Usually if I want to return some data from a server, I would make a POST request with some token inside the request body:
$token = filter_input(INPUT_POST, 'token');
$request = filter_input(INPUT_POST, 'request');
But what about securing GET rest api requests? I don't want to place tokens inside the URL. How should I send a security token inside a GET request?
Place the token in the request header (for all request types,not just for GET).This is the recommended way.
Related
In laravel documentation, for ajax based applications, there is CSRF protection via HTML meta tag and cheking header request.
Why this method needed and why not check ajax request as usual request? I mean, if for ajax whe use POST method, then send CSRF token as usual parameter (for example as csrf_token) and then check in server side (PHP) :
if ( !isset($_POST['csrf_token']) OR $_POST['csrf_token'] !== $_SESSION['csrf_token'] ) {
// incorrect csrf token, stop processing
}
Cheking header request have some advantage than this method ?
If you are doing POST request, CSRF doesn't go through the header it goes through the http message body, what Laravel has is some kind of default middleware for csrf protection, where is the issue in that?
If you go into assets/js folder you can see the CSRF token in bootstrap.js.
You can fetch a CSRF token from a global Javascript variable and send it through ajax post request body.
I'm writing some code in my localhost.
index.php:
$task = null;
$method = $_SERVER['REQUEST_METHOD'];
var_dump($method);
//initialize data
HttpProtocol::init();
if (empty($method))
exitApp("unknown method");
if ($method == HttpProtocol::get())
$task = new WebhookVerifyTask();
else if ($method == HttpProtocol::post())
$task = new ProcessFacebookEventTask();
if (is_null($task))
exitApp("unknown method");
$task->start();
http_response_code(200);
it doesn't matter if I send a GET or POST request, the $method will always be GET.
When trying PUT or DELETE - it changes perfectly..
What could cause the $method to always be GET even when POST ?
UPDATE
apparently when i'm sending the request to localhost/path - the above behaviour occur. if i'm sending it to localhost/path/ - the post works perfectly.
apparently when i'm sending the request to localhost/path - the above behaviour occur. if i'm sending it to localhost/path/ - the post works perfectly
Your update also answers your question. if it's /path, but there's no such file, the web server automatically redirects you to /path/ instead. – Janno
when it does this redirection - he does not do it completely with all the request data and methods ?
It cannot. The web server decides to tell the client that it should try another request to a different URL. The web server responds with a 302 Found status code and a Location: http://localhost/path/ header. This causes the client to make another HTTP request to that new location, and that new request will always be a GET request. POST requests cannot be redirected. (Well, theoretically they can be with a 307 Temporary Redirect, but in practice that is not widely supported.)
You need to make your request to the canonical URL directly so as to not cause a redirect.
I'm making a request to retrieve a JSON file to a server at a particular secure DocuSign uri. However, unless I put in the authorization information (which I do have), I am unable to have the file returned.
<?php
$json = file_get_contents("https://example.docusign.com/sensitiveIDs/moreID");
echo $json
?>
Where would I put in authorization information for the specific server/username/password/other info needed to access the particular DocuSign server using a method like this in PHP? Is there a better method to use for this scenario in PHP?
It depends on how the authorization is implemented. If its basic or digest HTTP authentication then specify it in the URL:
file_get_contents("https://$USER:$PASSWORD#example.docusign.com/sensitiveIDs/moreID");
Cookie based authentication is a lot more difficult (and probably easier to use Curl or even a more complex system like Guzzle. If its oauth2, then you probably want an oauth2 library.
Your call needs to include authentication to make the GET call to retrieve the file.
If your app is initiated by a human use Oauth to retrieve access and refresh tokens. Then included the access token with the GET request.
If your app is a "system app" that wants to autonomously retrieve the file, then you should authenticate by using X-DocuSign-Authentication -- include the following header in your HTTPS request. Since the request is HTTPS, the content is encrypted on the wire:
X-DocuSign-Authentication: <DocuSignCredentials><Username>{name}</Username><Password>{password}</Password><IntegratorKey>{integrator_key}</IntegratorKey></DocuSignCredentials>
Replace {name} with your email address (no braces), etc.
The bottom line is that you can't use the file_get_contents Php method. Instead, you'd do something like the following:
Use https://github.com/rmccue/Requests or a similar library to help with the https request. (http is not allowed due to security issues.)
(untested code)
$url = $base_url . $the_url_section_for_this_call
$headers = array('X-DocuSign-Authentication' =>
'<DocuSignCredentials><Username>your_name</Username><Password>your_password</Password><IntegratorKey>your_integrator_key</IntegratorKey></DocuSignCredentials>');
$request = Requests::get($url, $headers);
# Check that the call succeeded (either 200 or 201 depending on the method
$status_code = $request->status_code;
if ($status_code != 200 && $status_code != 201) {
throw new Exception('Problem while calling DocuSign');
}
$json = $request->body;
i try to implement the paypal IPN with slim.
see code here
they use curl to make a post request to an URL. Is it not possible to just change the URL in the slim response object?
other ways to send requests to somewhere with slim?
EDIT
I am talking about this line:
$res = curl_exec($ch);
what is the equivalent slim way to send a request to some url?
You can send PSR7 Requests with the help of HTTPlug.
You have to create some Adapter classes to tell HTTPlug how to create Slims Request and Response objects. In your code you just create your Slim Request and call the Client with this. You can choose between some clients, for example Curl or Socket.
If you want to send your user to PayPal in order for them to pay, then you need to create a form on your website which POSTs to PayPal directly.
The code you linked to is a POST request from PayPal back to your server. To handle that in Slim, you create a post route:
$app->post('/paypal-ipn', PayPalIpnAction::class);
Within your Action class you need to send POST request back to PayPal:
class PayPalIpnAction
{
public function __invoke($request, $response, $args)
{
$dataFromPaypal = $reqest->getParsedBody();
// Validate data from PayPal using HTTPlug, Guzzle or
// you use can the PayPal example code directly.
// If data is valid, process data and do whatever you
// need to with it.
// All done. Return the response.
return $response;
}
}
Note that the verification step back to PayPal isn't directly related to the handling of the notification in Slim as it's part of your code for handling the notification.
I'm creating an API for a site that allows the user to login via the API. I'm using Guzzle, but the question is how do I use the Cookies Plugin with Guzzle? In cURL I can use a cookie file, and pass this along with requests. But the example on the Guzzle docs looks confusing.
use Guzzle\Http\Client;
use Guzzle\Plugin\Cookie\CookiePlugin;
use Guzzle\Plugin\Cookie\CookieJar\ArrayCookieJar;
$cookiePlugin = new CookiePlugin(new ArrayCookieJar());
// Add the cookie plugin to a client
$client = new Client('http://www.test.com/');
$client->addSubscriber($cookiePlugin);
// Send the request with no cookies and parse the returned cookies
$client->get('http://www.yahoo.com/')->send();
// Send the request again, noticing that cookies are being sent
$request = $client->get('http://www.yahoo.com/');
$request->send();
echo $request;
It seems to be making 3 requests. I don't understand why it's making a request to test.com, then twice to yahoo.com. Why are you not able to make 1 request?
It's just an example... You don't have to make three requests. Just attach the cookie plugin to your client and you're good.