I'm using the recess framework. Does somebody knows how to get the Authorization header from the request.
Normally, to get the request, we do $this->request, but how to extract the Authorization header which is in a form
Authorization:Basic jadfasdbaHGDWDSJDN==
When the request arrives at the server, the username and password is already decoded, to get the
$Username=$this->request->username;
$Password=$this->request->password;
Related
authorizationResponse = {type: "authorization_response",response: {"access_token":"3VH1nr_EukBPqelzH5h5INuwaMh4rIsw","id_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6Im9ubGluZWludm9pY2Uy
NjE5QGdtYWlsLmNvbSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ1c2VyX21ldGFkYXRhIjp7ImZpcnN0X25hbWUiOiJIIiwiZ2l2ZW5OYW1lIjoiQmVhbGUiLCJsYXN0X25hbWUiOiJCZWFsZSIsIm5hbWUiOiJIIiwidXNlcl9wcmVmZXJlbmNlcyI6eyJQYXBlcmxlc3MiOiJmYW
xzZSIsIlByb21vdGlvbmFsU3RhdHVzIjoiZmFsc2UiLCJQcm9tb3Rpb25hbENvbW1UeXBlIjoiRW1haWwiLCJTZXJ2aWNlQWxlcnRzQ29tbVR5cGUiOiJFbWFpbCIsIlNlcnZpY2VBbGVydHNTdGF0dXMiOiJmYWxzZSIsIlBob25lTnVtYmVyIjoiIiwiTW9iaWxlTnVtYmVyIjoi
IiwiT0JQU3RhdHVzIjoidHJ1ZSIsIklzU2V0dGluZ1VwZGF0ZWQiOiIifSwiZGVmYXVsdF9hY2NvdW50IjoiNDA2NDQxMCJ9LCJ1c2VyX2lkIjoiYXV0aDB8NWUwYmM4OGY0MjhiM2IxMDMzZTVhMzc0IiwiYXBwX21ldGFkYXRhIjp7ImZpc191c2VybmFtZSI6IjEyMzllODlhNT
ExZDRkYzQ4YjU0ZTQ2ZWE2NDBiZTk2IiwidXNlcl9yb2xlIjoiQ3VzdG9tZXIiLCJjZGhfY29udGFjdF9wcm9maWxlX2lkIjoiMzcwMTExNSIsInJlZ2lzdHJhdGlvbl9zdGF0dXMiOiJDRCIsInVzZXJfdHlwZSI6Ik9SIiwiZmlzX3N5bmNfc3RhdHVzIjoiQ0QiLCJzc29fZmxh
ZyI6Ik4iLCJjZGhfaWQiOiIzNTkzNDg1IiwibXJfb3JpZ2luYWxfaWQiOiIifSwiaWRlbnRpdGllcyI6W3sidXNlcl9pZCI6IjVlMGJjODhmNDI4YjNiMTAzM2U1YTM3NCIsInByb3ZpZGVyIjoiYXV0aDAiLCJjb25uZWN0aW9uIjoiVXNlcm5hbWUtUGFzc3dvcmQtQXV0aGVudG
ljYXRpb24iLCJpc1NvY2lhbCI6ZmFsc2V9XSwiaXNzIjoiaHR0cHM6Ly9hdXRoLnJlcHVibGljc2VydmljZXMuY29tLyIsInN1YiI6ImF1dGgwfDVlMGJjODhmNDI4YjNiMTAzM2U1YTM3NCIsImF1ZCI6ImFrN2czc3pJNTV6ZVQzWWR2c2FIcktCTVN6dWYwN1JqIiwiaWF0Ijox
NTkxNjM5OTY2LCJleHAiOjE1OTE2NDIwNjZ9.O6Lr6mwdRDGnkajLvjles5OZUE6bdgeIc5NDmerKkyk","scope":"openid email user_metadata user_id app_metadata identities given_name offline_access","expires_in":86400,"refresh_token
":"wOSUKBkpPBE5cP2Fvjhqk_IyaVaUe1Yn-PMDlqvz2PiDr","token_type":"Bearer","state":"-cnRVfTo5leolNpTONy-08usnorvye89"}};v
From this page, I get the id_token because I need to put it in headers to get another page, but when I do it, I can't get the JSON page, instead, I receive and simple HTML page and that is not what I need. I also tried with the postman, I copied all headers and URL in postman but can't get the good response that i need. My header look like this:
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJlbWFpbCI6InAzcmVwdWJsaWMxMEBnbWFpbC5jb20iLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwidXNlcl9tZXRhZGF0YSI6eyJmaXJzdF9uYW1lIjoiUDMiLCJsYXN0X25hbWUiOiJXQyIsIm5hbWUiOiJQMyBXQyIsInVzZXJfcHJlZmVyZW5jZXMiOnsiUGFwZXJsZXNzIjpmYWxzZSwiUHJvbW90aW9uYWxTdGF0dXMiOiJmYWxzZSIsIlByb21vdGlvbmFsQ29tbVR5cGUiOiIiLCJTZXJ2aWNlQWxlcnRzQ29tbVR5cGUiOiJFbWFpbCIsIlNlcnZpY2VBbGVydHNTdGF0dXMiOiJmYWxzZSIsIlBob25lTnVtYmVyIjoiMTg4ODY3NjY0OTQiLCJNb2JpbGVOdW1iZXIiOiIiLCJPQlBTdGF0dXMiOiJ0cnVlIiwiSXNTZXR0aW5nVXBkYXRlZCI6InRydWUifSwib25ib2FyZFBhZ2VWaXNpdGVkIjpmYWxzZSwiZGVmYXVsdF9hY2NvdW50IjoiNDA2NDQxMCJ9LCJ1c2VyX2lkIjoiYXV0aDB8NWExZDcyYzhkNTFkZGQxOGUwODM3ZWFiIiwiYXBwX21ldGFkYXRhIjp7ImZpc191c2VybmFtZSI6IjIzOTM4NzUiLCJ1c2VyX3JvbGUiOiJDdXN0b21lciIsImNkaF9jb250YWN0X3Byb2ZpbGVfaWQiOiIyMzkzODc1IiwicmVnaXN0cmF0aW9uX3N0YXR1cyI6IkNEIiwidXNlcl90eXBlIjoiT1IiLCJmaXNfc3luY19zdGF0dXMiOiJDRCIsInNzb19mbGFnIjoiWSIsImNkaF9pZCI6IjIzNjU0MTMiLCJtcl9vcmlnaW5hbF9pZCI6IiJ9LCJpZGVudGl0aWVzIjpbeyJ1c2VyX2lkIjoiNWExZDcyYzhkNTFkZGQxOGUwODM3ZWFiIiwicHJvdmlkZXIiOiJhdXRoMCIsImNvbm5lY3Rpb24iOiJVc2VybmFtZS1QYXNzd29yZC1BdXRoZW50aWNhdGlvbiIsImlzU29jaWFsIjpmYWxzZX1dLCJpc3MiOiJodHRwczovL2F1dGgucmVwdWJsaWNzZXJ2aWNlcy5jb20vIiwic3ViIjoiYXV0aDB8NWExZDcyYzhkNTFkZGQxOGUwODM3ZWFiIiwiYXVkIjoiYWs3ZzNzekk1NXplVDNZZHZzYUhyS0JNU3p1ZjA3UmoiLCJpYXQiOjE1OTE2MzkxNzAsImV4cCI6MTU5MTY0MTI3MH0.RnPasIlFFHOhn7yvs7aHKepLZqdlobM3rAJH1TzxfNU
but something doesn't work good, any help, how at least I can get a good response in postman?
So, from I understood, you have troubles sending a request using the authorization header bearer token with Postman ?
If it is indeed the case, here's how to do it (just put the token in the form to the right, without the quotes of course) =>
If it's not what you asked, well I tried to help ^^
How can i get Basic authorization header and authenticate it for API by using PHP. I had created a unique key which is encoded and stored in database. i am using Slim Framework for rest API.
I can get the header by using $request->headers(); in Slim Framework. It returns all the headers specified, but how do i check that key with my database token.
Is there any proper way to do this?
I did it like this in Slim Framework 3:
I added the Middleware to all of the requests and checked the Authorization header for certain string and if the Authorization header is not set or doesnt match my string i just return 400 HTTP code.
$app->add(function($request,$response,$next){
$authorization_header = $request->getHeader("Authorization");
if(empty($authorization_header) || ($authorization_header[0]!="test")){ //you can check the header for a certain string or you can check if what is in the Authorization header exists in your database
return $response->withStatus(400);
}
$response = $next($request,$response);
return $response;
});
I'm making a request to retrieve a JSON file to a server at a particular secure DocuSign uri. However, unless I put in the authorization information (which I do have), I am unable to have the file returned.
<?php
$json = file_get_contents("https://example.docusign.com/sensitiveIDs/moreID");
echo $json
?>
Where would I put in authorization information for the specific server/username/password/other info needed to access the particular DocuSign server using a method like this in PHP? Is there a better method to use for this scenario in PHP?
It depends on how the authorization is implemented. If its basic or digest HTTP authentication then specify it in the URL:
file_get_contents("https://$USER:$PASSWORD#example.docusign.com/sensitiveIDs/moreID");
Cookie based authentication is a lot more difficult (and probably easier to use Curl or even a more complex system like Guzzle. If its oauth2, then you probably want an oauth2 library.
Your call needs to include authentication to make the GET call to retrieve the file.
If your app is initiated by a human use Oauth to retrieve access and refresh tokens. Then included the access token with the GET request.
If your app is a "system app" that wants to autonomously retrieve the file, then you should authenticate by using X-DocuSign-Authentication -- include the following header in your HTTPS request. Since the request is HTTPS, the content is encrypted on the wire:
X-DocuSign-Authentication: <DocuSignCredentials><Username>{name}</Username><Password>{password}</Password><IntegratorKey>{integrator_key}</IntegratorKey></DocuSignCredentials>
Replace {name} with your email address (no braces), etc.
The bottom line is that you can't use the file_get_contents Php method. Instead, you'd do something like the following:
Use https://github.com/rmccue/Requests or a similar library to help with the https request. (http is not allowed due to security issues.)
(untested code)
$url = $base_url . $the_url_section_for_this_call
$headers = array('X-DocuSign-Authentication' =>
'<DocuSignCredentials><Username>your_name</Username><Password>your_password</Password><IntegratorKey>your_integrator_key</IntegratorKey></DocuSignCredentials>');
$request = Requests::get($url, $headers);
# Check that the call succeeded (either 200 or 201 depending on the method
$status_code = $request->status_code;
if ($status_code != 200 && $status_code != 201) {
throw new Exception('Problem while calling DocuSign');
}
$json = $request->body;
The quick question is: is there ane way to change http authorisation header with html / php / javascript?
The goal
I'd like to make an auth service used for user login as well as providing with whole site protection. I want user to be restricted from viewing any file except login page unless authorised. For php I can of course check at the beginning for example session token availability, and redirect if missing, but I can't do it directly for for example jpg images. I thought of creating htaccess file that will verify if user is logged.
The solution
1.
Using Apache I've created .htaccess file, that verifies, if HTTP authorisation is set. If not it redirects any request to login page. With that solution one can not open any file (no matter if it is php script or for example jpg image) except of the login page:
RewriteCond %{HTTP:Authorization} ^$
RewriteCond %{REQUEST_URI} !^/login.php
RewriteRule .* /login.php [L,R]
2.
The login page should display form and when login and password are correct set the http request auth header with proper token.
Unfortunately I can't find a way to create manually http request auth header. The only way I found was to use basic auth:
$auth = new Auth();
if (!empty($_SERVER['PHP_AUTH_USER']) && !empty($_SESSION)) {
$auth->logout();
}
if (!empty($_SERVER['PHP_AUTH_USER']) && empty($_SESSION)) {
$login = $_SERVER['PHP_AUTH_USER'];
$haslo = (!empty($_SERVER['PHP_AUTH_PW']) ? Auth::hashPassword($_SERVER['PHP_AUTH_PW']) : null);
$auth->login($login, $haslo);
}
$auth->getLoginForm();
Where getLoginForm() displays Basic Auth standard form
public function getLoginForm()
{
header(self::HEADER_ERROR_ASK_CLIENT_DATA);
header(self::HEADER_RESPONSE_401);
exit;
}
This solution works, but http request auth header holds the original login data all the time, which is what I want to avoid. I want to inject there "Bearer + token" string, which will help in securing whole system.
What I've tried
I can easily do that with external frontend. For example with windows desktop app I can send one request with basic auth header and the next with bearer header.
The same I can do with JQuery and AJAX - I can retrieve token using url with basic auth, and then use token with custom header for next requests.
I can also make different requests with PHP CURL.
But I can't find a way to force regular browser to login with Basic auth header and after success keep new, custom bearer header for next requests.
There is no standard mechanism to get a User Agent (browser) to provide an Authorization: Bearer header by itself.
What you can do:
make sure all your requests are done via XHR (Ajax), and send the header there. But this will not allow "regular" file loads (new pages, images, scripts, CSS...).
what most people do: send a cookie with your authentication token, and check for that cookie. The browser will automatically send the cookie.
As an aside, note that your .htaccess only checks that there is an Authorization header present, not its value, so it's quite useless. You want to channel all reads via a script that will actually verify the header or cookie before delivering the file.
I've been banging my head against this problem for nearly two days now, and I'm hoping someone on this site can help me.
I live in China and have a server (shared hosting) located in Hong Kong. I've set up a PHP Twitter proxy on the server, and I connect to the proxy using Twitter for iPhone (AKA Tweetie). It's worked beautifully for the past year or so.
Twitter for iPhone was updated yesterday and now requires XAuth authorization to connect to twitter.com (previously, it used Basic Auth). Since the update, I haven't been able to authenticate myself using my proxy, in spite of making (what I believe to be) the appropriate changes to my proxy.
Conceptually, this isn't a very difficult problem to crack. In order to authenticate with twitter.com using XAuth, an app must send a POST request to https://api.twitter.com/oauth/access_token. The POST body must be of the form:
x_auth_username=aUserName&x_auth_mode=client_auth&x_auth_password=aPassword
Additionally, the POST request must have an Authorization header in the form:
OAuth oauth_signature_method="HMAC-SHA1", oauth_consumer_key="IQKbtAYlXsomeLGkey0HUA", oauth_nonce="8B265865-3F57-44FF-BCD6-E009EA7D4615", oauth_signature="sbwblaho64blahr934mZQ+23DYQ=", oauth_timestamp="1277356846", oauth_version="1.0"
So, what I've done is used .htaccess to copy the Auth header to a $_REQUEST variable using this code:
RewriteCond %{HTTP:Authorization} ^OAuth.*
RewriteRule (.*) index.php?OAuth=%{HTTP:Authorization} [QSA,L]
My proxy copies the contents of that $_REQUEST variable to an instance variable called $self->oauthHeader. Then, I make add it as a header to my cURL request using the following code:
if (isset($this->oauthHeader)) {
$headers[] = 'Authorization: '.$this->oauthHeader;
$headers[] = 'Content-Type: application/x-www-form-urlencoded';
$curl_options[CURLOPT_HTTPHEADER] = $headers;
}
I also add the original request's POST body to the cURL's POST body using:
$curl_options[CURLOPT_POST] = true;
$curl_options[CURLOPT_POSTFIELDS] = #file_get_contents("php://input");
I send the cURL request to Twitter. Everything seems to work correctly, but I inevitably receive a response of "Failed to validate oauth signature and token."
I'm at my wit's end, and I can't for the life of me think what I'm doing wrong. Any help would be much appreciated.
You can use this alternative solution, for jailbroken iOS devices only: http://code.google.com/p/gfwinterceptor/