This question already has answers here:
How to enable CORS in AngularJs
(10 answers)
XMLHttpRequest cannot load XXX No 'Access-Control-Allow-Origin' header
(11 answers)
Origin evil.example in Request Header
(2 answers)
Closed 4 years ago.
I'm implementing a JWT for secure my API. my front-end is coded with Angular and the back-end with PHP.
I have a problem with the authorization set in the header. I'm sending a request to the server with the JWT that I stored but I don't know really how the back-end read that header
users.get = function(project){
var req = {
method: 'GET',
url: Global.url_api+'action=GET&table='+project+'_users',
headers: {
'Authorization': 'Bearer '+localStorage.getItem('tokenAPI')
}
}
console.log(req);
return $http(req);
My server isn't able to read that header, the Authorization variable is set to "NULL"
I'm trying to read with :
var_dump($_SERVER['HTTP_AUTHORIZATION']);
Here is my request in the browser :
Accept: */*
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Access-Control-Request-Headers: authorization
Access-Control-Request-Method: GET
Host:
Origin: http://evil.com/
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36
It's looking like there is no authorization set in the header, but my token is generated and stored by the client with the following:
if(response.status == 200){ //Status 200 : Everything OK
var jwt_token = response.data.jwt;
localStorage.setItem('tokenAPI',jwt_token); //Set the token sent by server in localStorage
$scope.credentials = true; //Set visible the tab
Related
How can I validate a Shopify store's URL? Given a URL how can I know whether it is a valid URL or 404 page not found? I'm using PHP. I've tried using PHP get_headers().
<?php
$getheadersvalidurlresponse= get_headers('https://test072519.myshopify.com/products/test-product1'); // VALID URL
print_r($getheadersvalidurlresponse);
$getheadersinvalidurlresponse= get_headers('https://test072519.myshopify.com/products/test-product1451'); // INVALID URL
print_r($getheadersinvalidurlresponse);
?>
But for both valid and invalid URLs, I got the same response.
Array
(
[0] => HTTP/1.1 403 Forbidden
[1] => Date: Wed, 08 Jul 2020 13:27:52 GMT
[2] => Content-Type: text/html
[3] => Connection: close
..............
)
I'm expecting 200 OK status code for valid URL and 404 for invalid URL.
Can anyone please help to check whether given shopify URL is valid or not using PHP?
Thanks in advance.
This happens because Shopify differentiates between bot requests and actual genuine requests to avoid denial of service attack up to a certain point. To overcome this problem, you will have to specify the user-agent header to mimic a browser request for an appropriate HTTP response.
As an improvement, you can make a HEAD request instead of a GET request(as get_headers() uses GET request by default, as mentioned in the examples) because here we are only concerned about response metadata and not response body.
Snippet:
<?php
$opts = array(
'http'=>array(
'method'=> "HEAD",
'header'=> "User-agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
)
);
$headers1 = get_headers('https://test072519.myshopify.com/products/test-product1',0,stream_context_create($opts));
$headers2 = get_headers('https://test072519.myshopify.com/products/test-product1451',0,stream_context_create($opts));
echo "<pre>";
print_r($headers1);
print_r($headers2);
I am using the angularavel setup for my app. On my local setup i do not need to explicitly send the XSRF-TOKEN with the angular http request. And it works fine with laravel. I uploaded the same setup on the server and tried to login using my form and laravel throws a token mismatch error. Hence I checked the request payload in dev tools and found there is no XSRF-TOKEN header in the request,like I see on my local. I believe angular generates one by default and send it with every http request,but not sure why is it failing here.
I added the csrf token in angular based on this tutorial here using the meta tag method. my meta is
<meta name="csrf-token" content='<?php echo json_encode(csrf_token()); ?>'> // Also tried without encoding
In my .config I have
$httpProvider.defaults.headers.common['X-XSRF-TOKEN'] = $('meta[name=csrf-token]').attr('content');
If I use X-XSRF-TOKEN I get DecryptException in Encrypter.php line 142:Invalid data.
If I use X-CSRF-TOKEN I get Token Mismatch error. My request shows the token in the header(added below).
Accept:application/json, text/plain, */*
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:68
Content-Type:application/json;charset=UTF-8
Cookie:PHPSESSID=ySsuvCYycB-9IfZZ29kSF1
Host:demo.abc.com
Origin:http://demo.abc.com
Referer:http://demo.abc.com/hexa/public/
User-Agent:Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36 FirePHP/4Chrome
X-FirePHP-Version:0.0.6
X-Wf-Max-Combined-Size:261120
X-XSRF-TOKEN:InhRWmVjcUxZNWVMRWlrWmFXR09vbGdZT1M2Z284c0NqV2x2RWxaN0Mi -->token
Where am I commiting mistake? Also the defult token from angular seems to be integrated and a vry large string.whereas the one genrated by function is a small string.
This is what worked for me, I'll show you the relevant snippets.
In my template I have the following:
<script type="text/javascript">myApp.constant("CSRF_TOKEN", '<?= csrf_token() ?>');</script>
And I have a factory such as:
.factory('Product', function($http, CSRF_TOKEN) {
return {
// store a product
save : function(productData) {
return $http({
method: 'POST',
url: 'http://localhost/angularjs/public/api/products',
headers: {'X-CSRF-TOKEN': CSRF_TOKEN},
data: productData
});
},
}
});
This is all I needed to do to stop receiving csrf token related errors.
that lines in module angular work for me....
in module angularjs
$httpProvider.defaults.headers.post['X-CSRF-TOKEN'] = $('meta[name=_token]').attr('content');
$httpProvider.defaults.headers.post['X-XSRF-TOKEN'] = $('meta[name=_token]').attr('content');
$httpProvider.defaults.withCredentials = true;
i
Hello may ask this why is it that on my code i cannot obtain the headers['Authorization'] when executing my code?
coz meanwhile iv'e developed a REST API that can handle database to clients using php-json-mysql so when i use GET method together i also include my apikey into headers as 'Authorization' but i cannot fetch it in my code.
Here's my approach:
$headers = apache_request_headers();
if (isset($headers['Authorization'])) {
//Good
}else {
//API KEY is missing
}
but in my request header it says that
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Authorization: API_KEY
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
im using Advance REST Client extension on chrome.
anyone encounter this?
The Authorization header has a specific format it should conform to.
Since using it as
Authorization: API_KEY
is not valid, the web server is probably ignoring it altogether. You might want to use a custom header like this:
X-Authorization: API_KEY or
X-Api-Key: API_KEY
It's been a while since I've used PHP but I think if you send the header like this, you can't get them by using apache_request_headers so you will have to obtain it this way:
$_SERVER['HTTP_X_AUTHORIZATION'] or
$_SERVER['HTTP_X_API_KEY']
I am new to php and stackovrflow. So please pardon my initial mistakes.
I am sending post request through extjs4 app. as per Mozilla console Network tab, request is sent. PHP is 5.4.25. Below are the details:
POST /Opp/annt.php HTTP/1.1
Host: localhost
Connection: keep-alive
Content-Length: 83
Origin: http://localhost
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Accept: */*
Referer: http://localhost/opp/index.html?_dc=140
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Form Dataview parsed
aaa=i&bbb=i&ccc=&ddd=&eee=4&fff=5&ggg=&hhh=
PHP file:
header('Content-Type: application/json');
$method = $_SERVER["REQUEST_METHOD"];
$con = new PDO("mysql:host=localhost;dbname=openclass", "root", "") or die("cannot connect to mysql");
$fileContents = file_get_contents("php://input");
echo $fileContents;
json_decode($fileContents, true);
function getPostValue($postData, $fieldName) {
return (!empty($postData[$fieldName]) ? htmlspecialchars($postData[$fieldName]) : NULL);
}
I am not getting any data after post request is executed. Can you pls help in this in pointing out possible issue and solutions
I solved the issue. I was getting error because http post was sending form data in application/x-www-form-urlencoded; charset=UTF-8 formt.
I changed the format sent to json using AJAX requests. This changed the format sent across to json key value pairs.
This helped it read by php.
I'm looking for help in something that I can't figure out....
I'm receiving in a PHP some data sent by a .swf...
var requestHeader:* = new URLRequestHeader("Content-type", "application/octet-stream");
var request:* = new URLRequest(url);
new URLRequest(url).requestHeaders.push(requestHeader);
request.method = URLRequestMethod.POST;
request.data = this.getByteArray(o, a, l, a2, l2);
navigateToURL(request, "_blank");`
I can't modify that code... that's a swf... but it works...
now... the php i'm using receives this as its header
Host: localhost
Connection: keep-alive
Referer: http://localhost/archivo.swf
Content-Length: 135782
Cache-Control: max-age=0
Origin: null
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/534.16 (KHTML, like Gecko) Chrome/10.0.648.133 Safari/534.16
Content-Type: application/octet-stream
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: es-ES,es;q=0.8,en-US;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
looking at the content-length. I can see that some data was received.
but debugging or printing the PHP. the POST has 0 items. the GET has the session id.
and the REQUEST also has the session id
appending to the header
header("Content-disposition: attachment; filename=archivo.png");
only downloads the content of the printed php (in this case the headers, a 1.something kB file)
is there anyway to retrieve the content that has a size of 135782?
Thanks!
One issue I see is that you should be using a URLLoader to POST data from the SWF, rather than the navigateToURL function.
var urlLoader:URLLoader = new URLLoader();
urlLoader.load(request);
For the Adobe docs:
Note: When using the navigateToURL()
function, the runtime treats a
URLRequest object that uses the POST
method (one that has its method
property set to URLRequestMethod.POST)
as using the GET method.