How not to send the sip access data through the Javascript client?

misterBlubb

New Member
Hello!

In my WCS5 test implementation the sip login data are visible in the Javascript source code of flashphoner.js.

//SIP config
var sipConfig;
if (options.sipOptions) {
    sipConfig = {
        sipLogin: "xxxx",
        sipAuthenticationName: "xxxx",
        sipPassword: "xxxx",
        sipDomain: "xxxx",
        sipOutboundProxy: "xxxx",
        sipPort: "xxxx",
        sipRegisterRequired: "true"
    }
}


I am looking for a solution to secure this.
My VOIP gateway only allows connections from my server. But that is no help, because those SIP login data are the ones from my WCS, and in the end the WCS connects to the VOIP gateway, and that is allowed.
What can I do?

How the call is made:
1. a user enters a phone number into a html form on my website
2. via a php request the number is checked if it is allowed to be called (service numbers are not allowed, foreign numbers and so on)
3. if the php returns "okay" the flashphoner.js initializes the call

I could imagine this way as a solution for my security issue:
If the php script allows the requested call, it inserts that number and a token into a MySQL table. Then it returns the token. Then flashphoner.js initializes the connection to the WCS, but instead of sending the sip login data, it sends the token. On the server side the database is checked for whether that token exists and which phone number is related to it. If so, it starts the call.
What do you think about this way? If it works, please tell me in which WCS script(s) I can do the necessary adjustments. Is there any shell script where I can implement the database check and where I could add the sip access data?

Thank you in advance!
Marx :)
 

Max

Administrator
Staff member
Good day, Marx.
You can use the REST hooks /connect and /call for this purpose. A detailed example of how to authorize a user by domain is described here; we slightly modify it:
1. Your client-side JavaScript should not send any SIP options when connecting to WCS,
2. Because in your backend script, on receiving the /connect REST hook, we can add SIP options as needed
Code:
switch($api_method) {
    case "connect":
        // Here you authorize user by domain or something if needed
        // ...
        // When user authorized, add SIP options
        $incoming_data['sipLogin'] = "xxxxx";
        $incoming_data['sipAuthenticationName'] = "xxxx";
        $incoming_data['sipPassword'] = "xxxx";
        $incoming_data['sipDomain'] = "xxxx";
        $incoming_data['sipOutboundProxy'] = "xxxx";
        $incoming_data['sipPort'] = "xxxx";
        // ...
        break;
    // ...
}
3. When the client enters the number and makes a call with the createCall() function, your backend script receives the /call REST hook. Here you can check the number and return 403 Forbidden if it is not allowed:
Code:
switch($api_method) {
    case "connect":
        // ...
        break;
    case "call":
        // Reject the call when the callee number is not allowed
        if(!checkCallee($incoming_data['callee'])) {
            error_log("Callee is not allowed: " . $incoming_data['callee'] . " Connection failed with 403 status.");
            ubnormalResponse(403);
        }
        break;
    // ...
}
Certainly, your backend script should be available on your web server and should be registered on WCS with CLI:
Code:
ssh -p 2001 admin@localhost
%update app -l http://yourhost/rest-hooks defaultApp
%update app -l http://yourhost/rest-hooks callApp
 

Max

Administrator
Staff member
Good day.
You should create a folder on your backend server, for example /var/www/html/rest-hooks assuming Apache. Then set up your web server to start index.php from this folder. In index.php get the REST hook method as
Code:
$parts = explode("/", $_SERVER['REQUEST_URI']); // array_pop() needs a variable (by reference)
$api_method = array_pop($parts);
So the method URI will look like http://www.mydomainaddresswithoutport.com/rest-hooks/connect
 

misterBlubb

New Member
Okay, one more question, please! :)
If I check if a callee number is allowed or not (in status "call") and decide not to allow this call - how can I stop it?

Code:
header('HTTP/1.1 403 Forbidden', true, '403');
die();
seems only to work in the connect status but not in call status.
 

Max

Administrator
Staff member
Good day.
The default policy for calls is LOG when the backend returns 403. So, we have to change the policy:
1. Put the file rest_client_config.json near the backend script. The file should contain at least the following:
Code:
{
  "call" : {
    "clientExclude" : "",
    "restExclude" : "",
    "restOnError" : "FAIL",
    "restPolicy" : "NOTIFY",
    "restOverwrite" : ""
  }
}
2. Return this file content when handling /connect method
Code:
switch($api_method) {
    case "connect":
        // Here you authorize user by domain or something if needed
        // ...
        // When user authorized, add SIP options
        // ...
        // Return rest_client_config with changed call policy
        $rest_client_config = json_decode(file_get_contents('rest_client_config.json'), true);
        $incoming_data['restClientConfig'] = $rest_client_config;
        break;
    // ...
}
// Return OK response
header('Content-Type: application/json');
echo json_encode($incoming_data);
So, when you return 403 Forbidden status if call is not allowed, call will not be established.
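
The pieces from the replies above (SIP options added in /connect, call policy set to FAIL, callee check in /call), combined into one index.php as an added example that is not part of the original thread and not Flashphoner's own code. Because the /connect response echoes the SIP password back as JSON, the script answers only the WCS host. Assumptions: WCS POSTs the hook data as a JSON body; the environment variables WCS_IP and WCS_SIPLOGIN ... WCS_SIPPORT, the deny() helper and the number policy in checkCallee() are hypothetical.

```php
<?php
// Added example, not Flashphoner's code. Assumptions: WCS POSTs hook data as a
// JSON body; WCS_IP and WCS_SIP* are environment variables set on the web server.

// Hypothetical policy: national numbers only (constructed country code +49),
// excluding constructed service/premium prefixes 900, 137 and 180.
function checkCallee($callee) {
    $number = (string)preg_replace('/[\s().-]/', '', (string)$callee);
    return preg_match('/^\+49(?!900|137|180)[1-9][0-9]{5,12}$/', $number) === 1;
}

function deny($code) {
    http_response_code($code);
    exit;
}

// The /connect response carries the SIP password, so answer only the WCS host.
if ($_SERVER['REMOTE_ADDR'] !== getenv('WCS_IP')) {
    deny(403);
}
$api_method = basename((string)parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH));
$incoming_data = json_decode(file_get_contents('php://input'), true);
if (!is_array($incoming_data)) {
    deny(400);
}

switch ($api_method) {
    case 'connect':
        // Credentials stay server-side; flashphoner.js sends no sipOptions.
        foreach (['sipLogin', 'sipAuthenticationName', 'sipPassword',
                  'sipDomain', 'sipOutboundProxy', 'sipPort'] as $key) {
            $incoming_data[$key] = getenv('WCS_' . strtoupper($key));
        }
        // Make a 403 from /call fail the call instead of only being logged.
        $incoming_data['restClientConfig'] = ['call' => [
            'clientExclude' => '', 'restExclude' => '', 'restOnError' => 'FAIL',
            'restPolicy' => 'NOTIFY', 'restOverwrite' => '']];
        break;
    case 'call':
        $callee = $incoming_data['callee'] ?? '';
        if (!checkCallee($callee)) {
            // json_encode() keeps control characters out of the log line.
            error_log('Callee is not allowed: ' . json_encode($callee));
            deny(403);
        }
        break;
}
header('Content-Type: application/json');
echo json_encode($incoming_data);
```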
 

misterBlubb

New Member
Jepp!! That's working like a charm! :)
Is there a similarly easy solution for WCS2? I know, it's old and out of support, but maybe you can give me a hint. With the WCS2 (on another server) I have the same problem with sip data in the client code. I was searching for old documentation but wasn't able to find anything.
 

Max

Administrator
Staff member
Good day.
You can try to solve the problem on the SIP side: your SIP provider should allow SIP calls from your WCS servers' IP addresses only. So even if clients can see SIP call details, they cannot make a call bypassing your servers.
For WCS2 it is the only possible solution.
 