namecheap authentication fails for permissioned domain management
The following lines check to see if the domain name is returned by Namecheap’s API
https://github.com/AnalogJ/lexicon/blob/master/lexicon/providers/namecheap.py#L54-L63
Namecheap’s API seems to be halfassed and this won’t work as expected.
Please bear with me on this, it’s going to be odd to explain.
The only domains that seem to appear in this list are ones which are OWNED by the authenticating account. The list does not include items that are MANAGED by the authenticating account. Namecheap’s backend provisioning systems use an ACL (Access Control List) that allows for a domain “Owner” to proxy/delegate different responsibilities for a domain to other users of their system.
In my case, “Account1” is the owner of all domains, while “Account2” has been delegated admin privileges for only the DNS settings of a subset of domains. This was done to allow a tier of company staff to manage DNS via the control panel AND also enable API access – but keeping the staff and API away from registration/transfer/etc operations.
Privileged domains don’t seem to appear on this paginated view and will trigger lexicon exiting.
A potential check would be the namecheap.domains.getinfo endpoint (https://www.namecheap.com/support/api/methods/domains/get-info.aspx)
Supplying a &DomainName=example.com argument will result in a valid response if the user has permissions:
<ApiResponse Status="OK" xmlns="http://api.namecheap.com/xml.response">
<Errors />
<Warnings />
<RequestedCommand>namecheap.domains.getinfo</RequestedCommand>
<CommandResponse Type="namecheap.domains.getInfo">
<DomainGetInfoResult Status="Ok" ID="11111111111" DomainName="EXAMPLE.COM" OwnerName="USERNAME" IsOwner="false" IsPremium="false">
<DomainDetails>
<CreatedDate>02/15/2000</CreatedDate>
<ExpiredDate>02/15/3000</ExpiredDate>
<NumYears>0</NumYears>
</DomainDetails>
<LockDetails />
<Whoisguard Enabled="False">
<ID>0</ID>
</Whoisguard>
<PremiumDnsSubscription>
<UseAutoRenew>false</UseAutoRenew>
<SubscriptionId>-1</SubscriptionId>
<CreatedDate>0001-01-01T00:00:00</CreatedDate>
<ExpirationDate>0001-01-01T00:00:00</ExpirationDate>
<IsActive>false</IsActive>
</PremiumDnsSubscription>
<DnsDetails ProviderType="FREE" IsUsingOurDNS="true" HostCount="5" EmailType="No Email Service" DynamicDNSStatus="false" IsFailover="false">
<Nameserver>dns1.registrar-servers.com</Nameserver>
<Nameserver>dns2.registrar-servers.com</Nameserver>
</DnsDetails>
<Modificationrights All="false">
<Rights Type="hosts">OK</Rights>
</Modificationrights>
</DomainGetInfoResult>
</CommandResponse>
<Server>PHX01APIEXT03</Server>
<GMTTimeDifference>--5:00</GMTTimeDifference>
<ExecutionTime>0.384</ExecutionTime>
</ApiResponse>
Note this section which correlates to the ACL for hosts being enabled:
<Modificationrights All="false">
<Rights Type="hosts">OK</Rights>
</Modificationrights>
If a user requests this endpoint on a domain they are not permissioned for, it’s an error:
<?xml version="1.0" encoding="utf-8"?>
<ApiResponse Status="ERROR" xmlns="http://api.namecheap.com/xml.response">
<Errors>
<Error Number="4011103">Access Denied</Error>
</Errors>
<Warnings />
<RequestedCommand>namecheap.domains.getinfo</RequestedCommand>
<CommandResponse Type="namecheap.domains.getInfo">
<DomainGetInfoResult ID="0" IsOwner="false" IsPremium="false">
<DomainDetails>
<NumYears>0</NumYears>
</DomainDetails>
<LockDetails />
<Whoisguard>
<ID>0</ID>
</Whoisguard>
<PremiumDnsSubscription>
<UseAutoRenew>false</UseAutoRenew>
<SubscriptionId>-1</SubscriptionId>
<CreatedDate>0001-01-01T00:00:00</CreatedDate>
<ExpirationDate>0001-01-01T00:00:00</ExpirationDate>
<IsActive>false</IsActive>
</PremiumDnsSubscription>
<DnsDetails IsUsingOurDNS="false" HostCount="0" DynamicDNSStatus="false" IsFailover="false" />
<Modificationrights />
</DomainGetInfoResult>
</CommandResponse>
<Server>PHX01APIEXT02</Server>
<GMTTimeDifference>--5:00</GMTTimeDifference>
<ExecutionTime>0.114</ExecutionTime>
</ApiResponse>
I don’t know enough of their system to understand all the edge cases of what valid dns rights would look like in a variety of situations, but just doing a simple error check made this library usable for me.
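The check proposed in the issue, sketched as an added example (not code from the issue author or from lexicon): it parses a `namecheap.domains.getinfo` response and fails closed unless the `hosts` right is explicitly granted. The function name `can_manage_hosts`, the trimmed sample responses, and the meaning assumed for `IsOwner="true"` and `All="true"` are assumptions, since the page only shows the delegated and denied cases.

```python
import xml.etree.ElementTree as ET

NS = {"nc": "http://api.namecheap.com/xml.response"}

# Constructed samples: the two getinfo responses quoted above, trimmed.
GRANTED = """<ApiResponse Status="OK" xmlns="http://api.namecheap.com/xml.response">
<Errors />
<CommandResponse Type="namecheap.domains.getInfo">
<DomainGetInfoResult Status="Ok" DomainName="EXAMPLE.COM" IsOwner="false">
<Modificationrights All="false"><Rights Type="hosts">OK</Rights></Modificationrights>
</DomainGetInfoResult>
</CommandResponse>
</ApiResponse>"""

DENIED = """<ApiResponse Status="ERROR" xmlns="http://api.namecheap.com/xml.response">
<Errors><Error Number="4011103">Access Denied</Error></Errors>
<CommandResponse Type="namecheap.domains.getInfo">
<DomainGetInfoResult ID="0" IsOwner="false"><Modificationrights /></DomainGetInfoResult>
</CommandResponse>
</ApiResponse>"""


def can_manage_hosts(xml_text, domain):
    """Return (allowed, reason); anything not explicitly granted is refused."""
    root = ET.fromstring(xml_text)
    errors = ["%s %s" % (e.get("Number"), (e.text or "").strip())
              for e in root.findall("nc:Errors/nc:Error", NS)]
    if root.get("Status") != "OK" or errors:
        return False, "api error: " + ("; ".join(errors) or "no detail")
    result = root.find("nc:CommandResponse/nc:DomainGetInfoResult", NS)
    if result is None or (result.get("DomainName") or "").lower() != domain.lower():
        return False, "response is not for the requested domain"
    # Assumption: an owning account reports IsOwner="true" (the page only shows "false").
    if result.get("IsOwner") == "true":
        return True, "owner"
    rights = result.find("nc:Modificationrights", NS)
    if rights is None:
        return False, "no modification rights listed"
    # Assumption: All="true" means every right is delegated.
    if rights.get("All") == "true":
        return True, "all rights delegated"
    granted = {r.get("Type") for r in rights.findall("nc:Rights", NS)
               if (r.text or "").strip() == "OK"}
    if "hosts" in granted:
        return True, "hosts right delegated"
    return False, "hosts right not delegated"


if __name__ == "__main__":
    print(can_manage_hosts(GRANTED, "example.com"))
    print(can_manage_hosts(DENIED, "example.com"))
```

Comparing the returned `DomainName` against the requested one keeps a response for a different domain from being accepted as proof of access.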
Top GitHub Comments
Looks like this issue was fixed in #207
Yep!