Scripted Rest API - attach attachment to a HR case

Nicolas Leduc
Tera Contributor

Hello everyone,

We got a request to create a scripted REST API to be able to create an HR case (sn_hr_core_case) and attach an attachment to it afterwards.

We didn't have any issue creating the resources to create the HR case with the checks that we needed to do in them (different checks and behavior), and after that we send back the number of the HR case created; if needed we can also add the sys_id of the HR case, but that's not necessary since we can retrieve it in the attachment resource.

We also created the resource to create the attachment, and that works. Good? In a way, yes... but if we try to send attachments that are normally not authorized, they are also created. That's where our issue is.

Max size, extensions that aren't authorized, and MIME type checks are skipped.

I read on the net that this works as designed, since ServiceNow seems to think that because we decided to script, the security is up to us... a good breach of security in my eyes, but OK...

I can't find where the security was created, to be able to replicate it or call it in the scripted REST API.

When I check on the net, it seems that I will need to read the data stream that I get from the request to be able to do all the needed checks, but I think that will be a performance risk on the instance since several calls can be made, and several APIs could also use that feature...

For info, that API is secured using an application registry with client credentials and Enforce Token Restrictions. I also added some other security measures that are needed when Enforce Token Restrictions is activated:

  • sys_api_access_scope
  • sys_auth_scope
  • sys_api_access_policy
  • std_http_auth
  • sys_rate_limit_rules

We have two other resources that can create HR cases and they work correctly with or without Enforce Token Restrictions. If I remove / deactivate one of the security measures, then the call doesn't work anymore, and that is what is expected of course.

So I don't think the issue is with all that, but I am trying to understand how we can put in place / use the needed security.
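As an added example (not code from the original post or from ServiceNow), this is the kind of policy check a scripted REST resource could run on the upload before writing the attachment, so that the size, extension and MIME checks the poster describes as skipped are enforced in the resource itself. It assumes the allowlist and byte cap come from the instance's attachment properties (names such as glide.attachment.extensions and com.glide.attachment.max_size, read with gs.getProperty); here they are constructed constants so the function runs stand-alone under Node, and only the first few bytes of the body are inspected for a type signature so the cost does not grow with the file size.

```javascript
// Added example (not from the original post or from ServiceNow): validate an
// upload before a scripted REST resource writes it as an attachment.
// POLICY mirrors the instance properties glide.attachment.extensions and
// com.glide.attachment.max_size; the values below are constructed so the
// function runs stand-alone (in ServiceNow, read them with gs.getProperty).
const POLICY = {
  allowedExtensions: ['pdf', 'png', 'jpg', 'docx'],
  maxBytes: 5 * 1024 * 1024, // 5 MB cap
};

// Declared Content-Type values accepted for each extension.
const MIME = {
  pdf: ['application/pdf'],
  png: ['image/png'],
  jpg: ['image/jpeg'],
  docx: ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
};

// Leading bytes ("magic numbers") expected for each extension. Only these few
// bytes are read, so the check does not scale with the attachment size.
const SIGNATURES = {
  pdf: [0x25, 0x50, 0x44, 0x46], // "%PDF"
  png: [0x89, 0x50, 0x4e, 0x47], // "\x89PNG"
  jpg: [0xff, 0xd8, 0xff],
  docx: [0x50, 0x4b, 0x03, 0x04], // ZIP container
};

// fileName: attachment name; declaredType: Content-Type header; size: declared
// length in bytes; head: first bytes of the body (array or Uint8Array).
// Returns { ok: true } or { ok: false, reason }.
function validateAttachment(fileName, declaredType, size, head) {
  const dot = fileName.lastIndexOf('.');
  const ext = dot < 0 ? '' : fileName.slice(dot + 1).toLowerCase();
  if (!POLICY.allowedExtensions.includes(ext)) {
    return { ok: false, reason: 'extension not allowed: "' + ext + '"' };
  }
  if (!Number.isInteger(size) || size <= 0 || size > POLICY.maxBytes) {
    return { ok: false, reason: 'size ' + size + ' outside 1..' + POLICY.maxBytes };
  }
  if (!MIME[ext].includes(String(declaredType).toLowerCase())) {
    return { ok: false, reason: 'content type ' + declaredType + ' does not match .' + ext };
  }
  const sig = SIGNATURES[ext];
  if (head.length < sig.length || !sig.every((b, i) => head[i] === b)) {
    return { ok: false, reason: 'leading bytes do not match .' + ext };
  }
  return { ok: true };
}
```

A rejected result should end the resource with a 4xx status before any GlideSysAttachment write happens; the extension is taken from the last dot, so a name like report.pdf.exe is rejected rather than treated as a PDF.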


Tanushree Maiti
Kilo Patron

Hi @Nicolas Leduc

Refer these resources:

https://www.youtube.com/watch?v=gqqA99rKBJU

How to create a Scripted REST API to attachment?

https://www.linkedin.com/pulse/day-3-scripted-rest-api-oauth-setup-nikhil-gupta-8ybxf/


Please mark this response as Helpful & Accept it as solution if it assisted you with your question.
Regards
Tanushree Maiti
ServiceNow Technical Architect

Hello Tanushree Maiti

Honestly, these are interesting links, more particularly the video link (and the YouTube channel itself), but they don't tackle the specific issue that I mentioned, or I didn't find it at least.

Have a nice day,

Nicolas