First I'm making a "login" API call and receiving the authorization token back. Next, I make another API call that requires authentication and include the token. This call returns error code 5 "Method must come from a white-listed IP address or provide an auth token". The call I'm making is a client-side call (the API starts with CR), so IP addresses don't need to be white-listed, and I am including an auth token. This started after our site was upgraded to version 15.5. Why is this happening and how do I fix it?
Part of the Luminate Online 15.5 upgrade included changes to how session information is handled, in order to adhere to PCI compliance standards (described in depth in BB756339).
An auth token is a session identifier, and as such can no longer be passed in the URL when making API calls. This means that the "sso_auth_token" parameter must now be passed as a POST parameter rather than a URL parameter. If you view your API logs for one of the requests that returned the error code, you will see something that looks like the following:
Each parameter that is visible in the URL string (has &param=value) has been passed as a URL parameter rather than a POST parameter. At the very least, the sso_auth_token must be sent as a POST parameter. You can confirm this is working when the parameter no longer appears in the URL string in your API logs. Below is an example of what a URL string would look like if all parameters were sent as POST parameters rather than URL parameters:
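The following JavaScript is an added example, not part of the original article or the vendor's code: it builds a request with every parameter in the POST body and checks a logged URL string for a session identifier left in the query string. The host, the `CRConsAPI` path, the `getUser` method and the `api_key`, `v` and `method` parameters are assumptions used for illustration; only `sso_auth_token` comes from the article, and all values are constructed placeholders.

```javascript
// Parameters that carry session information and must never appear in a URL.
const SESSION_PARAMS = new Set(["sso_auth_token"]);

// Build a fetch()-style request with all parameters in the POST body.
// Any query string already on the endpoint is moved into the body as well,
// so nothing is left in the URL for logs, proxies or browser history.
function buildPostRequest(endpoint, params) {
  const url = new URL(endpoint);
  const body = new URLSearchParams(url.search);
  for (const [name, value] of Object.entries(params)) {
    body.set(name, value);
  }
  url.search = ""; // strip the query string from the request URL
  return {
    url: url.toString(),
    init: {
      method: "POST",
      headers: { "Content-Type": "application/x-www-form-urlencoded" },
      body: body.toString(),
    },
  };
}

// Given a URL string as it appears in a log (absolute or relative),
// return the session parameter names found in its query string.
function sessionParamsInUrl(loggedUrl) {
  const q = loggedUrl.indexOf("?");
  const query = q === -1 ? "" : loggedUrl.slice(q + 1);
  const found = [];
  for (const name of new URLSearchParams(query).keys()) {
    if (SESSION_PARAMS.has(name) && !found.includes(name)) found.push(name);
  }
  return found;
}

// Constructed sample: the endpoint and values are placeholders.
const sample = buildPostRequest(
  "https://example.org/site/CRConsAPI?method=getUser",
  { api_key: "EXAMPLE_KEY", v: "1.0", sso_auth_token: "EXAMPLE_TOKEN" }
);
console.log(sample.url, sample.init.body);
// Usage in a browser: fetch(sample.url, sample.init)
```

Running `sessionParamsInUrl` over the URL strings in your API logs gives a quick check that no request still carries the token as a URL parameter.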