Security in Handlers
In event handlers, the application developer must ensure that the handler is being called by Bitrix24 and not by a malicious actor. To make this possible, Bitrix24 passes an additional parameter, application_token, when invoking handlers.
The parameter is first sent to the OnAppInstall event handler, along with the authorization data of the user who installed the application. Using this authorization data, the OnAppInstall event handler can verify the validity of the received access_token and then store the application_token for future reference. The application's other event handlers can then compare the application_token they receive with the stored one.
This is particularly relevant in the event handler OnAppUninstall, as no authorization data is passed to it (the application has already been removed from Bitrix24). Therefore, in the case of OnAppUninstall, verifying the application_token against the stored value becomes the only way to ensure that the event handler was indeed called by Bitrix24.
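The check described above, as an added example in Python (not Bitrix24's own code). The portal identifier, the verify_access_token callback and the in-memory store are assumptions made for illustration; the page itself only names application_token, access_token, OnAppInstall and OnAppUninstall.

```python
import hmac


class HandlerGuard:
    """Stores the application_token seen at install and checks later calls against it."""

    def __init__(self, verify_access_token):
        # verify_access_token: hypothetical callable (portal, access_token) -> bool
        # that validates the installer's authorization data with Bitrix24.
        self._verify_access_token = verify_access_token
        self._tokens = {}  # portal id -> application_token (assumed; use durable storage)

    def accept(self, event, portal, application_token, access_token=None):
        """Return True only if the call should be processed."""
        if not application_token:
            return False
        event = event.upper()
        if event == "ONAPPINSTALL":
            # Trust the token only if the accompanying authorization data is valid.
            if not access_token or not self._verify_access_token(portal, access_token):
                return False
            self._tokens[portal] = application_token
            return True
        stored = self._tokens.get(portal)
        if stored is None:
            return False  # nothing stored for this portal, nothing to compare against
        # Constant-time comparison of the stored and received tokens.
        if not hmac.compare_digest(stored.encode(), application_token.encode()):
            return False
        if event == "ONAPPUNINSTALL":
            # No authorization data arrives with this event, so the token match
            # above is the only check. Drop the stored token afterwards.
            del self._tokens[portal]
        return True
```

Calls that fail the check should be rejected before any handler logic runs, and the stored token should live in persistent storage so it survives restarts.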