is then hashed using the same algorithm/key/salt value etc… and it’ll tell you if they match or not. There is a stored procedure in the database for doing this (i.e. if you’re connected via ODBC for instance) – I’ll have to hunt and see if the same functionality is exposed via REST but right off hand I don’t think it is. Authentication against the GUI interfaces are restricted to your GUI PW (which is necessarily more secure than your PIN given the broader potential character set) by design – understood your purpose in trying to work around that here but also understand that by design clients aren’t supposed to be able to slip around that out of the box.
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top

Roger Northrop Posts: 6 Join Date: 1/9/12 Recent Posts	RE: Validate user with mailbox# and PIN? Answer 11/1/12 4:20 PM as a reply to Jeff Lindborg. Mark as an Answer Submit Reply with Quote Quick Reply Thanks! I didn't see anything in the REST API to handle that but hoping I missed something. Do you know where I can find any documentation to see what would be involved with using the Stored Procedure? I'm not sure if this application will allow for me to connect directly to the database but I can look into that.
	Sign in to vote. Flag Please sign in to flag this as inappropriate. Top