I have a couple of sites on the same server and same domain (site1.domain.com, site2.domain.com...) which talk to each other with http post request. This works fine, but I also have a dev version of all sites that is under basic authentication so you need a username/password to see the sites, and on these the http post request doesn't work.
This seems to be because the server can't authenticate itself which seems kinda weird to me, I don't have much experience with IIS thou so probably have missed something.
Anyone know how to solve this?
Don't know if it makes a difference, but the sites are using php, not asp.net
You will need to send your credentials with your request. I do not know much about drupal_http_request, but if it doesnt have built in methods to add credentials to the request, you can manually add an auth header by base64 encoding your credentials.
Related
To start things off, my server is not running PHP in CGI mode. And even if it was I have the proper mod_rewrite stuff setup (this is a Drupal site).
My problem is that when the user/pass are passed via the URL in the form of http://user:pass#example.com then they do not show up in any of $_SERVER's values. Not PHP_AUTH_USER, not in HTTP_AUTHORIZATION, not in REMOTE_USER, or anywhere else within that super global.
If the credentials are passed via the browser's HTTP basic auth dialog or directly using the base64 encoded Authorization: Basic ZXhhbXBsZTpleGFtcGxl HTTP header then everything works as expected, `$_SERVER['HTTP_AUTH_USER'] is filled out and everything is okay. But if the user/pass are passed via the URL then it's a no go.
Any ideas on what could be going on here?
PHP 5.3.10
Apache 2.2.22
tl;dr: Caching of the 401 Unauthorized response faked me into thinking there was a problem with the authentication code when there wasn't, it was just sending the cached authentication failure response over and over again despite correct credentials. Disabling the caching fixed the problem.
For context, this was all for an API. Basically, Drupal was aggressively caching the responses from the API, including the 401 Unauthorized response. But I didn't notice that the reason authorization was failing was due to the caching, I saw two separate problems: responses were being improperly cached and authorization wasn't working in some situations.
That was on production, so in my development environment I disabled caching for the API and then started to troubleshoot the authorization problem, not realizing I had already solved it. As a debugging method, I short-circuited the responses so that the API wouldn't actually check the HTTP Basic Auth credentials, it would just spew debug info ($_SERVER, mainly). Because the server was no longer sending 401 Unauthorized when it should, Safari wasn't packaging up the user and pass in the URL as a HTTP Authorization header. But I hadn't realized that yet.
So, Safari was working with user/pass in the URL on a site that uses Apache for handling HTTP Basic Auth but it wasn't working with my PHP API. This made me think that Apache was eating the authentication in the URL and not sending it along. This idea is what spawned this question.
Thanks to Basic's and Barmar's comments on the question, I realized my error and tested actually sending the 401 Unauthorized status code and low-and-behold, Safari was working with the user/pass in the URL.
I didn't notice the caching while I was developing the API because I was logged into the Drupal site the API is built on and Drupal only does the full page caching for anonymous users. Interestingly, even the Chrome app, Postman, which acts like a separate application, sends your cookies from the main Chrome application. I didn't even realize that I was logged into the site when I sent requests with it.
http://httpd.apache.org/docs/2.2/howto/auth.html
Are you requiring a valid-user? in a block like this.
AuthType Basic
AuthName "By Invitation Only"
# Optional line:
AuthBasicProvider file
AuthUserFile /usr/local/apache/passwd/passwords
AuthGroupFile /usr/local/apache/passwd/groups
Require group GroupName
Can you post the relevant httpd.conf block?
Recently I enabled ssl encription on my website. I'm using the PHP SDK to connect with facebook. The problem is that when I navigate throught HTTPS and I try to get the current user with
$facebookUser = $this->facebook->getUser();
the response always is false... if I try the same with HTTP it works perfectly...
Is there some setting that I need to change?
I'm sure that ssl encription is working.
Facebook api didn't throw any exception...
Thank you.
I don't know the solution to your problem, but I'd bet the URL isn't quite right.
To help diagnose this, Try using an http debugging proxy, like Fiddler2. It allows you to construct and submit http(s) requests, and examine the responses. Also you can use it as a proxy to see what http(s) messages get generated and sent by your app, and what responses come back.
i'm developing an application with multiple login and information export options like yahoo, google contacts, live contacts etc. I tried to do the oauth wrapper for aol, followed the examples in the http://dev.aol.com/api/openauth page but it doesnt works.
I just only wanted to know if there is anyone that chad succeeded with its specs and got some sample code working, i tried and got the token in response but when i try to do an api request i get the response : Key Used From unauthenticated site
does it have to run in a online server? do i have to get some rsa signed file on my server?
any hint is welcome, thank you very much!
I haven't tried it before but I think you have to tell them your the IP you will sent requests from..
I was making project over enom API and I had to send them my IP to authorize my API requests
sorry for my late response, have being little busy here. The code in the example finally worked right last time i tried, maybe their servers had some issues or i misconfigured the example, not sure, but in my project it didnt worked, finally i managed the solution by using the CURLOPT_REFERER parameter i found in the example. I am sure that it was the issue in my code, because i was testing in a devel environment with a .loc top level domain.
Finally i want to give a hint to all the people trying to develop 3rd party apps that check the validity of the urls asking for permissions, you could use a testing environment by using the CURLOPT_REFERER paramater by setting the production url you want in the testing environment.
file in the testing environment http://www.mycoolsite.loc.
curl_setopt( CURLOPT_REFERER 'http://www.mycoolsite.com' );
The site that will receive the answer will check the referer and assume the .com one instead the .loc
Thanks to everybody that tried to help me.
I've been developing a site for a client that uses the Tweetr API to post messages to a user's Twitter account. It has now been discovered that the destination server is running IIS, so no mod_rewrite for the Tweetr proxy. Also cURL is not available, which prevents the proxy from forwarding requests.
The lack of mod_rewrite can be got around, but I need an alternative to using cURL that doesn't require anything not included in a very basic PHP 5.2 install. I'm considering trying to recreate the proxy functionality with jQuery AJAX, but at the same time that seems like a very lengthy solution. Can anyone point me in the right direction here?
I think that this might be what you're looking for.
I've been developing locally and exposing them with OAuth (oauth-php framework). Everything works perfectly fine locally on my laptop but when I deploy everything on my server it doesn't work anymore I get the following error when I'm trying to get a request_token:
Can't verify request, missing oauth_consumer_key or oauth_token
I've be investigating why it doesn't behave the same and the only clue that I found is in the log of OAuth: it looks like the oauth-php framework doesn't fetch properly the parameters in my POST Requests.
I have the same version of PHP on my server and on my local environment. I don't know what else could be affecting the oauth-php framework.
What can I do to find the problem? I don't know where to look...
Thanks!
Martin
I noticed that the Authorize header was stripped from the request, I renamed it on the client and server side and everything is working great.