Disallow external requests to custom controllers
Answer ID 12892   |   Last Review Date 09/06/2024

How can we make a custom controller respond only to requests from certain IP addresses or from Customer Portal code?

Environment:
 
  • Oracle B2C Service, all versions
  • Customer Portal 3.x
  • Custom controller
  • Custom widget
  • PHP and AJAX
Issue:
 
We want to restrict the Customer Portal (CP) URL /cc/myController/myMethod so that it can only be accessed from a specific IP address or a specific domain.
 
Resolution:
 
There are a few options that may suit your use case.
 
  • Configuration settings SEC_VALID_ENDUSER_HOSTS and SEC_INVALID_ENDUSER_HOSTS
  • Configuration setting CP_CONTACT_LOGIN_REQUIRED
    • Applies when the implementation for a given interface always requires users to log in
    • Setting this configuration setting to "Yes" would prevent someone who is not logged in from accessing the controller (or any other CP page or controller)
    • Some custom implementations may use alternative means to always redirect users to an external login page for SSO or PTA, so you might not have set this setting previously
    • Make sure to log in or out as needed for testing
  • Using security tokens
    • The CP framework offers the ability to create a token for authorization
    • The utility class that provides it is RightNow\Utils\Framework
    • You can generate the token in the backend, for example in a widget controller
      • There are several methods to choose from
      • Documentation: createTokenWithExpiration
        • This token expires in SUBMIT_TOKEN_EXP minutes
        • It is consumed upon use
        • PHP example
          use RightNow\Utils\Framework;
          // ...
          $tokenId = uniqid();
          $token = Framework::createTokenWithExpiration($tokenId, false, true);
          $this->data['js'] = array(
              'tokenId' => $tokenId,
              'token' => $token,
          );
        • Now you can use it in the widget JavaScript when making the AJAX request to your controller.
        • You will need to get a new token after SUBMIT_TOKEN_EXP minutes or after the token is consumed; see, for instance, the standard input/FormSubmit widget code
      • Documentation: createToken
        • The token is reusable
        • The token does not expire
        • For the reasons above, createTokenWithExpiration is recommended
        • The PHP example is the same, except the call is
          Framework::createToken($tokenId);
      • For your AJAX request, you could send the token and its ID as form data.
      • createPostToken / isValidPostToken may be another option
    • Now you validate the token in your controller
      • Documentation: isValidSecurityToken
      • Example (the token and its ID are read from the AJAX request; reject the request when the token is invalid):
        if (Framework::isValidSecurityToken($token, $tokenId, false) !== true) {
            // invalid, expired or already-consumed token: do something else, like die();
        } else {
            // do whatever the controller method is supposed to do
        }
      • Note that the ID you generated earlier is now the second parameter.
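The following is an added, end-to-end illustration of the token approach described above (the widget side that creates the token and the controller side that validates it); it is example code written for this page, not sample code from Oracle or from the article. It assumes a hypothetical custom widget named custom/sample/TokenCaller, a custom controller myController with method myMethod (so the URL is /cc/myController/myMethod), that the widget JavaScript posts the values it received in this.data.js as form fields named "token" and "tokenId", and the usual CP/CodeIgniter-style $this->input->post() accessor in the controller; the file paths in the comments are the conventional CP locations and are assumptions as well.

```php
<?php
// Added example, not part of the knowledge base article.
// Both classes are shown in one listing for readability; in a real
// implementation each lives in its own file (paths below are assumed).

// --- customer/development/widgets/custom/sample/TokenCaller/controller.php ---
namespace Custom\Widgets\sample;

use RightNow\Utils\Framework;

class TokenCaller extends \RightNow\Libraries\Widget\Base
{
    function getData()
    {
        // A fresh, unpredictable ID per page render. The same ID must be
        // sent back with the token, because isValidSecurityToken() binds
        // the token to it.
        $tokenId = uniqid();

        // Expiring token (SUBMIT_TOKEN_EXP minutes), consumed on first use:
        // second argument false = default expiration, third true = one-time use.
        $this->data['js'] = array(
            'tokenId' => $tokenId,
            'token'   => Framework::createTokenWithExpiration($tokenId, false, true),
        );
        // The widget's logic.js then POSTs this.data.js.token and
        // this.data.js.tokenId as form data to /cc/myController/myMethod.
        // After the token is consumed (or expires) the JS must obtain a new
        // one, e.g. by re-rendering the widget.
    }
}

// --- customer/development/controllers/myController.php ---
namespace Custom\Controllers;

use RightNow\Utils\Framework;

class MyController extends \RightNow\Controllers\Base
{
    function myMethod()
    {
        // Assumed accessor: CodeIgniter-style POST retrieval.
        $token   = $this->input->post('token');
        $tokenId = $this->input->post('tokenId');

        // Fail closed: missing, invalid, expired or already-consumed tokens
        // all end the request before any real work happens. Because the
        // token was created as one-time use, a replayed request fails here.
        if (!$token || !$tokenId
            || Framework::isValidSecurityToken($token, $tokenId, false) !== true) {
            header('HTTP/1.1 403 Forbidden');
            header('Content-Type: application/json');
            exit(json_encode(array('error' => 'invalid or expired token')));
        }

        // Token accepted: do whatever the controller method is supposed to do.
        header('Content-Type: application/json');
        echo json_encode(array('ok' => true));
    }
}
```

The point of the fail-closed shape is that the check comes first and exits; the action only runs in the fall-through path, so a mistake in the condition cannot silently grant access the way an inverted if/else would. Tokens reach the browser only via this.data.js from a widget rendered by CP itself, so a request that did not originate from that page (or that reuses an old token) has nothing valid to present.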
Notes:
 
The sample code in this document or accessed through this document is not certified or supported by Oracle. It is intended for educational or testing purposes only. Use of this sample code implies acceptance of the License Agreement.