I'm new to using API's and am currently trying to use the Trade Me API on a new application I am developing.
Their authorisation guidelines say they use OAuth to authenticate the API calls and that these can either be specified in the query string or the authorization header.
Being fairly new to API calls, I tried using the guzzlehttp/oauth-subscriber but failed miserably when trying to make the call.
So currently I am just trying to append the details to the query string.
The call I am trying to make requires:
oauth_consumer_key
oauth_signature
oauth_signature_method
Where oauth_consumer_key is the consumer key and oauth_signature is the consumer secret.
When I try to visit this URL to test the URL is correct - https://api.tmsandbox.co.nz/v1/Listings/123.json?oauth_consumer_key=XXX&oauth_signature=XXX&oauth_signature_method=PLAINTEXT
I get an error that:
"ErrorDescription":"Invalid PLAINTEXT signature."
I've obviously replaced my keys in the above URL but I can't see what is wrong with the above, it seems to match their documentation.
Can someone either point out what I am doing wrong?
Assuming you're using Guzzle and Laravel, as the comments stated, this would be a very simple example of how to achieve this (just put it in routes.php):
Route::get( '/', function ()
{
$client = new GuzzleHttp\Client( ["base_uri" => "https://api.tmsandbox.co.nz/v1/"] );
$response = $client->request( "GET", "Listings/123.json", ["headers" => ["Authorization" => 'OAuth oauth_consumer_key="YOUR-CONSUMER-KEY", oauth_signature_method="PLAINTEXT", oauth_signature="YOUR-CONSUMER-SECRET&"']] );
return Response::json($response->getBody()->getContents());
} );
Related
I had to install shopify-cli for develop shopify app with laravel. installation and test app are created successfully but when am i calling the API of shopify in Laravel app i got this error.
I am check header but no authorisation token pass. So my question how to get authenticate token get in Laravel starter app and call API of Shopify and i was follow PHP guide REST Admin API reference but without session i can not access shopify REST Admin API reference.
my code show like this...
Route::get('/rest-example', function (Request $request) {
/** #var AuthSession */
// $session = $request->get('shopifySession'); // Provided by the shopify.auth middleware, guaranteed to be active
$session = OAuth::callback(
$request->cookie(),
$request->query(),
['App\Lib\CookieHandler', 'saveShopifyCookie'],
);
$client = new Rest($session->getShop(), $session->getAccessToken());
$result = $client->get('products', [], ['limit' => 5]);
return response($result->getDecodedBody());
})->middleware('shopify.auth:online')->name('rest-api');
I think you want to create Custom App (not embedded) for your store.
You can read here about difference. I spent the whole day searching for solutions until get the idea.
All you need to do is to create a Custom App in your store, then get Admin API access token with you can use for REST API calls.
Here is my small example how I get it.
use Shopify\Clients\Rest;
Route::get('/test', function(Request $request) {
$client = new Rest(
env('SHOPIFY_APP_HOST_NAME'),
env('SHOPIFY_APP_ADMIN_ACCESS_TOKEN') // shpat_***
);
dd($client->get('products')->getDecodedBody());
});
I'm using composer to install the slim-skeleton. Those built in routes work as expected. I understand how to add in my previous routes and database connections, but I've been struggling on how to add in any JWT library. I've searched and searched but I'm not finding much documentation for Slim-4 and what I've tried always seems to fail one way or another.
So for example I use composer to install tuupola/slim-jwt-auth and it says to add the following code:
$app = new Slim\App;
$app->add(new Tuupola\Middleware\JwtAuthentication([
"secret" => "supersecretkeyyoushouldnotcommittogithub"
]));
but where or how exactly do I add it to the middleware? Does it need to be added to app/middleware.php? All the documentation I read has a completely different file structure with other directories and whatnot. Once this is placed in the correct spot it looks like when a request is made without a token I should get a 401 Unauthorized response.
After that part is working I know I need to create a route to get my access token, but I'm not seeing anything about that in this library so I would assume I need another library to encode my token and return it from my request.
Once I actually get a token response and pass it in the headers for my actual request route I would assume I do something like the following
$app->get("/protected-route-name", function ($request, $response, $arguments) {
$token = $request->getAttribute("token");
// Not sure what to put next to verify the token and allow the response or display a error if there is no token or the token in invalid.
});
I'm open to firebase or any JWT library if someone has one they like and that works well, I just need some direction as I feel all the documentation is lacking.
use \Firebase\JWT\JWT;
get token
$headers = apache_request_headers();
if(isset($headers['Authorization'])){
$decoded = JWT::decode($headers['Authorization'], $publicKey, array("RS256"));
.... verify token.
}
$jwt = JWT::encode($payload, $privateKey, "RS256");
boom done.
you don't even really need to use middle ware to do this.
slim made itself way overly complex with that.
But the truth is between slim3 and slim 4, on a very basic setup, the only thing that has changed is the getBody() on the json writing.
honestly, not really sure how useful this is anymore to be honest. everything is cloudbased now. Only reason I found this is trying to figure out how to use Google Identity Platform with Slim.
So I am building a simple project, where I am trying to hit the Battle.net API and recieve a token.
I've already created a client on their platform and got a secret and password.
When I am trying to make a request with the build in Http facade included in Laravel 7, i get unauthorized, no matter what.
I am using their documentation to hit the client grant enpoint: https://develop.battle.net/documentation/guides/using-oauth
I've tried hitting it with the same headers and content in Insomnia, and inside that software it works.
The code I am using is the following:
public function index()
{
$key = env('BATTLE.NET_KEY');
$secret = env('BATTLE.NET_SECRET');
$response = Http::withHeaders([
'Authorization' => "Basic {$key}{$secret}",
'Content-Type' => 'multipart/form-data',
])->post('http://eu.battle.net/oauth/token', ['grant_type' => 'client_credentials']);
return dd($response);
}
What am I doing wrong? I must be missing something important. It's supposed to be simple.
I've tried to wrap it in an associative array beginning with [form_params =>] but that didn't work neither.
Also tried other content types to see if that worked but to no avail.
It seems like you have mixed up the key and the secret.
$key = env('BATTLE.NET_SECRET'); // should be key
$secret = env('BATTLE.NET_KEY'); // should be secret
I think the construction of the Authorization header is off, guzzle has a option for it, try with that.
Http::withOptions([
'auth' => [
$key,
$secret,
]
])->withHeaders([
'Content-Type' => 'multipart/form-data',
])->post('http://eu.battle.net/oauth/token', ['grant_type' => 'client_credentials']);
I'm using Hybridauth 3 in my PHP app to make some periodical tweets on behalf of my account.
The app has all possible permissions. I'm giving it all permissions when it asks for them on the first auth step.
After that Twitter redirects me to the specified callback URL and there I'm getting a pair of access_token and access_token_secret.
But when I'm trying to make a tweet using these tokens - it gives me:
{"errors":[{"code":220,"message":"Your credentials do not allow access to this resource."}]}
Here's how I'm trying to make a tweet:
$config = [
'authentication_parameters' => [
//Location where to redirect users once they authenticate
'callback' => 'https://mysite/twittercallback/',
//Twitter application credentials
'keys' => [
'key' => 'xxx',
'secret' => 'yyy'
],
'authorize' => true
]
];
$adapter = new Hybridauth\Provider\Twitter($config['authentication_parameters']);
//Attempt to authenticate the user
$adapter->setAccessToken(/*tokens I've got from getAccessToken() on /twittercallback/*/);
if(! $adapter->isConnected()) {
// never goes here, so adapter is connected
return null;
}
try{
$response = $adapter->setUserStatus('Hello world!');
}
catch (\Exception $e) {
// here I've got the error
echo $e->getMessage();
return;
}
Tried to recreate tokens and key\secret pairs and passed auth process for the app many times, including entering password for my Twitter account (as suggested in some posts on stackoverflow) but still have this error.
P.S. According to this, Hybridauth has fixed the issue in the recent release.
It looks like you are using application authentication as opposed to user authentication. In order to post a tweet, you must authenticate as a user. Also, make sure your Twitter app has read/write privileges.
After comparing headers of outgoing requests from my server with the ones required by Twitter, I've noticed that Hybris doesn't add very important part of the header: oauth_token. At least it's not doing this in the code for Twitter adapter and for the scenario when you apply access token with setAccessToken(). It's just storing tokens in the inner storage but not initializing corresponding class member called consumerToken in OAuth1 class.
So to initialize the consumer token properly I've overridden the apiRequest method for Twitter class (before it used the defalut parent implementation) and added a small condition, so when consumer token is empty before the request - we need to try to init it.
public function apiRequest($url, $method = 'GET', $parameters = [], $headers = [])
{
if(empty($this->consumerToken)) {
$this->initialize();
}
return parent::apiRequest($url, $method, $parameters, $headers);
}
I'm not sure that I've fixed it the best way, but as long as it's working - that's fine.
For your info setAccessToken was fixed in v3.0.0-beta.2 (see PR https://github.com/hybridauth/hybridauth/pull/880)
I faced the same error when implementing a sample app in clojure and the following resource was a huge help to sort out my confusion about application-only auth vs user authentication: https://developer.twitter.com/en/docs/basics/authentication/overview/oauth
I'm developing a Laravel 4 app that will make the same CRUD operations on my data set available through a JSON REST API and a Web UI. It seems that to prevent breaking the DRY principle that my UI should consume my own API by routing all requests from the UI back to the API. I'm unsure though about the best approach to making this work. Presumably I would have separate UI and API controllers and somehow route the requests through. Or should I be looking at a different approach altogether?
I'm actually tinkering with the same idea and it's pretty neat. With Laravel you do have the ability to make internal requests (some might refer to this as HMVC, but I won't). Here's the basics of an internal request.
$request = Request::create('/api/users/1', 'GET');
$response = Route::dispatch($request);
$response will now contain the returned response of the API. Typically this will be returned a JSON encoded string which is great for clients, but not that great for an internal API request. You'll have to extend a few things here but basically the idea is to return the actual object back through for the internal call, and for external requests return the formatted JSON response. You can make use of things like $response->getOriginalContent() here for this kind of thing.
What you should look at doing is constructing some sort of internal Dispatcher that allows you to dispatch API requests and return the original object. The dispatcher should also handle malformed requests or bad responses and throw exceptions to match.
The idea itself is solid. But planning an API is hard work. I'd recommend you write up a good list of all your expected endpoints and draft a couple of API versions then select the best one.
NOTE: As vcardillo pointed out below, route filters are not called with these methods.
I am currently doing the same thing, and Jason's answer got me going in a great direction. Looking at the Symfony\Component\HttpFoundation\Request documentation, I figured out how to POST, as well as everything else I'd need to do. Assuming you're using a form, here is some code that could help you:
GET:
$request = Request::create('/api/users/1', 'GET');
$response = Route::dispatch($request);
POST:
$request = Request::create('/api/users/1', 'POST', Input::get());
$response = Route::dispatch($request);
POST w/ cookies
$request = Request::create('/api/users/1', 'POST', Input::get(), Cookie::get('name'));
$response = Route::dispatch($request);
POST w/ files
$request = Request::create('/api/users/1', 'POST', Input::get(), null, Input::file('file'));
$response = Route::dispatch($request);
I hope this helps someone else. If you aren't using a form, or you are but not using Laravel's Input / Cookie facade, replace the Input / Cookie facades with your own content.
Taylor Otwell suggested using app()->handle() rather than Route::dispatch() to achieve a clean request.
For Route::dispatch($request) I noticed if the endpoint of your non-GET request (parameters on the HTTP request body) uses a dependency injected \Illuminate\Http\Request or \Illuminate\Foundation\Http\FormRequest extending instance, state of the parameters, cookies, files, etc. are from the original HTTP request. i.e., for your application's controller action method.
If parameter names and post method type for your app controller and API controller are the same, you won't notice the difference since the original parameter values are passed on. But when you're manually assembling the 3rd parameter of Request::create(), Route::dispatch() will result in it being ignored.
app()->handle() fixes that context problem in the Laravel request lifecycle.
Caveat: app()->handle() affects Illuminate\Support\Facades\Request, refreshing it with this new request instance. As a knock-on effect, calls like Request::isXmlHttpRequest() or redirect()->back() invoked after app()->handle() will cause unpredictable behaviour. I'd suggest tracking the context of your original request and instead use redirect()->to(route('...')) so you strictly control flow and state of your app.
Given all these corner cases, it may be best to just do a manual curl using a Guzzle HTTP client.
If you are looking for using passport login api internally, then you need to add the parameters to original request:
protected function manualLogin(Request $request)
{
$email = $request->input('email');
$password = $request->input('password');
$request->request->add([
'username' => $email,
'password' => $password,
'grant_type' => 'password',
'client_id' => $clientID,
'client_secret' => $clientSecret,
'scope' => '*']);
$newRequest = Request::create('/oauth/token', 'post');
return Route::dispatch($newRequest)->getContent();
}
If you're consuming your own API, use app()->handle() instead of Route::dispatch() as Derek MacDonald has suggested.
app()->handle() creates a fresh request, while Route::dispatch() runs the route within the stack, effectively ignoring parameters that are part of the request that you're sending.
Edit: Just a heads-up. Taylor Otwell advises against using sub-requests to make internal API calls, as they mess the current route. You can an HTTP API client like Guzzle instead to make the API calls.
You can use Optimus API consumer, the API is clean and simple, example making an internal request:
$response = app()->make('apiconsumer')->post('/oauth/token', $data);
In it's core, it uses Illuminate\Routing\Router and Illuminate\Http\Request to make the call
// create the request
$this->request->create($uri, $method, $data, [], [], $server, $content);
// get the response
$response = $this->router->prepareResponse($request, $this->app->handle($request));