
Securing Custom Workflow Actions

When adding custom Workflow Actions to your process, security can easily become an issue. AlphaTrust e-Sign™ includes several querystring parameters that you can use to make API calls into AlphaTrust e-Sign™ to update or display data for your user. Nothing prevents a user from changing the IDs in the querystring to some other ID in an attempt to reach other users' data for malicious purposes. For this reason, we include a querystring value named ps_securitytoken. This is a security token that you can pass to an AlphaTrust e-Sign™ web service method to get back the actual values that should be in the querystring. This way you know for certain that the user has not modified these values, because they come directly from AlphaTrust e-Sign™, and you can safely use them to query and present or update data.

For example, your custom Workflow Action querystring might look something like this:

?ps_action=CUSTOM&ps_actno=1&ps_actstep=1&TransID=1000261829&DocID=1000467602&SigID=1000681444&at=E8CFF493453046170EA384F625F214A66463B1D3&PartID=1000154729&pat=0D8DB3C997E3A719330448A0BAB16D0C4CF19ED6&ps_securitytoken=7394fd62-dc98-45a1-9c13-7bdd7bfc7aba&ps_r=4484327

You just need to read the ps_securitytoken value and pass it into the GetTransactionTokenData() web service method; you get back a TransactionTokenDataModel object whose properties match the parameters that are also in the querystring (and possibly additional ones).

WARNING

This security token expires at whatever time you have set for the transaction session expiration. Taking this into consideration, you may want to retrieve all of the token data when the user first hits the page and save this data in some manner before attempting to make additional web service calls after a user action. This would be especially important if you have a long form that a user is filling out that may exceed the session timeout duration. If you attempt to retrieve the token data after they submit their form, it might fail and the user would have to start over again.

```csharp
// sc is the AlphaTrust e-Sign web service client and sa its credentials object;
// both are assumed to be initialised elsewhere on the page.
private TransactionTokenDataModel GetSecurityTokenData()
{
    // The token arrives as a querystring parameter on the custom Workflow Action URL
    var token = Request.QueryString["ps_securitytoken"];
    if (string.IsNullOrEmpty(token))
    {
        throw new ArgumentException("ps_securitytoken is missing from the querystring.");
    }

    var req = new TransactionTokenDataRequestModel();
    req.SecurityToken = token;

    // Ask AlphaTrust e-Sign for the authoritative values behind this token
    var results = sc.GetTransactionTokenData(sa, req);
    if (results.IsSuccessful.Value)
    {
        // These values come from the server, not from the user-controlled querystring
        return results.TokenData;
    }

    // Handle error: the token may have expired along with the transaction session
    throw new InvalidOperationException("GetTransactionTokenData failed; the security token may have expired.");
}
```
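The following ASP.NET Web Forms page is an added example, not code from the AlphaTrust e-Sign™ documentation. It follows the WARNING above: the token is exchanged for trusted values once, on the first request, and cached in Session so a later postback does not depend on a token that may have expired; it also refuses to proceed if any ID in the querystring disagrees with the server-supplied values. `sc` and `sa` are assumed to be the initialised web service client and its credentials, and the comparison relies on the documented fact that TransactionTokenDataModel property names match the querystring parameter names.

```csharp
using System;
using System.Collections.Specialized;
using System.Reflection;
using System.Web.UI;

public partial class CustomAction : Page
{
    private const string TokenDataKey = "TransactionTokenData";
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // First hit: exchange ps_securitytoken for the trusted values while the
            // transaction session is still alive, and keep them server-side.
            var req = new TransactionTokenDataRequestModel();
            req.SecurityToken = Request.QueryString["ps_securitytoken"];
            var results = sc.GetTransactionTokenData(sa, req);   // sc, sa: assumed client + credentials
            if (!results.IsSuccessful.Value)
                throw new InvalidOperationException("Security token rejected or expired.");
            Session[TokenDataKey] = results.TokenData;
        }

        // Postbacks (e.g. the final form submit) use the cached copy, so a long
        // form does not fail once the token has expired with the session.
        var tokenData = (TransactionTokenDataModel)Session[TokenDataKey];
        if (tokenData == null)
            throw new InvalidOperationException("No cached token data; restart the workflow.");
        // The IDs in the URL were edited: log it and stop rather than trust them.
        if (!QueryStringMatchesTokenData(Request.QueryString, tokenData))
            throw new UnauthorizedAccessException("Querystring IDs do not match the security token.");
        // From here on read TransID, DocID, SigID, PartID from tokenData, never from the URL.
    }

    // Compares every querystring parameter that has a same-named property on
    // TransactionTokenDataModel; ps_* routing values and parameters without a
    // matching property (e.g. the at / pat hashes) are skipped.
    internal static bool QueryStringMatchesTokenData(NameValueCollection qs, object tokenData)
    {
        var flags = BindingFlags.Public | BindingFlags.Instance | BindingFlags.IgnoreCase;
        foreach (string key in qs.AllKeys)
        {
            if (key == null || key.StartsWith("ps_", StringComparison.OrdinalIgnoreCase)) continue;
            var prop = tokenData.GetType().GetProperty(key, flags);
            if (prop == null) continue;
            var expected = Convert.ToString(prop.GetValue(tokenData, null));
            if (!string.Equals(expected, qs[key], StringComparison.Ordinal)) return false;
        }
        return true;
    }
}
```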