I'm building out a RESTful API. I'm using API keys for my GET requests (base64 encoded over https to be secure) however I'm confused how to "authenticate" with POST requests.
I've read about basic authentication but that uses a username and password.
Is it good practice/correct to authenticate a POST request with an API key also? Is that something you would include as part of the headers?
How do I process the authentication on the server side (endpoint)?
Here's an example of the endpoint that I have for logging in (POST request):
if ($_POST) {
$email = $_POST['email'];
$email = stripslashes($email);
$email = strip_tags($email);
$password = $_POST['password'];
$password = stripslashes($password);
$password = strip_tags($password);
// Regular Login
$user = system::shared()->customers->login(
$email,
$password,
$error
);
if ($user) {
$output = json_encode($user);
} else {
$output = "Incorrect email/password. Please try again.";
}
echo $output;
} else {
http_response_code(405);
}
How would I use the code above to "authenticate" an API key. Is that just a POST field?
Thank you for your assistance
Related
I need help, while deploying slim framework on plesk shared hosting below mentioned issue is coming up.
actually it is working fine at local wamp server.
404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.
here is my code.
index.php:
require '../vendor/autoload.php';
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');
header('Access-Control-Max-Age: 86400');
$config = ['settings' => [
'addContentLengthHeader' => true,
'displayErrorDetails' => true
]];
$app = new \Slim\App($config);
require '../src/routes/hostUser.php';
require '../src/routes/user.php';
$app->run();
hostUser.php:
use \Psr\Http\Message\ServerRequestInterface as Request;
use \Psr\Http\Message\ResponseInterface as Response;
use Slim\Http\Message;
include_once 'Database.php';
var_dump($app);
$app->get('/loadprofile', function (Request $request, Response $response) {
$user_email = $_GET['emailid'];
$userid = $_GET['usertypeid'];
$database = new Database();
$db = $database->getConnection();
try {
$stmt = $db->prepare("SELECT * FROM user_details WHERE userid='".$userid."' AND email='".$user_email."'");
$stmt->execute();
$res = $stmt->fetch(PDO::FETCH_ASSOC);
return json_encode($res);
$db = null;
} catch(PDOException $e){
echo '{"error":{"text":'. $e->getMessage() .'}}';
}
});
The control reached till var_dump($app) but it is not executing loadprofile service.
enter image description here
i have issue with google api service account i have done successfull authentication and got the access token. when i try to run the query it shows error
Warning: You need to set Client ID, Email address and the location of
the Key from the Google API console:
http://developers.google.com/consoleThere wan a general error : Error
calling GE T
(403)
User does not have any Google Analytics account.
i have multiple websites and multiple accounts in it. the google account is an admin account please check the code below.
$key_file_location = 'key path';
$client = new Google_Client();
$client->setApplicationName("name");
$client->setClientId($client_id);
if (isset($_SESSION['service_token'])) {
$client->setAccessToken($_SESSION['service_token']);
}
$key = file_get_contents($key_file_location);
$cred = new Google_Auth_AssertionCredentials(
$service_account_name,
array('https://www.googleapis.com/auth/analytics.readonly'),
$key
);
$client->setAssertionCredentials($cred);
if ($client->getAuth()->isAccessTokenExpired()) {
$client->getAuth()->refreshTokenWithAssertion($cred);
}
$client->setAccessType('offline_access');
$client->getAccessToken();
$service = new Google_Service_Analytics($client);
$analytics_id = 'ga:xxxxxx';
$lastWeek = date('Y-m-d', strtotime('-1 week'));
$today = date('Y-m-d');
try {
$results = $service->data_ga->get($analytics_id, $lastWeek, $today,'ga:visits');
echo '<b>Number of visits this week:</b> ';
echo $results['totalsForAllResults']['ga:visits'];
} catch(Exception $e) {
echo 'There was an error : - ' . $e->getMessage();
}
I have a CGI server side script that accepts GET and POST, with login parameters.
I want to test it to make sure it is not vulnerable. So the plan is to use Perl LWP, and send login parameters in GET and POST, and compare the results. the interface has been changed, so that only in POST we can send user-name and password in session cookies ( not sure if that is a great idea ) , so how do i test it ? Here is what i have so far:
#!/usr/bin/perl
use LWP;
print "This is libwww-perl-$LWP::VERSION\n";
# Create a user agent object
use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
$ua->agent("MyApp/0.1 ");
# Create a request
#my $req = HTTP::Request->new(POST => 'http://search.cpan.org/search');
#my $req = HTTP::Request->new(GET => 'https://qa.co.net:443/cgi-bin/n-cu.cgi');
my $req = HTTP::Request->new(GET => 'https://qa.co.net:443/cgi-bin/n-cu.cgi?mode=frameset&JScript=1&remote_user&login=foo&password=foo HTTP/1.1');
$req->content_type('application/x-www-form-urlencoded');
$req->content('query=libwww-perl&mode=dist');
# Pass request to the user agent and get a response back
my $res = $ua->request($req);
# Check the outcome of the response
if ($res->is_success) {
print $res->content;
#print $res->code;
#print $res->message;
}
else {
print $res->status_line, "\n";
}
This is not going to do it, since it does not have the session cookie stuff. But might be a good start though. Is this the right way to test the GET and POST ?
Here is what was implemented in the cgi:
#cr_login for POST && login for GET -- leave GET param as it used to be.
if ($m eq 'GET' && defined($req->param('login'))) {
$msg = 'parameter "login" is invalid for this request type.';
+ my $seclog = $event_logging_directory . '/invalid_request.log';
+ open(S, ">>$seclog") or die $!;
+ my $logmsg = sprintf("%4d-%02d-%02d %02d:%02d:%02d",Today_and_Now())
+ . "|mode:" . $req->param('mode')
+ . "|login:" . $req->param('login')
+ . "|remote_addr:" . $ENV{REMOTE_ADDR}
+ . "|$msg\n";
+ print S $logmsg;
and :
POST request to n-cu.cgi should use parameter "cr_login". If the parameter "login" is passed in a post request, it should throw error and return to login screen.
GET request to n-cu.cgi should use the parameter "login". If the parameter "cr_login" is passed in a post request, it should throw error and return to login screen.
so here is how we do it:
Keep the session cookie and context alive :
my $browser = LWP::UserAgent->new(keep_alive => 10);
$browser->cookie_jar( {} );
$browser->agent('Mozilla/8.0');
#$browser->ssl_opts({ verify_hostname => 0 });
$browser->show_progress(1);
and later: print the response
print "Cookies:\n", Dumper($browser->cookie_jar()), "\n\n";
my $content = $response->as_string;
print "$content\n";
Sending password in a cookie? Nope.
Disallow GET for /login.
POST username and password to /login, over SSL.
In CGI, the GET/POST is indicated via the REQUEST_METHOD environment variable.
You cannot stop determined people from issuing a GET request to your server, but you can refuse to process it like so (untested code - you have to fill in details):
if ($ENV{REQUEST_METHOD} ne 'POST') {
# issue a redirect to a suitable error page, then return.
}
my $q = CGI->new();
my $user = $q->params('username');
my $password = $q->params('password');
my $encrypted_password = my_password_encryptor($password);
unless ( can_log_in($user, $encrypted_password) ) {
# issue an error message - redirect&return or fall-through...
}
else {
$session->set_user_logged_in();
}
Most people do not roll their own authentication or session handling. They mostly use one from CPAN, or one included with the larger app framework. If you're doing CGI, you can use CGI::Session.
You might give CGI::Application and/or its offspring a look. Those authors have already solved a bunch of the problems that you're encountering.
I'm creating an intranet, therefore all users have account automatically created for them. They then go to a url to create their password. All that works great. I'm now trying to allow them to "attach" their Facebook account to their user account. This is where my troubles have started...
I've successfully gotten the user to authenticate properly after a facebook login with this
method in SecurityController
public function loginCheckFacebookAction()
{
$request = $this->getRequest();
$session = $request->getSession();
$response = new Response();
$sessionUser = $this->getUser();
$facebook = $this->get('facebook');
$fbUser = $facebook->getUser(); // facebook id
if ($fbUser) {
try {
$em = $this->getDoctrine()->getManager();
$repo = $em->getRepository("IntranetBundle:User");
$user = $repo->findUserByFBID($fbUser);
if($user){
$targetPath = $session->get("_target_path");
$firewall = "secured_area";
$roles = $user->getRoles();
$rolesArray = array();
foreach($roles as $role):
$rolesArray[] = $role->getRole();
endforeach;
$token = new UsernamePasswordToken($user, $user->getPassword(), $firewall, $rolesArray);
$event = new InteractiveLoginEvent($this->getRequest(), $token);
$this->get("event_dispatcher")->dispatch("security.interactive_login", $event);
$this->get('security.context')->setToken($token);
/*
If I uncomment out either of the following redirects
the redirect happens but the user is not authenticated properly
If I comment them out I'm just rendering my error template. The user
however, is authenticated properly.
*/
if(isset($targetPath)){
//return $this->redirect($targetPath);
} else {
//return $this->redirect($this->generateUrl("ssla_intranet_homepage"));
}
}
} catch (FacebookApiException $e) {
$user = null;
}
// I just render this template to be able to view debug bar.
//User is authenticated properly.
$pageParameters = $this->getPageParameters();
$pageParameters["page"] = "error";
$pageParameters["error"] = array();
$pageParameters["error"]["message"] = "Something went wrong with authentication";
return $this->render('IntranetBundle:Error:index.html.twig', $pageParameters);
}
Do I need to register a listener for all interactive_login events that then handles all post-login redirection rather than trying to redirect within the same method?
First project using Symfony, and this is killing me. Any thoughts?
By the way, I've looked into the FOSFacebookBundle, but wanted to be able to authenticate with a number of different methods, including doctrine, gmail, facebook, and twitter.
The user is logged in successful via fosfacebookbundle in symfony2.1
Related to this topic: "A user access token is required to request this resource." Facebook graph for notifications
I want to send a notification to a user. The access token looks like this ...234|asdf....
$token_url = 'https://graph.facebook.com/oauth/access_token?grant_type=
client_credentials&client_id=' . $app_id . '&
client_secret=' . $app_secret;
$access_token = file_get_contents($token_url);
//After that I do a preg_split. Or for testing I print out the access token
and I define it manual in the php file `$access_token = '...234|asdf...';`
$userid = 12345;
$inviteMessage = 'Test_message';
$inviteMessage = urlencode($inviteMessage);
$url = "https://graph.facebook.com/" . $userid . "/notifications?access_token=" .
$access_token . "&template=" . $inviteMessage;
$c = curl_init($url);
// necessary so CURL doesn't dump the results on your page
curl_setopt($c, CURLOPT_POST, true);
$result = curl_exec($c);
curl_close($c);
$r = json_decode($result);
print_r($r);
print_r gives me this: Sorry, something went wrong! Facebook Inc.
If I am directly put this in the address line:
https://graph.facebook.com/12345/notifications?access_token=access_token=...234|asdf...&template=Test_message
Error message:
{
"error": {
"message": "Invalid OAuth access token signature.",
"type": "OAuthException",
"code": 190
}
}
What is wrong?
Update
What is the meaning of href in developers.facebook.com/docs/concepts/notifications?