I have some trouble getting a response from the new Bigcommerce api, not sure what I'm doing wrong.
Followed the instructions to get an Oauth token upon app install here:
developer.bigcommerce.com/apps/callback
The token is stored and used to make this request:
https://api.bigcommerce.com/stores/{store hash}/v2/time
According to developer.bigcommerce.com/api/authentication:
I've added X-Auth-Client and X-Auth-Token respectively as the app client ID and Oauth token.
The server is just returning "0 NO RESPONSE" and I'm not sure what's wrong. It does return unauthorized if I remove one of the headers though.
Does anyone have an idea on this? Thank you.
--
I'm using the Advanced Rest Client app from chrome to test for responses. Basically calling my store's URL api.bigcommerce.com/stores/3t984h/v2/time as a GET request and passing X-Auth-Client and X-Auth-Token headers.
Request headers
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
X-Auth-Client: p1r37bt131z86675nofv9xmhietoe4t
X-Auth-Token: kzm1q2w8h11dfkgbxhg3j0i8amac86g
Accept: */*
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en,zh;q=0.8,zh-TW;q=0.6,ko;q=0.4,en-GB;q=0.2,en-US;q=0.2
Finally got it. It was a spec issue which wasn't that obvious (to me at least).
According to this (https://developer.bigcommerce.com/api/headers)
I needed to add
Content-Type: application/json
Accept: application/json
to the request header for it go thru.
Related
According the documentation (https://docs.kanboard.org/en/latest/admin_guide/reverse_proxy_authentication.html), i try to configure a simple authentication using the REVERSE_PROXY_USER_HEADER parameter.
For that, i set the parameters (data/config.php) like that !
define('REVERSE_PROXY_AUTH', true);
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
define('REVERSE_PROXY_DEFAULT_ADMIN', 'admin');
define('REVERSE_PROXY_DEFAULT_DOMAIN', 'my-domain.fr');
I also change the apache2 log format for display my HTTP headers and i can see my 'user-name' in the corresponding log.
My HTTP request is this one :
Host: kbsso.my-domain.fr
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Cookie: KB_SID=g6re22ivihojnle991idmo4vhh; KB_RM=4c14de632e17976bc894b9dd0f273c0415d0fef620b62b00bc8e782084775a97%7Cf47e8c6b8ab3721c60dd32fbc4ed129fedbeafc388ff66b3c9933e28c08d
Upgrade-Insecure-Requests: 1
REMOTE_USER: ex.valere.viandier
Pragma: no-cache
Cache-Control: no-cache
So, my problem is...
When REVERSE_PROXY_AUTH is set to true, the controller show me the login screen but if i try to loggin, i receive an "Access denied" HTML page.
When REVERSE_PROXY_AUTH is set to false, the controller show me the login screen and, using the same user account, i can access to kanboard.
The documentation say :
Your reverse proxy authenticates the user and send the username through a HTTP header.
Kanboard retrieve the username from the request
The user is created automatically if necessary
Open a new Kanboard session without any prompt assuming it’s valid
I try with existing and non-existing user but i have the same problem.
I try with v1.2.5, v1.2.8 but no way...
Do you know an issue ?
Thx a lot
Valère
I'm working with a SSO Saml authentication flow which looks as follows:
User sends SAMLRequest
User is redirected to IdP login page
User submits login details
IdP authenticates and redirects to my consumer assertion processing page
Access token extracted and submitted for a token to interact with API
I'm stuck on step 5. In fiddler, I can see the request header being sent with the required SAMLResponse posted, but it does not show in $_POST, $_GET and I've tried file_get_contents('php://input'). The response is the result of a 301 redirect.
The incoming header request with the required SAMLResponse redirected (301) to my assertion consumer page looks as follows. I can't figure out how to extract the posted parameter SAMLResponse?
POST http://localhost/xxxxxxxxxxx
Host: localhost
Connection: keep-alive
Content-Length: 7710
Cache-Control: max-age=0
Origin: null
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Cookie: optimizelyEndUserId=oeu1463724346007r0.9674156716176872; ajs_anonymous_id=%22c336991a-286a-4278-8cb2-3d00d784f376%22; optimizelySegments=%7B%225943211328%22%3A%22direct%22%2C%225934960299%22%3A%22false%22%2C%225952160221%22%3A%22gc%22%7D; optimizelyBuckets=%7B%7D; ajs_user_id=null; ajs_group_id=null; _ga=GA1.1.1336717339.1458634274; PHPSESSID=imtffdda2a6g576rtd0vpb8ro2
SAMLResponse=xxxxxxxxxxxxxxxx
I've been scanning the web for a week but have not found a solution. Thanks in advance for any help.
It turns out I was missing a trailing / on my consumer assertion url which of course meant the server was redirecting to index.php resulting in the loss of post vabriables.
This question already has answers here:
PHP, cURL, and HTTP POST example?
(14 answers)
Closed 8 years ago.
I've looked for how to use cURL with PHP but in all the examples, it asks for post information. In the destination site which I want to login, it has these headers. Is there any way to login with cURL to this site?
POST //Login.aspx?t=tAagdOpCKVbBZJICqxicOwGO3g5%2fDqQ9HvthBEckSU%2fRd5lEPDasJELARgr2txnB12tfPnVvJSF1BasxQhlzbQ%3d%3d HTTP/1.1
Host: awebsite.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.6,en;q=0.4
Content-Type: application/x-www-form-urlencoded
Cookie: __qca=P0-1236052332-1411314388865; ASP.NET_SessionId=2lhdwlfafvc4mrt1leqofp4p; __utma=219632280.2029473779.1403506413.1419763928.1419764926.556; __utmc=219632280; __utmz=219632280.1419764926.556.7.utmcsr=google|utmccn=(organic)|utmcmd=organic|utmctr=(not%20provided); __utma=94244052.918496071.1403626522.1419678978.1419763934.203; __utmb=94244052.500.10.1419763934; __utmc=94244052; __utmz=94244052.1419763934.203.181.utmcsr=awebsite.com|utmccn=(referral)|utmcmd=referral|utmcct=/
Origin: http://awebsite.com
Referer: http://awebsite.com/Default.aspx
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Your URL is: http://awebsite.com/Login.aspx?t=tAagdOpCKVbBZJICqxicOwGO3g5%2fDqQ9HvthBEckSU%2fRd5lEPDasJELARgr2txnB12tfPnVvJSF1BasxQhlzbQ%3d%3d
There is no post data. There are cookies and a content-type. Some APIs I've used reject the request if the content type is not x-www-form-urlencoded, but those google analysis cookies are likely unnecessary.
Check out the cURL doc of the setopt function.
http://php.net/manual/de/function.curl-setopt.php
If you try to test the request you can also use curl from the bash.
I haven't understand data transfer to the server completely. Which ways do I have? When I started learning PHP, I thought there are two ways called GET which encrypts data in the URL and POST which sends data in another way to the server. I didn't know where exactly, though.
Now I want to learn about RESTful server backends, and I learned that GET and POST are just request methods, among others like PUT and DELETE, which doesn't seem to have anything to do with how data is transferred to the server.
Moreover, I read that additional data can be sent in the HTTP header. Is this how POST actually sends its data or is there even a difference?
I would like to either read POST data regardless of the request method using PHP's $_POST array, but this doesn't work. On the other hand, when I try to manually parse the header information from php://input, I cannot see POST data. Could someone please explain to me where data is transferred in the different cases?
My goal is to get parameters from the client regardless of content type, which may be form-data, json or something other, and request method. How can I do this in PHP? Requests will be sent using JQuery's AJAX functionality.
To explain how does http work using nc
http://linux.die.net/man/1/nc
GET
$ nc -l 8888 to start a dummy server listen at 8888
send a GET request using jQuery (impl via XHR)
$.get("http://localhost:8888", { a :1 ,b: 2})
nc would print what XHR sent to server to stdout
$nc -l 8888
GET /?a=1&b=2&_=1383234919249 HTTP/1.1
Host: localhost:8888
Connection: keep-alive
Accept: */*
Origin: http://stackoverflow.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
DNT: 1
Referer: http://stackoverflow.com/questions/19710815/understanding-how-xmlhttprequest-sends-data-to-a-server
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
thus, PHP parse GET /?a=1&b=2&_=1383234919249 into $_GET
POST
using nc to recording POST
POST / HTTP/1.1
Host: localhost:8888
Connection: keep-alive
Content-Length: 7
Accept: */*
Origin: http://stackoverflow.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded
DNT: 1
Referer: http://stackoverflow.com/questions/19710815/understanding-how-xmlhttprequest-sends-data-to-a-server
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,zh-CN;q=0.6,zh;q=0.4
a=1&b=2
here you can see Content-Type: application/x-www-form-urlencoded
,which tell the http body sent by browser is form encoded
as a result, PHP parse a=1&b=2 in to array $_POST
WHY php://input can't see POST BODY
according to http://php.net/manual/en/wrappers.php.php
php://input is a stream and can be read only once
below is from php doc
Note: A stream opened with php://input can only be read once; the
stream does not support seek operations. However, depending on the
SAPI implementation, it may be possible to open another php://input
stream and restart reading. This is only possible if the request body
data has been saved. Typically, this is the case for POST requests,
but not other request methods, such as PUT or PROPFIND.
I have a SWF file which allows a user to upload files on my website. That SWF sends a POST request to upload.php on my server, thus uploading the file.
But before it does so, at upload.php I wanna make sure that the person who is doing this is signed in. For this currently, I check the SID cookie value sent in the request headers and check an entry against that SID value in my database (i store sessions in database). I works well for chrome but fails in firefox as it doesn't send any cookie headers when request is generated by the SWF.
How should I go about it. Thanks for help.
Headers sent in Chrome
Content-Length: 355894
Origin: http://localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.52
Content-Type: multipart/form-data; boundary=----------ei4Ij5ae0ae0ei4Ef1Ef1KM7GI3Ef1
Accept: */*
Referer: http://localhost/home Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: PHPSSID = 238e320eewbjdbew923e092ejhwbjhwebd
Headers sent in FireFox
Accept: text/*
Content-Type: multipart/form-data; boundary=----------GI3Ef1Ef1ae0GI3cH2Ef1Ef1cH2KM7
User-Agent: Shockwave Flash
Host: localhost
Content-Length: 355894
Connection: Keep-Alive
Cache-Control: no-cache
It's a feature of Chrome, but not a Bug of FireFox. Uploading SWF's must explictly send browser cookies. Look at FancyUpload starting from version 3.0.
Also note, PHP with suhosin can remove session variables if User-Agent header is not equal to the browsers. This called 'Session Fixtion'. So Uploading SWF's must send browsers User-Agent during requests too (or just disable suhosin patch).