
Uploading attachments securely to a ticket

  • December 8, 2022
  • 10 replies
  • 0 views

I am struggling to find a way to upload attachments to a ticket securely with my app.

I can't upload an attachment with ZAFClient.Request() because it does not support the header Content-Type to be set as "application/binary", and therefore corrupts the uploads.

So, my only option is to use, for example, the JavaScript function fetch to call the Zendesk API, where I can set the required headers. But because this is not the ZAF client, I need to add a header for authorization.

There is no function to get an authorization header from the ZAFClient, and using Secure settings will not work because the code block where I need to set the authorization header is not in a ZAFClient.Request().

My only option is to set the authorization header as plain text in the code itself. This is extremely bad and makes me nervous. Is there something obvious that I am missing, or is this really the only way to make this work?

Here is my current working (but insecure) way of doing this:

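    // Working but insecure: the Authorization value is embedded in client-side code.
    const response = await fetch(
        "https://DOMAIN.zendesk.com/api/v2/uploads.json?filename=" +
            // Encode the filename so characters such as & or # cannot alter the query string.
            encodeURIComponent(this.file.name + "." + this.file.fileExtension),
        {
            method: "POST",
            headers: {
                "Content-Type": "application/binary",
                "Authorization": "Basic TOKENHERE"
            },
            body: this.file.url
        });
    const attachmentResult = await response.json();
    // Attach the returned upload token to the ticket comment.
    ticket.ticket.comment.uploads = [attachmentResult.upload.token];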

 


  • Author
  • December 30, 2022

Any comments on this issue?


Tipene
  • January 3, 2023

Hi Tuomas,

Thanks for reaching out and sorry for the delay in someone getting back to you!

As it currently stands, the best way to ensure security when using the Attachments API together with a ZAF app would be by using a piece of backend middleware to process the request. This way, your credentials won’t be exposed on the client side. 

I know this is not an optimal solution and I’m working with our product team to see if we can look into making changes to the ZAF request method to allow for securely uploading ticket attachments directly from the browser.

I’ll reply back here once I have any more information that I can share with you.

Thanks!

Tipene
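
A minimal sketch of the server-side half of the middleware approach described in the reply above, as an added example that is not part of the original thread and not Zendesk's own code. The function names, the environment variable names, the filename allow-list and the size cap are assumptions; the credential uses Zendesk's `email/token:api_token` Basic scheme and lives only on the server.

```javascript
// Added example (Node.js 18+): helper for a hypothetical upload middleware.
// ZENDESK_SUBDOMAIN, ZENDESK_EMAIL and ZENDESK_API_TOKEN are assumed names.
const MAX_BYTES = 50 * 1024 * 1024; // assumed cap enforced by the middleware

// Build the request the middleware sends to Zendesk. Pure and synchronous,
// so input validation and credential handling can be tested offline.
function buildZendeskUpload(filename, bytes, env) {
  // Allow-list the filename: no path separators or query metacharacters.
  if (typeof filename !== "string" || !/^[\w.\- ]{1,255}$/.test(filename)) {
    throw new Error("invalid filename");
  }
  if (!(bytes instanceof Uint8Array) || bytes.length === 0 || bytes.length > MAX_BYTES) {
    throw new Error("invalid body");
  }
  // The target host comes from server configuration, never from the client.
  if (!/^[a-z0-9-]+$/i.test(env.ZENDESK_SUBDOMAIN || "")) {
    throw new Error("invalid subdomain");
  }
  const basic = Buffer.from(
    `${env.ZENDESK_EMAIL}/token:${env.ZENDESK_API_TOKEN}`
  ).toString("base64");
  return {
    url: `https://${env.ZENDESK_SUBDOMAIN}.zendesk.com/api/v2/uploads.json` +
      `?filename=${encodeURIComponent(filename)}`,
    init: {
      method: "POST",
      headers: { "Content-Type": "application/binary", Authorization: `Basic ${basic}` },
      body: bytes,
    },
  };
}

// Forward the file and return only the upload token to the app, so neither
// the credential nor the rest of the Zendesk response reaches the browser.
async function forwardUpload(filename, bytes, env, fetchImpl = fetch) {
  const { url, init } = buildZendeskUpload(filename, bytes, env);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`Zendesk upload failed: ${res.status}`);
  const data = await res.json();
  return { token: data.upload.token };
}
```

The app would send the file to an HTTPS endpoint that calls `forwardUpload`, then place the returned token in `ticket.comment.uploads` as in the original snippet; how the middleware authenticates the app's request is outside this sketch.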


  • Author
  • January 12, 2023

Thank you. Yeah, the middleware doesn't fix a lot. Yes, the Zendesk token would be safe, but the connection to the middleware should optimally be secured too, and there we get the next set of issues.

Please keep me updated, I have found many similar community posts from the past that have struggled with this same issue.


  • Author
  • July 6, 2023

Do you have any updates on this? This is a high concern item for us currently.


Boris18
  • November 25, 2023

FYI this also impacts me and is blocking a new app I am working on. Customers don't want data to leave the browser and go to our systems, so we really want to upload a file using the ZAF API. 


  • Author
  • July 17, 2024

No updates? I think this is a massive flaw with the ZAF client / secure string implementation.


  • Author
  • December 23, 2024

Any updates? Why is this blocked in ZAFClient?


Greg29
  • December 26, 2024

Hi Tuomas,

 

I looked into this and it has been something that the dev team has explored in the past; however, it is not something that they are prioritizing at this time. While I'm not able to speak to their reasoning for that myself, you can create a formal feedback request here and they may be able to respond to it with more clarity for you there.


  • Author
  • May 21, 2025

Still trying to get this fixed :(


  • June 26, 2025

Hi Tuomas, 

I may have missed something, but without using a fetch it is possible to retrieve PDFs with:

    const client = ZAFClient.init();
    const ticketData = await client.get('ticket.id');
    const ticketId = ticketData['ticket.id'];
    const response = await client.request(`/api/v2/tickets/${ticketId}/comments.json`);
    const comments = response.comments;
    comments.forEach(comment => {
        if (comment.attachments) {
            comment.attachments.forEach(att => {
                console.error(att.content_url);
            });
        }
    });

Available properties: https://developer.zendesk.com/api-reference/ticketing/tickets/ticket-attachments/

Alternatively, to avoid displaying your TOKEN in the application source code, you can set it as a “secure parameter” in the zcli.apps.config.json file.

    {
      "parameters": [
        {
          "name": "Token",
          "type": "text",
          "required": true,
          "secure": true
        }
      ]
    }