I am developing an app for iPhone that makes use of a Wordpress site as a backend. I am also making changes to the site and have created basic endpoints for servicing the app using the Wordpress wp-json restful api. I have installed the JSON API, JSON API Auth, and JSON API User plugins and support user authentication. I manage to login a user and get a session token while doing so, a cookie. How do I make the subsequent calls authenticated, i.e. how do I add the cookie as a required parameter to an existing endpoint?
For instance, I have this code that retrieves the latest menu for the week:
function get_latest_menu ( $params ){
$post = get_posts( array(
'category' => 69,
'posts_per_page' => 1,
'offset' => 0
) );
if( empty( $post ) ){
return null;
}
return $post[0]->post_content;
}
// Register the rest route here.
add_action( 'rest_api_init', function () {
register_rest_route( 'weeks-menu/v1', 'latest-menu',array(
'methods' => 'GET',
'callback' => 'get_latest_menu'
) );
} );
Where and how should I add the cookie parameter in the call so that it would become authenticated? Please provide specific code if possible.
This might seem quite basic but I have no real php/Wordpress knowledge
nor the time to acquire it. Thank you.
Not sure how much help this will be after the fact but recently for school I ran into a similar issue while developing a mobile application using Ionic. The things I had to do were:
Enable Authentication headers in the HTAccess file for wordpress (it usually fails if you do not do this, the docs for the JWT explain exactly what to add and it worked for me).
I used post man to test it but the first thing you do is get the token for the username / password.
Every subsequent call you add an authorization flag in the header in the form Authorization: Bearer <token> where is your token you had for the user. I had a package with Ionic that can force the token from my storage which worked every time I made a call.
Additionally, you can add a new check to verify if the token is valid but there are a few plugins that force any rest end point to be authenticated which ends up sending an unauthorized flag which you can check in your code.
My recommendation if your still unclear download and use postman and use it to verify if everything is set up correctly. Once you get that sorted everything else starts making more sense.
Related
I am currently redoing a legacy web application that uses the PHP Parse SDK, and I am in the login authentication part. In the old application, we used $ _SESSION and ParseToken when doing ParseUser::signIn() and ParseUser::currentUser() to check if you have a session with a valid token, however the new application is being made using the REST architecture, where one of the REST concepts is that the server must not keep state, that is, be stateless, and in that case it would be the client that would have to send the necessary data.
When searching the internet and forums, I saw that it is common for developers to authenticate with JWT, where the client would make a request for a server's route and the server would return a token, and through that token authentication would take place.
I even implemented something using Firebase / jwt-php, where the client [Postman] makes a request for the route /login sending via body [username, password] and in case of success, returns the token to be used in secure route requests.
NOTE: Code is as simple as possible, without validation and cleaning just to show the example.
Action /login
$username = $request->getParsedBody()['username'];
$password = $request->getParsedBody()['password'];
$userAuthenticated = ParseUser::logIn($username, $password);
$payload = [
'data' => $userAuthenticated,
'exp' => time() + 3600
];
$token = JWT::encode($payload, $_ENV['JWT_SECRET_KEY']);
echo json_encode(['token' => $token]);
And the protected routes have a middleware that checks if the time has expired, and if this has happened, an exception with a 401 code is launched.
So far so good, authentication works, the problem I don't know if it's right to do it this way, since I need to give a ParseUser::logIn(), just to generate a session in the database and I don't even use it this session to do some authentication, with the exception of operations in the bank, because from what I saw in the documentation, if there is no valid session in the database, the application will return invalid session token error and also when making the request for another route ParseUser::currentUser() returns null, and this may be a problem in the future.
Does anyone have any idea how I can implement authentication for a REST application made in PHP? I appreciate the help !!
I believe the easiest way would be just replacing the default session storage (which uses $_SESSION) to something else that stores the session in, for example, Redis. Reference: https://docs.parseplatform.org/php/guide/#session-storage-interface
But the way you are doing should also work. You will only have to make sure that, every time that a request comes, you will decode the JWT, get the Parse Session token from there, and use ParseUser::become to set the current user: https://docs.parseplatform.org/php/guide/#setting-the-current-user
I want to access the current logged in Wordpress user in a separate Laravel installation.
Wordpress is running as website.com and I've got a subdomain with tool.website.com with the Laravel application (on another server but same domain).
I'm using the Native Wordpress API and created an authentication route.
The issue:
When I access the /authenticate route directly, the user ID is returned and works correctly. But when I access the route through tool.website.com false is returned..
Things I've got working:
I've created an API request which returns the user id in an API call:
add_action( 'rest_api_init', function () {
register_rest_route( '/authenticate', array(
'methods' => 'GET',
'callback' => 'authenticate',
) );
} );
The function looks like this:
$user_id = wp_validate_auth_cookie( $_COOKIE[LOGGED_IN_COOKIE], 'logged_in' );
The WP cookie is available on both the sub / main domain. I can see they are identical and toplevel.
define('COOKIE_DOMAIN', '.website.dev');
Things I've tried:
Using wp_get_current_user() to retrieve the user, this seems to need a nonce. I experimented hours and hours with the nonce approach on many different ways, but I could not get this to work (false or 0 was returned). I understand this is due to restrictions of using a nonce from outside of Wordpress.
Using the default native API approach to get the user, also needs the nonce.
Reading the https://developer.wordpress.org/rest-api/ manual, git repository & several articles / comments online.
Thinking about the OAuth approach, but I do not want users to login again as they are already logged in when they reach the tool.
Sending stuff like posts etc works without problems, so the API connection is not the problem.
I'm wondering if my approach is in the right direction. Hopefully someone can give me some guidance.
I found the following workaround:
- tool.website.com
Send the Cookies from tool.website.com to the API as post data.
$cookie_array = $_COOKIE;
// use key 'http' even if you send the request to https://...
$options = array(
'http' => array(
'header' => "Content-type: application/x-www-form-urlencoded\r\n",
'method' => 'POST',
'content' => http_build_query($cookie_array)
)
);
$context = stream_context_create($options);
$data = file_get_contents(self::BASE_URL . "authenticate", false, $context);
- website.com
Retrieve the cookie from Post data, and use the standard LOGGED_IN_COOKIE constant in Wordpress to select the correct one (this can be refactored to sending the correct cookie at once).
// We retrieve the cookie (which is sadly not available through the API call alone)
$the_cookie = $request->get_body_params();
// As the cookie lives at domain level, we can use the same Cookie key in the WP API and other subdomains of this domain
// The cookie key remains the same
$user_id = wp_validate_auth_cookie( $the_cookie[LOGGED_IN_COOKIE], 'logged_in' );
This solution seems steady; hopefully it will help someone. If there are other solutions, please add them in this topic; as I'm sure there must be different ways achieving this.
I'm new to bigcommerce and jwt tokens. I'm trying to get the customer login api to work on a trail store. But have not been able to successfully login a customer automatically.
I got it to work once or twice, but now it doesn't work anymore, and an unable to figure out the odd behavior since nothing changed with the code. I've tried googling if anyone else has had issues with the customer login api but have found nothing.
I've gone thru the tutorial on https://developer.bigcommerce.com/api/v2/#customer-login-api and copied the example provided.
Is there something I'm missing with the code below?
I've gone to developer.bigcommerce.com and created a draft app.
I got the Client ID and Client Secret from the draft app.
I've gone into my trial store and successfully installed the draft app.
I've tested this page on SSL as well.
Could it be because it's a trail store and it will only work if it's a real store?
Thanks.
Here is the php code below:
include "vendor/autoload.php";
use Bigcommerce\Api\Client as Bigcommerce;
use Firebase\JWT\JWT;
function getCustomerLoginToken($id, $redirectUrl = '', $requestIp = '') {
/*
if (empty(self::$client_secret)) {
throw new Exception('Cannot sign customer login tokens without a client secret');
}
*/
$payload = array(
'iss' => '#MyApp1's Client ID#',
'iat' => time(),
'jti' => bin2hex(random_bytes(32)),
'operation' => 'customer_login',
'store_hash' => '#Store Hash#',
'customer_id' => $id
);
if (!empty($redirectUrl)) {
$payload['redirect_to'] = $redirectUrl;
}
if (!empty($requestIp)) {
$payload['request_ip'] = $requestIp;
}
return JWT::encode($payload, "#MyApp1's Client Secret#", "HS256");
}
$jwt = getCustomerLoginToken(1);
header("Location: " . 'https://store-#Store Hash#.mybigcommerce.com/login/token/' . $jwt);
exit();
There are a couple of constraints that can cause errors:
The app must be installed on the store (seems like you're all good here - you can also test with an API token created locally in the store - https://support.bigcommerce.com/articles/Public/Store-API-Accounts/)
The app must have the Login OAuth scope
The JWT URL must be visited within about 30 seconds, or it won't work.
The computer/server that's generating the JWT needs to have a clock that's synchronized, otherwise your IAT value will appear to have been created more than 30 seconds ago or even in the future which will fail.
The URL can only be visited exactly once - if anything runs a GET request against it other than the intended end user's browser, it won't work. For example, if you send the URL in a Slack message, slack will try to preview the link by visiting it and therefore invalidate it.
It's good to double-check that your JWT is valid at https://jwt.io/
BigCommerce support has access to logs which can shed more light on the situation if you've ruled out the above.
Hope this helps!
do not need app client_id and Secret code , you need to api's client_id and secret code
I currently building a small chat using Firebase and PHP. This, I thought, would be a good learning project for Firebase, and so far I am very happy with it!
However, I have hit a wall. I am not sure how I can implement an authentication system to Firebase via PHP. It's quite specific what I need the authentication system to do:
To be able to use the chat, the user must login using my custom php login system. Then once they are logged in, they will also authenticate to be able to read/write in the chat.
I couldn't really understand how this (if even) is possible with PHP, using CURL.
In my __construct function in have the following:
require('/libs/FirebaseLib.php');
$this->firebase = new fireBase('https://<url>.firebaseio.com');
require('/libs/JWT.php');
require('/libs/FirebaseToken.php');
$tokenGen = new Services_FirebaseTokenGenerator('<firebase-secret>');
$this->authtoken = $tokenGen->createToken(
array(
'id' => $this->userid
)
);
How would I authenticate with Firebase to let the user be able to read/write in my chat and not allow non authenticated user to read/write?
Note: I have not done anything to the Firebase security rules - this is part of my question.
I've looked at the documentation, I might just be very thick, but I couldn't really find what I was looking for.
Hope anyone to point me in the right direction.
Thanks!
EDIT: I have intentionally not been using javascript for my chat, apart from ajax calls to my php script which then relays it to Firebase after I have done what I want to do with the user's messages.
EDIT 2: Added links to the used libraries: "Firebase Token Generator" and "Firebase PHP Client"
EDIT 3: My current code looks like this: (reference)
__construct:
$this->authtoken = JWT::encode(
array(
'admin' => true,
'debug' => true,
'v' => 0,
'iat' => time(),
'd' => array('user' => 'admin')
),
'<secret>',
'HS256'
);
New Message Function:
$response = $this->firebase->set('/chat.json?auth=' . $this->authtoken, array(
'message' => array(
'username' => 'Test',
'time' => time(),
'string' => 'Hello World!'
)
));
However it returns: { "error" : "invalid_token: Could not parse auth token." }. I basically want to get permission as the administrator. I have tried just using the Firebase secret as the auth, but its returns the same error.
Rules:
{
"rules": {
".read": "auth.username == 'admin'",
".write": "auth.username == 'admin'"
}
}
The general workflow would be:
After user has authenticated with your custom login system, generate a Firebase auth token in your server-side PHP code. (it looks like you got this far with the code snippet you pasted).
Pass that token back to the client.
Have the client call firebase.auth(<token>); to authenticate to Firebase using your server-generated token.
Use security rules to restrict what the client can read/write, depending on the contents of their auth token.
For a simple scenario where you just want to allow all Firebase access if they're authenticated, you could just have security rules like:
{
"rules": {
".read": "auth != null",
".write": "auth != null"
}
}
This would give authenticated users read/write access to your whole Firebase. You probably want to lock it down more than that though (i.e. only give them read/write access to certain parts of the Firebase). Check out our Security Quickstart for a walkthrough on how auth and security rules work.
If this doesn't help, perhaps you can elaborate on which part you're getting stumped at.
LinkedIn doesn't seem to like the idea of redirecting back to my test site.
This code directs me to the LinkedIn confirm page without any problems:
(This is pretty much a boilerplate example using Zend's OAuth)
$options = array(
'version' => '1.0',
'callbackUrl' => 'http://dev.local/',
'requestTokenUrl' => 'https://api.linkedin.com/uas/oauth/requestToken',
'userAuthorizationUrl' => 'https://api.linkedin.com/uas/oauth/authorize',
'accessTokenUrl' => 'https://api.linkedin.com/uas/oauth/accessToken',
'consumerKey' => [api],
'consumerSecret' => [secret]
);
$consumer = new Zend_Oauth_Consumer( $options );
// Start Requesting a LinkedIn Request Token
$token = $consumer->getRequestToken ();
// Store the LinkedIn Request Token
$_SESSION ['REQUEST_TOKEN'] = serialize ( $token );
// Redirect the Web User to LinkedIn Authentication Page
$consumer->redirect ();
However if my callback is http://dev.local/ it does not redirect, but if I specify a valid domain (like http://www.google.com) it redirects with no problem.
This behaviour happened recently (it was working fine until about a month ago). This is obviously a serious pain since I need to deploy code to be able to test anything.
Is this a problem people have experienced and has anyone found a way to get around?
it seems this is because LinkedIn changed their API, specifically how the api interacts with Oauth:
On the technical side, we've borrowed the OAuth 2.0 concept of the
"scope" parameter and incorporated it into our OAuth 1.0a and JS
Authentication flows.
Seems other apps, plugins and libraries are experiencing some difficulty with this as well.