18 July 2014
To improve the security of your data, Mingle 14.1 included several fixes for security vulnerabilities. If you were using the API to access data from a custom macro or an external application, it is possible that you will no longer be able to access that data in 14.1 or later versions because of these fixes.
In the past, you could perform API requests through a browser, and Mingle would authenticate them with your existing login cookie if you had already signed in.
Starting with 14.1, an API request must include either basic auth headers or an HMAC signature to be authenticated. If it includes neither, Mingle returns a 404. It will not pop up a prompt asking for credentials. This is intentional, so that an attacker cannot tell whether the resource exists and is protected or does not exist at all.
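The following is an added example, not Mingle's code, modelling the 14.1 rule described above: the session cookie is never consulted for an API call, valid basic auth or an HMAC signature is required, and anything else gets a 404 rather than a 401 challenge. The credential store, the example path and the HMAC header names and message format (X-Api-User, X-Api-Signature, HMAC-SHA256 over method, path and body) are assumptions made for illustration, not Mingle's actual wire format.

```python
import base64
import hashlib
import hmac

# Constructed credential store: user -> (password, shared HMAC secret).
# Placeholder values only; nothing here is a real Mingle credential.
USERS = {"alice": ("correct-horse", "0123456789abcdef")}

def basic_auth_header(user, password):
    """Client side: build 'Authorization: Basic base64(user:pass)'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def sign_request(user, method, path, body=b""):
    """Client side of an illustrative HMAC scheme (an assumption, not Mingle's
    wire format): hex HMAC-SHA256 over 'METHOD\\nPATH\\n' + body, keyed with the
    user's shared secret, carried in X-Api-User / X-Api-Signature headers."""
    msg = f"{method}\n{path}\n".encode() + body
    sig = hmac.new(USERS[user][1].encode(), msg, hashlib.sha256).hexdigest()
    return {"X-Api-User": user, "X-Api-Signature": sig}

def _basic_auth_user(auth_header):
    """Return the user named by a valid Basic header, else None."""
    if not auth_header or not auth_header.startswith("Basic "):
        return None
    try:
        creds = base64.b64decode(auth_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = creds.partition(":")
    if user not in USERS:
        return None
    # Constant-time comparison: a wrong password must not be detectable by timing.
    return user if hmac.compare_digest(password.encode(), USERS[user][0].encode()) else None

def _hmac_user(headers, method, path, body):
    """Return the user whose secret reproduces X-Api-Signature, else None."""
    user = headers.get("X-Api-User")
    if user not in USERS:
        return None
    expected = sign_request(user, method, path, body)["X-Api-Signature"]
    sig = headers.get("X-Api-Signature", "")
    return user if hmac.compare_digest(sig.encode(), expected.encode()) else None

def authorize_api_request(method, path, headers, body=b"", cookies=None):
    """Server side: the browser session cookie is deliberately never consulted,
    and a request without valid Basic or HMAC credentials gets 404 with no
    challenge, so a protected resource looks like a missing one. Returns (status, user)."""
    user = _basic_auth_user(headers.get("Authorization")) or _hmac_user(headers, method, path, body)
    return (200, user) if user is not None else (404, None)
```

A tampered body or a changed method invalidates the signature, so the last two checks in a typical test fail closed with 404 rather than leaking anything about the resource.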
Mingle 14.1 also guards against CSRF (cross-site request forgery), a common vulnerability in web applications in which a signed-in user is tricked into clicking a link in a phony app or email that then steals data or performs unintended actions on their behalf.
If your macro code uses the jQuery that the Mingle app already loads, your requests should continue to work in 14.1. If you bundled your own copy of jQuery or use a different framework, you will have to submit a valid CSRF token with your POST/PUT requests for them to work.
These changes may affect your macros and integrations and require extra effort to update them. However, they were made after a very thorough security audit of the application, and we felt they were worth the inconvenience to keep your data secure. If you have any questions about these changes, or about Mingle in general, please contact our support team.