Background
I have an application that has a Wordpress plugin. I'm posting it here because AFAIK wp_remote_get() is basically a wrapper around CURL, and I don't think this is a Wordpress problem. The application (call it the back end) has a REST API. Most of the requests to the back end happen via ajax from javascript in the browser, and both Wordpress and the back end application have access to the same session - this is tested and working - the plugin has access to all the same session data that the back end does.
The problem
For some tasks the plugin needs to make requests to the back end directly (as in not ajax from the browser), so I need to pass the session cookie with those requests which are made via wp_remote_get(). Here is the code:
$headers = array(
'Content-Type' => 'application/json',
'Api-Key' => $options['api_key']
);
if ( !empty( $_SESSION[ 'Security' ][ 'accessToken' ] ) )
{
$headers[ 'Authorization' ] = 'Bearer ' . $_SESSION[ 'Security' ][ 'accessToken' ];
}
$cookies = [];
$cookie = new WP_Http_Cookie( 'main' );
$cookie->name = 'main';
$cookie->value = $_COOKIE['main'];
$cookie->expires = time()+120;
$cookie->path = '/';
$cookie->domain = '.example.com';
$cookie->samesite = 'none';
$cookie->secure = true;
$cookie->httponly = true;
$cookies[] = $cookie;
$request = wp_remote_get( $api_url, array(
'headers' => $headers,
'cookies' => $cookies
)
);
Now, I'm not 100% sure that this will give the back end access to the session as expected, because when I send this cookie along with the request I get an error:
[proxy_fcgi:error] [pid 1737121:tid 140694932940544] [client 192.168.1.1:40819] AH01071: Got error 'PHP message: https://example.com/shop/api/v3/item?id=100101
PHP message: fmldcke15n4uco3622i2t0nlj1
fmldcke15n4uco3622i2t0nlj1 is the current session_id(), which I find odd.
I have played with the various settings for the cookie, and the values being set are copied directly from session_set_cookie_params() from the back end.
So, 2 questions:
Why would sending a session cookie like this cause a hard error in fcgi?
Assuming I can get this to work, will this allow the back end to access the values in session when called in this fashion?
Related
I'm currently developping an application in Symfony using Guzzle. I succesfully created a service where I make my requests (one request to get a list of enterprises, another to get user infos, ...) but I have issues regarding cookies in Guzzle. I've got to say I'm a newbie regarding API so I'm learning as I read the documentation but found nothing interesting for the moment. I've tried everything found on the internet so far but didn't get the result I wanted.
When I make a request, I get a property "Set-Cookie" in my response that I need to put in my next requests. The "Set-Cookie" property is something like "EfficySession=XX-XXXXX~XXXXXXXX-XXXXXXXX; path=/crm/; expires=Wed, 13 Oct 2021 23:22:14 GMT; HttpOnly".
So far this is where I am :
I create my client in the construct in order to be able to use the same client in every method :
public function __construct()
{
$this->client = new Client(["base_uri" => "BASE_URI", "allow_redirect" => true]);
}
And this is my test request to try setting my cookies right :
public function testFunction()
{
$json = json_encode([
[
"#name" => "api",
"#func" => [
[
"#name" => "currentuserfullname"
]
]
]
]);
$jar = new CookieJar();
$headers = [
'X-Efficy-ApiKey' => $this->apiKey,
'X-Efficy-Logoff' => 'false',
'Content-Type' => 'application/json'
];
$options = ["headers" => $headers, "body" => $json, "cookies" => $jar];
$response = $this->client->request('GET', 'json', $options);
$cookieParser = new SetCookie();
$cookie = $cookieParser->fromString($response->getHeader("Set-Cookie")[0]);
$cookie->setDomain('DOMAIN');
$this->jar->setCookie($cookie);
return json_decode($response->getBody()->getContents())[0]->{'#func'}[0];
}
But my cookies doesn't seem to be stored since I always get the property "Set-Cookie" in my response's headers... I think I've tried everything, from using SessionCookieJar to using CookieJar but nothing seems to be working.
Maybe I don't understand things the right way but as I said above, I'm just starting with API so sorry if you see big mistakes in my code.
I have my account system at accounts.example.com.
When a user logged in at accounts.example.com, the session ID will be saved on a cookie which is available on .example.com (In all subdomains)
subdomain.example.com is in another server and it doesn't have access to session data and database of the accounts system. How I check if the user is logged in is that I get the session ID (as it is available in all the subdomains). Then, I send an HTTP request to the accounts server with the session id and a password (A password that secures HTTP requests).
The HTTP request from subdomain.example.com is as follows.
$sessionId = $_COOKIE[$sessionCookieName];
$post = http_build_query(
array (
'http_secret' => AUTH_HTTP_SECRET,
'session_id' => $sessionId
)
);
$opts = array('http' =>
array (
'method' => 'POST',
'user_agent' => $_SERVER['HTTP_USER_AGENT'],
'content' => $post
)
);
$context = stream_context_create($opts);
$url = 'https://account.example.com/check-login';
$response = #file_get_contents($url , false, $context);
So, an HTTP request will be sent to accounts.example.com/check-login.
check-login.php at accounts.example.com is as follows.
$httpSecret = $_POST['http_secret'];
// if it is from an invalid client
if ($httpSecret !== HTTP_SECRET) {
throw new Exception('HTTP Error');
}
$sessionId = $_POST['session_id'];
# set the session ID
session_id($sessionId);
# then, I get the session data and checks if the user is logged in
If the user is logged in I return the account-related data to subdomain.example.com.
Is this approach is good or bad?
Thanks in advance.
There is no security flaw in it. That is one of the reasons you have the function in the first place.
And if you want your code reviewed, try https://codereview.stackexchange.com/
No, it is not secure, you should use HTTPS for this.
I modified it all now I have this file that makes my api work.
auth.php:
<?php
include 'Unirest.php';
function login()
{
$headers = array('Accept' => 'application/json');
$data = array(
"grant_type" => "password",
"client_id" => "myclientid",
"client_secret" => "myclientsecret",
"username" => "username",
"password" => "password"
);
$response = Unirest\Request::post('http://i-scent.fr/api/oauth_token', $headers, $data);
// $response->code;
// $response->headers;
return $response->body->access_token;
}
function device_info($device_id,$token){
$header = array('Accept' => 'application/json',
'Authorization' => 'Bearer '.$token );
$response = Unirest\Request::get('http://i-scent.fr/api/devices/'.$device_id,$header);
echo $response->body->name;
echo "</br>";
}
function diffuse($device_id,$token,$duration,$intensity){
$header = array('Accept' => 'application/json', 'Authorization' => 'Bearer '.$token );
$data = array('time' => 1, 'percent' => 50);
$body = Unirest\Request\Body::form($data);
$response = Unirest\Request::put('http://i-scent.fr/app_dev.php/api/device/'.$device_id.'/actions/diffusion',$header,$body);
echo $response->code;
echo "</br>";
}
When I use all the functions in a simple script it works perfectly on my website. But when I put it like this in my webhook, I have error 500 internal server error. I have all the unirest libraries.
<?php
include "auth.php";
function processMessage($update) {
if($update["result"]["action"] == "sayHello"){
$token = login();
$name = device_info("1966",$token);
diffuse("1966",$token,"0.5","50");
sendMessage(array(
"source" => $update["result"]["source"],
"speech" => "bonjour webhook",
"displayText" => "bonjour webhook",
"contextOut" => array()
));
}
}
function sendMessage($parameters) {
echo json_encode($parameters);
}
$update_response = file_get_contents("php://input");
$update = json_decode($update_response, true);
if (isset($update["result"]["action"])) {
processMessage($update);
}
Error 500 is supposed to mean that the webhokk's script crashed somewhere but I don't know where and why.
Update 2
Based on your most recent code, you're including "auth.php", which works in the original environment (which is being called as part of a web page, it sounds like).
Your code has two functions, device_info() and diffuse(), which output their results instead of returning them. This output isn't JSON, and includes HTML markup. This is being sent as part of the result of your webhook and will cause what is returned to be invalid.
Update
Based on your latest code, there are still many logical, and a few syntactical, problems.
A "500 Internal Server Error" indicates that your program didn't run correctly and crashed for some reason. As posted, it is missing a closing }, which could be the problem if that isn't in your actual code.
Even if you fix that, there are many issues with the code:
It isn't clear what you intend to do with the results of calling your "test1" script. You store them in $data and don't do anything with it.
You're calling the other website (test1) before you look at what the user has asked you to do. Which is fine, but then why do you care what the user is asking you?
Original Answer
There are a few errors here, but the underlying problem is that you're mixing up where things run and the capabilities of the caller to your webhook.
For a Dialogflow webhook, Google/Dialogflow is sending JSON (which you seem to be handling ok), and expecting back JSON. Although it looks like you send this back as part of send_message(), you're also sending something back when you call connexion(). What you're sending back in this case is not JSON, but HTML with JavaScript.
Which leads to the second problem - If this was php that was generating an HTML page that included a script, you'd be in fine shape. But it isn't. You have to send back only JSON.
You can do something like this to call the other API and get back the contents:
$body = file_get_contents("http://google-home.exhalia.fr/test1");
Which will set $body to the body of the page you've called. What you do with that, at that point, is up to you. But you need to make this call before your call to send_message() because you want to represent the contents as part of what you're saying.
(See How to send a GET request from PHP? for a discussion of other methods available to you in case you need to do a POST, use header information, etc.)
I'm getting a TokenResponseException from Laravel when I try to login to my web site with Facebook using oauth-4-laravel.
OAuth \ Common \ Http \ Exception \ TokenResponseException
Failed to request resource.
Using Facebook's JavaScript API works like its supposed to, so I'm pretty sure my application is configured correctly.
Are there any known issues that might cause this problem? Am I doing something wrong, or is this a bug in the library?
With the exception of a redirect line that works around another bug, my code is identical to the example code at the GitHub page. I think the exception is thrown when I try to get the token from the Facebook Service object.
Here's the code:
public function loginWithFacebook() {
// get data from input
$code = Input::get( 'code' );
// get fb service
$fb = OAuth::consumer( 'Facebook' );
// check if code is valid
// if code is provided get user data and sign in
if ( !empty( $code ) ) {
// This was a callback request from google, get the token
$token = $fb->requestAccessToken( $code );
// Send a request with it
$result = json_decode( $fb->request( '/me' ), true );
$message = 'Your unique facebook user id is: ' . $result['id'] . ' and your name is ' . $result['name'];
echo $message. "<br/>";
//Var_dump
//display whole array().
dd($result);
}
// if not ask for permission first
else {
// get fb authorization
$url = $fb->getAuthorizationUri();
// return to facebook login url
// ref: https://github.com/artdarek/oauth-4-laravel/issues/27
//return Response::make()->header( 'Location', (string)$url );
return Redirect::to((string)$url);
}
}
And a screenshot:
I had this exact same problem. It turns out that my issue was that my return_uri was missing a trailing slash, which through off the entire process. Make sure that when you're calling it you've added it.
$fb = OAuth::consumer('Facebook','http://url.to.redirect.to/');
NOT
$fb = OAuth::consumer('Facebook','http://url.to.redirect.to');
first try to load file_get_contents("https://www.facebook.com");
if allow_url_fopen=0 was set in the php.ini it will not work so you need to change it to allow_url_fopen=1
The weirdest thing i have your problem with google not with facebook, so here is my code maby it helps you fix your fb problem
public function loginWithFacebook() {
// get data from input
$code = Input::get( 'code' );
// get fb service
$fb = OAuth::consumer( 'Facebook' );
// check if code is valid
// if code is provided get user data and sign in
if ( !empty( $code ) ) {
// This was a callback request from facebook, get the token
$token = $fb->requestAccessToken( $code );
// Send a request with it
$result = json_decode( $fb->request( '/me' ), true );
$message = 'Your unique facebook user id is: ' . $result['id'] . ' and your name is ' . $result['name'];
echo $message. "<br/>";
//Var_dump
//display whole array().
dd($result);
}
// if not ask for permission first
else {
// get fb authorization
$url = $fb->getAuthorizationUri();
// return to facebook login url
return Redirect::to( (string)$url );
}
}
Since my previous answer was deleted.. Let's try again..
--
After some debugging I think I got it. Commenting out the error_reporting part visible in your code snippet will already tell you a lot. The file_get_contents call got a 401 Unauthorized because the tokens were no longer valid.
After changing code, start your auth process from the beginning and don't refresh your url half-way, that wil cause the error.
The problem should be here $token = $fb->requestAccessToken( $code );
When I tried var_dump it, I get this.
object(OAuth\OAuth2\Token\StdOAuth2Token)[279]
protected 'accessToken' => string 'your-accessToken' (length=180)
protected 'refreshToken' => null
protected 'endOfLife' => int 1404625939
protected 'extraParams' =>
array (size=0)
empty
Try this and check what you've get as accessToken. Anyway, your function loginWithFacebook working fine with me.
I had the same problem. I was trying to access facebook graph. It wasn't that it could not access the URL, it was that Facebook was returning a 400 error because I wasn't passing parameters through. Try connecting to HTTPS on a site that will have a working HTTPS connection. E.g. Try this:
file_get_contents("https://www.namhost.com");
If that works, you must see why the HTTPs connection you are connecting to is failing, because the problem isn't that you can't connect to HTTPs, but rather that what you are connecting to isn't liking the request.
I'm sending multiple requests to same client. zend_Http_Client not able to redirect because our site giving a javascript redirect. And from that javascript I'm getting the redirect url and again calling the client , now I'm getting access denied. This is beacuse I'm not able to store the session from the first client request.
I'm using the following code..
$client = new Zend_Http_Client(
$loginUrl,
array(
'keepalive' => true,
'timeout' => 1000
)
);
$response = $client->request()->getBody();
$redirectUrl = $this->_getResponseRedirectUrl($response);
$client->resetParameters();
$client->setUri($redirectUrl);
$response = $client->request()->getBody();
$resultUrl = $this->_getResponseRedirectUrl($response);
Can anybody tell me how to store the session for the second request.
Before trying the following steps make sure your server authentication is based on session cookies.
Solution Worked for me:
You need to add cookies from the first repose to the second request. In this case server consider your second request as authenticated one.In the response after login to the site your cookie will be having following set of values like cookie-name,cookie-value,Expiration Date, Path, Secure and HTTPOnly. From the cookie string explode cookie-name and cookie-value
Example Session Cookie after login response:
"JSESSIONID=DQl3NKXXmy3yntp3NW2GMlcn8pLn9PR9rl0lnR6vbtfdVpyHWdnq!598502565; path=/"
"CK_LanguageID_252085=1; expires=Friday, 23-Mar-2012 05:31:03 GMT; path=/; secure"
"CK_TimeZone_252085=4; expires=Friday, 23-Mar-2012 05:31:03 GMT; path=/; secure"
Create new cookie string for further server communication in the following pattern:
"JSESSIONID=DQl3NKXXmy3yntp3NW2GMlcn8pLn9PR9rl0lnR6vbtfdVpyHWdnq!598502565; CK_LanguageID_252085=1; CK_TimeZone_252085=4"
Adding a handy method to create cookie string from zend_http_client "Set-cookie" array.
/**
* Get clean cookie string with only name,value pair
* This method filer all the follwoing cookie information
* Expiration Date, Path, Secure and HTTPOnly
* #access public
* #param {Array} $cookies
* #return {String} $cookieString
*/
public function getCookieString(array $cookies){
$cookieString = null;
foreach($cookies as $cookie){
$part = explode(';',$cookie);
$cookieString = ($cookieString == null)? $part[0] : $cookieString . '; ' . $part[0];
}
return $cookieString;
}
Using Zend_Http_Client making consecutive requests:
//Login
$client = new Zend_Http_Client($loginUrl);
$response = $client->request();
//Get Header from response
$headers = $response->getHeaders();
//Create second header
$header = array("Cookie" => $this->getCookieString($headers["Set-cookie"]));
$client->setHeaders($header);
//Second request
$client->setUri($redirectUrl);
$response = $client->request();
Here I am removing "$client->resetParameters();" because you are not setting any GET Params using "$client->setParameterGet()"(Same for POST as well)
If using "$client->setParameterGet()" or "$client->setParameterPost()" use "$client->resetParameters();" before setting second uri.
$client->resetParameters() accepts boolean values:
FALSE : This is the default value which reset POST and GET Params only.
TRUE : Reset all the params including headers,last request and last response.
Actuall, Zend_Http_Client provides a very simple way to do what you've done, no need to reinvent the wheel here.
$client = new Zend_Http_Client(
$loginUrl,
array(
'keepalive' => true,
'timeout' => 1000
)
);
// this is the magic line...
$client->setCookieJar();
$response = $client->request()->getBody();
$redirectUrl = $this->_getResponseRedirectUrl($response);
$client->resetParameters();
$client->setUri($redirectUrl);
$response = $client->request()->getBody();
$resultUrl = $this->_getResponseRedirectUrl($response);
Read more here: http://framework.zend.com/manual/en/zend.http.cookies.html