I have a weird problem with Passport authentication deploying my application to a new site, in spite of the fact that I haven't had a problem with this before.
I'm using Passport's password grant feature to log in to the application (Laravel 5.4). This happens by the user posting his username/password as JSON to the site, and from there it posts those credentials to OAuth/token to get the API key for the site. This has worked fine in the past, and my OAuth keys are committed to the repository.
The other day I managed to deploy the site to a new server (with the same OAuth keys), regenerated (I think) the app key, loaded my data that has the encrypted passwords, and authentication worked fine. Today, however, I did the same thing on a different branch and now logging in returns 401 Unauthorized.
I've done nearly every permutation I could think of: delete the OAuth keys, regenerate app key, reinstall passport, and yet the app refuses to log in. I don't believe it has anything to do with the source code because no changes I made on this branch would affect the login system.
I even tried copying the working site's app key and OAuth keys to the broken site still don't work.
What makes this even more puzzling to me is that I have another site with a different app key, different OAuth keys, but the same data, and the login system works fine.
I don't understand the league/oauth2 package enough to understand why this isn't working. What am I missing?
Thanks, Matt
Well, bad code doesn't pay.
What I didn't mention was that the site I'm trying to deploy is an attempt to move a domain over to a new server. Both the broken site and it's active sister site have the same domain name. This is the code that posts to my own domains /oauth/token endpoint:
$username = Input::json('username');
$password = Input::json('password');
$page = Input::get('page');
$client = Client::find(2);
$http = new GuzzleHttp\Client();
try {
$response = $http->post(url('oauth/token'), [ # <-- see the problem?
'form_params' => [
'grant_type' => 'password',
'client_id' => '2',
'client_secret' => $client->secret,
'username' => $username,
'password' => $password,
'scope' => '',
],
]);
#...
The problem is rather hilarious. Since the DNS hasn't switched for the site yet, the requests to my own site are going to the old site, not this one. Hence I'm getting back Unauthenticated. Because I'm not.
The solution was to edit the /etc/hosts file on the server to point the domain to itself. That way, any calls to its own api will actually go its own api. Problem solved.
Related
------Answer below--------
I know many post already talk about this but I've tried everything and I think nothing worked.
I use Google API for connection to a website and after to manage Google drive with API and Google library in PHP.
Pretty simple, I've got an issue with curl error 60, so I've checked curl.se website to get the last cacert.pem.
for those who would have my code, in my connection module, if i delete the verify line :
$client = new Client([
'timeout' => 2.0,
'verify' => __DIR__ . '/cacert.pem'
]);
i got this :
cURL error 60: SSL certificate problem: unable to get local issuer certificate
If i keep the verify, it work.
And my drive manager module :
$client = new Google_Client([
'timeout' => 2.0,
'verify' => __DIR__ . '/cacert.pem'
]);
$client->useApplicationDefaultCredentials();
$client->addScope(Google_Service_Drive::DRIVE);
$driveManager = new Google_Service_Drive($client);
$client->setSubject('api#test.fr');
// Print the names and IDs for up to 10 files.
$optParams = array(
'fields' => 'nextPageToken, files( name)',
'q' => 'folder',
);
$results = $driveManager->files->listFiles($optParams);"
Of course there is require vendor/autoload and putenv blablabla to open my credentials json file before and the printf foreach $results under..
The thing is, with the same cacert.pem verification, since the last update of cacert.pem on curl.se website (aka the 19/01/2021), this module doesn't work at all with the same error!
I'm a new user with Google API and I don't understand everything.
i've finally hosted my app today, to get it online, and it seems to work.
As my host use ssl by let's encrypt, my app dont use the cacert.pem as scpecified just above in the post, but it use the main certificate of my website, which is my host certificate.
When i've tested it, the error seems appear when the app request to : https://oauth2.googleapis.com/token, and it appear just when i've updated to the last cacert.pem file, so i guess there is an error somewhere that is not made by my hand...
I'm using windows, xampp and fairly new on integrating docusign. I watched this tutorial from docusign using PHP, however since the tutorial is using mac, I'm getting confused on how I will setup this tutorial on my xampp and windows and the result is I'm getting the error:
The redirect URI is not registered properly with DocuSign
Here is how I did my setup
1.) Clone the repository and place it on my xamp/htdocs/eg-something-something
2.) Rename the ugly repository name to xamp/htdocs/docusign/
3.) Run composer install to get the dependencies
4.) I configured my ds_config.php and here is my code... I removed credentials for security purposes
<?php
// ds_config.py
//
// DocuSign configuration settings
$DS_CONFIG = [
'ds_client_id' => 'xxxx', # The app's DocuSign integration key
'ds_client_secret' => 'xxx', # The app's DocuSign integration key's secret
'signer_email' => 'xxx#gmail.com',
'signer_name' => 'Michael',
'app_url' => 'http://localhost/docusign/public', // The url of the application.
// Ie, the user enters app_url in their browser to bring up the app's home page
// Eg http://localhost/eg-03-php-auth-code-grant/public if the app is installed in a
// development directory that is accessible via web server.
// NOTE => You must add a Redirect URI of app_url/index.php?page=ds_callback to your Integration Key.
'authorization_server' => 'https://account-d.docusign.com',
'session_secret' => '{SESSION_SECRET}', // Secret for encrypting session cookie content
'allow_silent_authentication' => true, // a user can be silently authenticated if they have an
// active login session on another tab of the same browser
'target_account_id' => false, // Set if you want a specific DocuSign AccountId, If false, the user's default account will be used.
'demo_doc_path' => 'demo_documents',
'doc_docx' => 'World_Wide_Corp_Battle_Plan_Trafalgar.docx',
'doc_pdf' => 'World_Wide_Corp_lorem.pdf',
// Payment gateway information is optional
'gateway_account_id' => '{DS_PAYMENT_GATEWAY_ID}',
'gateway_name' => "stripe",
'gateway_display_name' => "Stripe",
'github_example_url' => 'https://github.com/docusign/eg-03-php-auth-code-grant/tree/master/src/',
'documentation' => false
];
$GLOBALS['DS_CONFIG'] = $DS_CONFIG;
5.) I log into my admin sandbox and use this as my redirect URI
http://localhost/docusign/public/index.php?page=ds_callback
The web app is running but I am having an error of "The redirect URI is not registered properly with DocuSign" when I click the login or just by authenticating.
Thanks for helping me on this issue.
Update part:
I tried adding http:// on the configuration of the integration key on sandbox, however, I'm getting a fatal error:
Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL
error 77: error setting certificate verify locations: CAfile:
C:\xampp\apache\bin\curl-ca-bundle.crt CApath: none (see
http://curl.haxx.se/libcurl/c/libcurl-errors.html) in
C:\xampp\htdocs\docusign\vendor\guzzlehttp\guzzle\src\Handler\CurlFactory.php
on line 186
Once I tried to authenticate. Check this screenshot for the errors.
try http://localhost/docusign/public/index.php?page=ds_callback as the redirect URL.
You need the complete URL including the http:// part.
I am developing an web application using PHP. I am storing the user credentials on the AWS Cognito service. I am logging in the user to the Cognito using PHP SDK.
I developed the feature successfully. I tested it locally on my machine, it was working. Then I deployed it onto the staging server, it was working on the staging server as well. But when I deployed it on to the live server, it gave me this error:
(1/1) CredentialsException
Error retrieving credentials from the instance profile metadata server. (cURL error 7: Failed to connect to 169.254.169.254 port 80: Connection refused (see http://curl.haxx.se/libcurl/c/libcurl-errors.html))
This is my code
try{
$client = new CognitoIdentityProviderClient([
'version' => 'latest',
'region' => 'eu-west-2'// env('AWS_REGION', '')
]);
$result = $client->adminInitiateAuth([
'AuthFlow' => 'ADMIN_NO_SRP_AUTH',
'ClientId' => COGNITO_APP_CLIENT_ID,
'UserPoolId' => COGNITO_USER_POOL_ID,
'AuthParameters' => [
'USERNAME' => $request->email,
'PASSWORD' => $request->password,
],
]);
$auth_result = $result->get('AuthenticationResult');
$cognito_access_token = $auth_result['AccessToken'];
if(!empty($cognito_access_token))
{
//register the user
$reg_user = $this->accRepo->register($request);
if($reg_user)
{
Auth::login($reg_user);
$token = $reg_user->createToken($this->tokenTag)->accessToken;
unset($reg_user->password);
return response()->json([ 'success' => true, 'access_token' => $token, 'account' => $reg_user ], SUCCESS_RESPONSE_CODE);
}
}
}
catch(Exception $e)
{
}
I am using the exact code and setting and credentials as the local machine and the staging server for the live server. But it does not work on the live server. Working on the other environments. What might be the error? I am deploying it on Heroku.
I am not familiar with Cognito, but the error you're seeing is that your code is attempting to access the Instance Metadata available in EC2. The AWS PHP SDK has a specific order in which it attempts to locate credentials. Here is an outline of different credential methods using the PHP SDK.
So, I suspect it works on your local machine because you have an IAM profile configured using the AWS CLI aws configure command.
It most likely works on your staging server because that server has an IAM Role attached to the EC2 instance. The PHP doesn't find a locally configured IAM profile, so it then skips to attempting to access the EC2 metadata, which it does successfully, so it gets authenticated.
Now, when you deploy to Heroku, it is no longer on an EC2 instance, or in your local environment. So, your CredentialProvider fails. My suggestion would be to utilize Config Vars in Heroku, then change your code to use CredentialProvider::env() as outlined here. You would need to create an IAM user with the same role as your EC2 instance that works (or enough permissions to do what you need to do). This would allow your application to securely access Cognito from an environment external to AWS.
I’ve a simple PHP component that fetches videos from a public playlist on YouTube. I’m using Google’s official PHP SDK and authenticated with a server key (as I only need to access public data, not data in a user context).
Throughout development and into staging, this component has worked fine. However, I’ve moved the application to the client’s production server (a GoDaddy hosting account) and the component’s suddenly stopped working, instead throwing the following error:
Google_Service_Exception in REST.php line 83:
Error calling GET https://www.googleapis.com/youtube/v3/playlistItems?part=snippet&maxResults=50&playlistId=PLAYLIST_ID&userIp=SERVER_IP&key=DEVELOPER_KEY: (403) There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.
I don’t understand. The server’s IP address is white-listed in the Google API Console. I know it’s the correct IP address, as I’ve sent a HTTP POST request from the server to another PHP script and captured the REMOTE_ADDR server variable.
I’ve also tried specifying the IP address in the request itself. The full code:
$client = new Google_Client;
$client->setApplicationName($appName);
$client->setDeveloperKey($developerKey);
$service = new Google_Service_YouTube($client);
$service->playlistItems->listPlaylistItems('snippet', array(
'maxResults' => 50,
'playlistId' => $collectionId,
'userIp' => $serverIp,
));
So what’s going? Why is Google deciding it’s not playing ball with the production server?
I have a question about building a authentication system with SSL certificates. My Idea is to store the data in the database(I know how to do that) and when the user gives the certificate the system to check the cert values and to know where to put the user. But there are some things that are not quite clear(I might sound nooby, but don't judge me)
How to make the certificate with PHP?
How to make the system to request a specific details from the client?(As is on StartSSL)
Do I have to sign the private certificate or something?
P.S: I am using HostGator Business Plan if this makes any difference. I have requested them to issue a private ssl certificate.
I have never used StartSSL however many individuals and companies alike use SSL APIs and auth now, like the new(ish) Facebook sdk.
Note that self signed certificates are not supported as a valid security mechanism by many browsers and other software.
You cannot make SSL certificates in PHP, instead you must make then using a tool like OpenSSL. Here is a brief tutorial I found on Google: http://www.akadia.com/services/ssh_test_certificate.html .
SSL is mainly designed to make the transference of data across the line a little more secure and when reading in connections through PHP you would validate the certificate to see if it matches the one it is supposed to (http://stackoverflow.com/questions/3081042/how-to-get-ssl-certificate-info-with-curl-in-php) much like how a browser downloads a sites SSL cert and then uses that to create a secure connection. I wouldn't imagine you would have a certificate per user.
After this all your data goes over HTTPS rather than HTTP allowing for SSL auth.
Depending on the SSL auth system, if it is an API then your cURL request would be sent over HTTPS rather than HTTP.
If you are making this for a login page on a website then it is a lot simpler than I have said above (well in theory, there are still a lot of thing you can mess up). If you are doing this then you would simply add the SSL cert to your server and then add it to your server config (another quick tutorial for Apache from Google: http://www.digicert.com/ssl-certificate-installation-apache.htm ) and then literally proceed as you normally would redirecting the user to a https of the login page and the login processing page (making sure you have a vhost for 443 if your in Apache).
Edit: Openssl does have a PHP API as I just remembered so I was wrong there.
This is how I see SSL auth going down.
1) Method for create new SSL certificate with PHP^
$dn = array(
"countryName" => 'Country',
"organizationName" => 'Org',
"commonName" => 'Common name',
"emailAddress" => 'email#email.com',
);
$configArgs = array(
'digest_alg' => 'SHA1',
);
$clientKey = openssl_pkey_new();
$csr = openssl_csr_new($dn, $clientKey, $configArgs);
$password = trim(base64_encode(openssl_random_pseudo_bytes(8)), '/=');
$cert = openssl_csr_sign(
$csr,
'file:///etc/ssl/ca/ca.pem',
'file:///etc/ssl/ca/ca.pem',
1095,
$configArgs,
$serial
);
openssl_pkcs12_export($cert, $clientCertPkcs12, $clientKey, $password);
openssl_x509_free($cert);
$sslData = array(
'serial' => $serial, // random serial
'sslkey' => $password,
'created_at' => time(),
'sslpfx' => $clientCertPkcs12
);
openssl_pkey_free($clientKey);