Validate user with mailbox# and PIN?

Version 1
    This document was generated from CDN thread

    Created by: Roger Northrop on 01-11-2012 07:56:05 AM
    I
    am trying to validate users who do not know their web username and password,
    but since all of the API calls seem to require those values to authenticate,
    how can I validate that a user entered the correct mailbox and pin? If I
    authenticate with admin credentials, I can use the API to query for the user
    that matches the mailbox they entered (dtmfaccessid) and get their objectID.
    But after that how can I confirm that they entered the correct TUI pin for
    their mailbox? I see the API call to PUT a new pin and I tried a GET with the
    same URL and it returns some xml but not the actual pin. I was hoping some call
    would let me retrieve the current value of their pin so I could compare, if
    nothing else.
    Thanks
    for your help!

    Subject: RE: Validate user with mailbox# and PIN?
    Replied by: Jeff Lindborg on 01-11-2012 09:40:06 AM
    This is, of course, no way to get any open credential (PIN or Password) out of the database – such a practice would get us a visit from the Security Team Education Squad… not good.  Most systems out there secure credentials in the same way – they are stored as one-way hashes.  You cannot “decrypt” a credential, only provide a proposed password which is then hashed using the same algorithm/key/salt value etc… and it’ll tell you if they match or not.
    There is a stored procedure in the database for doing this (i.e. if you’re connected via ODBC for instance) – I’ll have to hunt and see if the same functionality is exposed via REST but right off hand I don’t think it is.  Authentication against the GUI interfaces are restricted to your GUI PW (which is necessarily more secure than your PIN given the broader potential character set) by design – understood your purpose in trying to work around that here but also understand that by design clients aren’t supposed to be able to slip around that out of the box.

    Subject: RE: Validate user with mailbox# and PIN?
    Replied by: Roger Northrop on 01-11-2012 11:20:49 AM
    Thanks!  I didn't see anything in the REST API to handle that but hoping I missed something.  Do you know where I can find any documentation to see what would be involved with using the Stored Procedure?  I'm not sure if this application will allow for me to connect directly to the database but I can look into that.