Kameleoon Application File Integrity
Introduction
The Automation API can be used to check the integrity of the Kameleoon application file that is loaded on your website. By doing so, you ensure that our application file has not been tampered with and can safely be used on your website.
The integrity check works by retrieving from the API a hash code computed from the contents of the application file, and then comparing it to the hash code of the application file actually integrated on your website. The two hash codes should be equal in all cases.
This document will help you implement this integrity check and thus protect the application file from tampering.
Sample implementation of the integrity check
JavaScript:

const API_SSX_URL = 'https://api.kameleoon.com';
const SITE_CODE = 'SITE_CODE';
const HASH_TYPE = 'SHA256';
const CLIENT_ID = 'CLIENT_ID';
const CLIENT_SECRET = 'CLIENT_SECRET';
let token = null;

// Sends a request and hands the parsed JSON body to the callback on success
const doRequest = (url, method, data, callback) => {
  const xmlHttp = new XMLHttpRequest();
  xmlHttp.onreadystatechange = function () {
    if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
      callback(JSON.parse(xmlHttp.responseText));
    }
  };
  xmlHttp.open(method, url, true);
  if (token) {
    // Authenticated API calls carry the bearer token and a JSON body
    xmlHttp.setRequestHeader('Authorization', 'Bearer ' + token);
    xmlHttp.setRequestHeader('Content-type', 'application/json');
  } else {
    // The token request itself is form-encoded
    xmlHttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
  }
  xmlHttp.send(data);
};

// Obtains an access token, then asks the API for the hash code of the application file
const obtainHash = (callback) => {
  doRequest(`${API_SSX_URL}/oauth/token`,
    'POST',
    `grant_type=client_credentials&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}`, (response) => {
      token = response.access_token;
      doRequest(`${API_SSX_URL}/sites/${SITE_CODE}/hash`, 'PATCH', `{"hashType": "${HASH_TYPE}"}`, (response) => {
        // The hash code itself is in the hashCode field of the response
        callback(response.hashCode);
      });
    });
};

obtainHash((hashCode) => {
  // Some method to compare the hash code
  checkHash(hashCode);
});
PHP:

<?php
$API_SSX_URL = 'https://api.kameleoon.com';
$SITE_CODE = 'SITE_CODE';
$HASH_TYPE = 'SHA256';
$CLIENT_ID = 'CLIENT_ID';
$CLIENT_SECRET = 'CLIENT_SECRET';

// Step 1: obtain an access token with the client credentials grant
$tokenRequest = curl_init($API_SSX_URL . "/oauth/token");
curl_setopt($tokenRequest, CURLOPT_POST, 1);
curl_setopt($tokenRequest, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($tokenRequest, CURLOPT_POSTFIELDS, "grant_type=client_credentials&client_id=" . $CLIENT_ID . "&client_secret=" . $CLIENT_SECRET);
$tokenOutput = curl_exec($tokenRequest);
curl_close($tokenRequest);
$token = json_decode($tokenOutput)->access_token;

// Step 2: ask the API for the hash code of the application file
$hashRequest = curl_init($API_SSX_URL . "/sites/" . $SITE_CODE . "/hash");
curl_setopt($hashRequest, CURLOPT_CUSTOMREQUEST, 'PATCH');
curl_setopt($hashRequest, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($hashRequest, CURLOPT_POSTFIELDS, json_encode(array(
    'hashType' => $HASH_TYPE
)));
curl_setopt($hashRequest, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/json',
    'Authorization: Bearer ' . $token
));
$hashOutput = curl_exec($hashRequest);
curl_close($hashRequest);
// Decode the response body (not the closed curl handle) to read the hash code
$hash = json_decode($hashOutput)->hashCode;

// Some method to compare the hash code
checkHash($hash);
The hash code of the original Kameleoon application file can be obtained by a call to our Automation API, so you will first need to get access to the Automation API (via OAuth 2.0) and read the corresponding documentation.
Once you are familiar with the Automation API, refer to the specific section about application file integrity for details.
As the examples above show, once you have requested the hash code from the API, you compare it to the hash code computed on your side to make sure that the file was not tampered with in any way.