Laravel API cURL Request to Python - php

I followed this Laravel token API tutorial: http://rjv.im/post/95988160186/api-token-authentication-with-laravel-and-sentry-part. I have written the following cURL request to communicate with my API:
curl -H "X-Auth-Token:tokenhere" http://localhost:8000/account
The request works properly, and accurately returns the expected data. When I translate this to Python I receive urllib2.HTTPError: HTTP Error 401: Unauthorized
import urllib2
req = urllib2.Request('http://localhost:8000/account')
req.add_header("X-Auth-Token", "tokenhere")
resp = urllib2.urlopen(req)
content = resp.read()
print content
If I pass user credentials using basic auth instead of an X-Auth-Token, the request works as expected:
import urllib2
def basic_authorization(user, password):
s = user + ":" + password
return "Basic " + s.encode("base64").rstrip()
req = urllib2.Request("http://localhost:8000/account", headers = { "Authorization": basic_authorization("usernameHere", "passwordHere"), })
f = urllib2.urlopen(req)
print f.read()
Any assistance would be much appreciated.

There is something you missed in the tutorial. In the tokens table there is a column:
$table->string('client');
It is important from which client you are sending your request. I am using https://github.com/hisorange/browser-detect to detect from which client I got the request.
But for now I will just try to see User Agent. In my laravel code I just logged every request to see what's happening with the following code:
Route::filter('auth.token', function($route, $request)
{
....
Log::info($request);
....
}
Now, Let's see:
When I use curl from command line:
curl -u user#example.com:password -X GET http://localhost:8000/account
My User Agent is
User-Agent: curl/7.32.0
I sent the same from python using your code above, User Agent is:
User-Agent: Python-urllib/2.7
Ah! That must be it. You have to authenticate your user at least once using Basic Auth, it will give you a token and that token is valid for only that client. In the first part http://rjv.im/post/78940780589/api-token-authentication-with-laravel-and-sentry-part of tutorial there was no such condition. In the comments I received someone posted a query on how to support multiple clients, so this example was made to solve that problem.
Apart from that, may I suggest this library: https://github.com/chrisbjr/api-guard It supports Rate Limiting, easy to integrate with Sentry. It's a bit different from my tutorial. Using my solution you can hit any endpoint using Basic Auth or Token. Using above library, only token is permitted, so there is dedicated route to generate token. Let me know how it goes.

Related

php, postman- get request with authorization token bearer doesent work

authorizationResponse = {type: "authorization_response",response: {"access_token":"3VH1nr_EukBPqelzH5h5INuwaMh4rIsw","id_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Im9ubGluZWludm9pY2Uy
NjE5QGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ1c2VyX21ldGFkYXRhIjp7ImZpcnN0X25hbWUiOiJIIiwiZ2l2ZW5OYW1lIjoiQmVhbGUiLCJsYXN0X25hbWUiOiJCZWFsZSIsIm5hbWUiOiJIIiwidXNlcl9wcmVmZXJlbmNlcyI6eyJQYXBlcmxlc3MiOiJmYW
xzZSIsIlByb21vdGlvbmFsU3RhdHVzIjoiZmFsc2UiLCJQcm9tb3Rpb25hbENvbW1UeXBlIjoiRW1haWwiLCJTZXJ2aWNlQWxlcnRzQ29tbVR5cGUiOiJFbWFpbCIsIlNlcnZpY2VBbGVydHNTdGF0dXMiOiJmYWxzZSIsIlBob25lTnVtYmVyIjoiIiwiTW9iaWxlTnVtYmVyIjoi
IiwiT0JQU3RhdHVzIjoidHJ1ZSIsIklzU2V0dGluZ1VwZGF0ZWQiOiIifSwiZGVmYXVsdF9hY2NvdW50IjoiNDA2NDQxMCJ9LCJ1c2VyX2lkIjoiYXV0aDB8NWUwYmM4OGY0MjhiM2IxMDMzZTVhMzc0IiwiYXBwX21ldGFkYXRhIjp7ImZpc191c2VybmFtZSI6IjEyMzllODlhNT
ExZDRkYzQ4YjU0ZTQ2ZWE2NDBiZTk2IiwidXNlcl9yb2xlIjoiQ3VzdG9tZXIiLCJjZGhfY29udGFjdF9wcm9maWxlX2lkIjoiMzcwMTExNSIsInJlZ2lzdHJhdGlvbl9zdGF0dXMiOiJDRCIsInVzZXJfdHlwZSI6Ik9SIiwiZmlzX3N5bmNfc3RhdHVzIjoiQ0QiLCJzc29fZmxh
ZyI6Ik4iLCJjZGhfaWQiOiIzNTkzNDg1IiwibXJfb3JpZ2luYWxfaWQiOiIifSwiaWRlbnRpdGllcyI6W3sidXNlcl9pZCI6IjVlMGJjODhmNDI4YjNiMTAzM2U1YTM3NCIsInByb3ZpZGVyIjoiYXV0aDAiLCJjb25uZWN0aW9uIjoiVXNlcm5hbWUtUGFzc3dvcmQtQXV0aGVudG
ljYXRpb24iLCJpc1NvY2lhbCI6ZmFsc2V9XSwiaXNzIjoiaHR0cHM6Ly9hdXRoLnJlcHVibGljc2VydmljZXMuY29tLyIsInN1YiI6ImF1dGgwfDVlMGJjODhmNDI4YjNiMTAzM2U1YTM3NCIsImF1ZCI6ImFrN2czc3pJNTV6ZVQzWWR2c2FIcktCTVN6dWYwN1JqIiwiaWF0Ijox
NTkxNjM5OTY2LCJleHAiOjE1OTE2NDIwNjZ9.O6Lr6mwdRDGnkajLvjles5OZUE6bdgeIc5NDmerKkyk","scope":"openid email user_metadata user_id app_metadata identities given_name offline_access","expires_in":86400,"refresh_token
":"wOSUKBkpPBE5cP2Fvjhqk_IyaVaUe1Yn-PMDlqvz2PiDr","token_type":"Bearer","state":"-cnRVfTo5leolNpTONy-08usnorvye89"}};v
From this page, I get the id_token because I need to put it in headers to get another page, but when I do it, I can't get the JSON page, instead, I receive and simple HTML page and that is not what I need. I also tried with the postman, I copied all headers and URL in postman but can't get the good response that i need. My header look like this:
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InAzcmVwdWJsaWMxMEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9tZXRhZGF0YSI6eyJmaXJzdF9uYW1lIjoiUDMiLCJsYXN0X25hbWUiOiJXQyIsIm5hbWUiOiJQMyBXQyIsInVzZXJfcHJlZmVyZW5jZXMiOnsiUGFwZXJsZXNzIjpmYWxzZSwiUHJvbW90aW9uYWxTdGF0dXMiOiJmYWxzZSIsIlByb21vdGlvbmFsQ29tbVR5cGUiOiIiLCJTZXJ2aWNlQWxlcnRzQ29tbVR5cGUiOiJFbWFpbCIsIlNlcnZpY2VBbGVydHNTdGF0dXMiOiJmYWxzZSIsIlBob25lTnVtYmVyIjoiMTg4ODY3NjY0OTQiLCJNb2JpbGVOdW1iZXIiOiIiLCJPQlBTdGF0dXMiOiJ0cnVlIiwiSXNTZXR0aW5nVXBkYXRlZCI6InRydWUifSwib25ib2FyZFBhZ2VWaXNpdGVkIjpmYWxzZSwiZGVmYXVsdF9hY2NvdW50IjoiNDA2NDQxMCJ9LCJ1c2VyX2lkIjoiYXV0aDB8NWExZDcyYzhkNTFkZGQxOGUwODM3ZWFiIiwiYXBwX21ldGFkYXRhIjp7ImZpc191c2VybmFtZSI6IjIzOTM4NzUiLCJ1c2VyX3JvbGUiOiJDdXN0b21lciIsImNkaF9jb250YWN0X3Byb2ZpbGVfaWQiOiIyMzkzODc1IiwicmVnaXN0cmF0aW9uX3N0YXR1cyI6IkNEIiwidXNlcl90eXBlIjoiT1IiLCJmaXNfc3luY19zdGF0dXMiOiJDRCIsInNzb19mbGFnIjoiWSIsImNkaF9pZCI6IjIzNjU0MTMiLCJtcl9vcmlnaW5hbF9pZCI6IiJ9LCJpZGVudGl0aWVzIjpbeyJ1c2VyX2lkIjoiNWExZDcyYzhkNTFkZGQxOGUwODM3ZWFiIiwicHJvdmlkZXIiOiJhdXRoMCIsImNvbm5lY3Rpb24iOiJVc2VybmFtZS1QYXNzd29yZC1BdXRoZW50aWNhdGlvbiIsImlzU29jaWFsIjpmYWxzZX1dLCJpc3MiOiJodHRwczovL2F1dGgucmVwdWJsaWNzZXJ2aWNlcy5jb20vIiwic3ViIjoiYXV0aDB8NWExZDcyYzhkNTFkZGQxOGUwODM3ZWFiIiwiYXVkIjoiYWs3ZzNzekk1NXplVDNZZHZzYUhyS0JNU3p1ZjA3UmoiLCJpYXQiOjE1OTE2MzkxNzAsImV4cCI6MTU5MTY0MTI3MH0.RnPasIlFFHOhn7yvs7aHKepLZqdlobM3rAJH1TzxfNU
but something doesn't work good, any help, how at least I can get a good response in postman?
So, from I understood, you have troubles sending a request using the authorization header bearer token with Postman ?
If it is indeed the case, here's how to do it (just put the token in the form to the right, without the quotes of course) =>
If it's not what you asked, well I tried to help ^^

Run javascript on a page [duplicate]

I am making a Chrome Extension that talks to a website via an api. I want it to pass information about a current tab to my website via a cors request.
I have a POST api request already working. It looks like this:
...
var url = "https://webiste.com/api/v1/users/sendInfo"
...
xhr.send(JSON.stringify({user_name:user_name, password:password, info:info}));
Its corresponding curl statement is something like this:
curl -X POST https://website.com/api/v1/users/sendInfo -d '{ username:"username", password:"password", info: "Lot's of info" }' --header "Content-type: application/json
But, this is not as secure as we want. I was told to mirror the curl command below:
curl --basic -u username:password <request url> -d '{ "info": "Lot's of info" }'
But, one cannot just write curl into javascript.
If someone could either supply javascript that acts like this curl statement or explain exactly what is going on in that basic option of the curl script I think that I could progress from there.
The curl command is setting a basic Authorization header. This can be done in JavaScript like
var url = "https://webiste.com/api/v1/users/sendInfo",
username = "...",
password = "...";
xhr.open('POST', url, true, username, password);
xhr.send(...);
This encodes the username/password using base 64, and sets the Authorization header.
Edit As arcyqwerty mentioned, this is no more secure than sending username/password in the request body JSON. The advantage of using the basic authentication approach is that it's a standard way of specifying user credentials which integrates well with many back-ends. If you need security, make sure to send your data over HTTPS.
curl is the curl binary which fetches URLs.
--basic tells curl to use "HTTP Basic Authentication"
-u username:password tells curl supply a given username/password for the authentication. This authentication information is base64 encoded in the request. Note the emphasis on encoded which is different from encrypted. HTTP basic auth is not secure (although it can be made more secure by using an HTTPS channel)
-d tells curl to send the following as the data for the request
You may be able to specify HTTP basic authentication in your request by making the request to https://username:password#website.com/api/v1/users/sendInfo

How to use get_file_contents in PHP when authorization is needed for URI?

I'm making a request to retrieve a JSON file to a server at a particular secure DocuSign uri. However, unless I put in the authorization information (which I do have), I am unable to have the file returned.
<?php
$json = file_get_contents("https://example.docusign.com/sensitiveIDs/moreID");
echo $json
?>
Where would I put in authorization information for the specific server/username/password/other info needed to access the particular DocuSign server using a method like this in PHP? Is there a better method to use for this scenario in PHP?
It depends on how the authorization is implemented. If its basic or digest HTTP authentication then specify it in the URL:
file_get_contents("https://$USER:$PASSWORD#example.docusign.com/sensitiveIDs/moreID");
Cookie based authentication is a lot more difficult (and probably easier to use Curl or even a more complex system like Guzzle. If its oauth2, then you probably want an oauth2 library.
Your call needs to include authentication to make the GET call to retrieve the file.
If your app is initiated by a human use Oauth to retrieve access and refresh tokens. Then included the access token with the GET request.
If your app is a "system app" that wants to autonomously retrieve the file, then you should authenticate by using X-DocuSign-Authentication -- include the following header in your HTTPS request. Since the request is HTTPS, the content is encrypted on the wire:
X-DocuSign-Authentication: <DocuSignCredentials><Username>{name}</Username><Password>{password}</Password><IntegratorKey>{integrator_key}</IntegratorKey></DocuSignCredentials>
Replace {name} with your email address (no braces), etc.
The bottom line is that you can't use the file_get_contents Php method. Instead, you'd do something like the following:
Use https://github.com/rmccue/Requests or a similar library to help with the https request. (http is not allowed due to security issues.)
(untested code)
$url = $base_url . $the_url_section_for_this_call
$headers = array('X-DocuSign-Authentication' =>
'<DocuSignCredentials><Username>your_name</Username><Password>your_password</Password><IntegratorKey>your_integrator_key</IntegratorKey></DocuSignCredentials>');
$request = Requests::get($url, $headers);
# Check that the call succeeded (either 200 or 201 depending on the method
$status_code = $request->status_code;
if ($status_code != 200 && $status_code != 201) {
throw new Exception('Problem while calling DocuSign');
}
$json = $request->body;

Invalid API key as a reponse of PUT method using RESTServer codeigniter

I am using the codeigniter rest server api library.
When I enter http://localhost/RESTapi/api/question?X-API-KEY=XXX in Postman with the PUT method
I'm getting:
{
"status": false,
"error": "Invalid API key "
}
It works fine with GET method
How can I fix this issue?
I've seen some API's that do not look at the GET params if you make a POST or PUT request for credentials or are inconsistent in how they do it.
Really, credentials should go in headers either via the Authorize header or a custom one for many reasons like 'not logging credentials to access logs', but I digress.
In this case you can try:
Put (no pun) the X-API-KEY=XXX inside the body of the PUT just to see if this works
See if/how the library accepts the API key in a header
Looking at this library in particular (https://github.com/chriskacerguis/codeigniter-restserver), they do support the header X-API-KEY. This should be where you put the key for ALL requests--it's best practice not to pass them as url params.
Here's the commandline example using curl from their Github project.
curl -X POST -H "X-API-KEY: some_key_here" http://example.com/books
In PHP you can use curl to set header like this:
curl_setopt($ch, CURLOPT_HTTPHEADER, array('X-API-KEY: XXX'));

How to stimulate cURL request to a request using postman

I am using the following cURL request to localhost which runs fine:
curl -u admin:e4d4face52f2e3dc22b43b2145ed7c58ce66e26b384d73592c -d "{\"jsonrpc\": \"2.0\", \"method\": \"feed.list\", \"id\": 1}" http://localhost/minifluxR/jsonrpc.php
But when I send the same request using Postman instead of cURL, I am getting:
{"jsonrpc":"2.0","id":null,"error":{"code":-32700,"message":"Parse error"}}
In Postman I used a GET request and sent the following as headers:
url:http://localhost/minifluxR/jsonrpc.php
username:admin
api_token:e4d4face52f2e3dc22b43b2145ed7c58ce66e26b384d73592c
method: feed.list
The following is the PHP function I am trying to trigger:
$server = new Server;
$server->authentication(array(
\Model\Config\get('username') => \Model\Config\get('api_token')
));
// Get all feeds
$server->register('feed.list', function () {
return Model\Feed\get_all();
});
Please help me to correct these errors.
When using cURL, the -u option (or --user) is used to supply the credentials for HTTP Basic authentication. This sets the Authorization header to contain the necessary data to authenticate with the server.
These steps apply to Postman's packaged app. For steps for the legacy app, view this of revision this answer.
To use HTTP Basic authentication as you were in your cURL command, click the Authorization tab and enter your credentials. Clicking Update Request will add the necessary Authorization header for you.
To submit the JSON data in the same way that you did with cURL, use a POST request, select raw under the Body tab, and enter your data like so:
To debug this I used Fiddler - a free web debugging proxy.
I used cURL's --proxy option to make it send its requests through Fiddler like so:
curl \
--proxy http://localhost:8888 \
-u foo:bar \
-d "{\"jsonrpc\": \"2.0\", \"method\": \"feed.list\", \"id\": 1}" \
http://localhost
Now that the request goes through Fiddler, I can select it from the session list, and use the "raw" inspector to see the raw request:
This shows me that the cURL is making a POST request with HTTP Basic authentication and application/x-www-form-urlencoded content. This type of data normally consists of keys and values, such as foo=bar&hoge=fuga. However, this cURL request is submitting a key without a value. A call to var_dump($_POST) will yield the following:
With a = at the end of the data (like so: {"jsonrpc": "2.0", "method": "feed.list", "id": 1}=) the var_dump will yield the following:
However, it seems that JsonRPC will use file_get_contents('php://input') in your case. This returns the data that was submitted with the request, including a =, if the data ends with it. Because it will try to parse the input data as a JSON string, it will fail if the string ends with a =, because that would be invalid JSON.
Using the FoxyProxy extension for Chrome, I created a proxy configuration for Fiddler (127.0.0.1:8888), which allowed me to easily debug the data being sent by Postman's POST request. Using x-www-form-urlencoded with a key of foo with no value, the data sent was actually foo=, which would result in your JSON string being invalid.
However, using "raw" input will allow for the specified data to be sent without a = being added to the end of it, thus ensuring the data is valid JSON.
Curl is using HTTP Basic authentication by default. Your headers set in Postman are something different. Try using Basic Auth in Postman. It is in top panel, you fill in username and password and authorization header will be generated.

Categories