Php curl server authentication

PHP cURL: Authentication

While testing; knocking on a server’s door that performs validation is not a good idea. After a few failed attempts you are bound to trigger some defense mechanism. This can take the form of a timed delay to next login or awaken the draconian dragon, which will ban your IP address.

With the above in mind it is best to simulate before committing to a real server.

Note: Always first check to see if a test server is provided for example most financial gateways do. Hence you can hammer these to your hearts content without awaking that draconian dragon.

Authentication Test Server

Our test server curl_2 is easily converted into a authentication server you don’t even have to restart it.

Edit file C:\curl_2\UniServer\www\.htaccess

#AuthName "Uniform Server - Server Access" #AuthType Basic #AuthUserFile C:/curl_2/UniServer/htpasswd/www/.htpasswd #Require valid-user

AuthName "Uniform Server - Server Access" AuthType Basic AuthUserFile C:/curl_2/UniServer/htpasswd/www/.htpasswd Require valid-user

Type http://localhost:82/ into your browser, when challenged for a name and password press cancel.

A page is displayed with something like Authorization Required, this confirms authentication is enabled.

Example 5 — Download and display a page

Create a new text file in folder C:\curl_1\UniServer\www and name it test5.php add the following content

• Run both servers
• Type http://localhost/test5.php into your browser
• Result: Page displayed as follows

Authorization Required This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

The above proves our servers are set-up and working correctly.

Add Name and Password response

The above fails because we have not informed Curl how to respond when challenged for a name and password.

In reality all that is requied is to pass Curl a name and password it knows how ro respond to a challenge.

A name and password is passed to Curl using the following function:

Our test server curl_2 uses Uniform Server’s defaults name=root password=root

Modify file C:\curl_1\UniServer\www\test5.php

• Run both servers
• Type http://localhost/test5.php into your browser
• Result: Your IP is 127.0.0.1 — displayed

When a Curl session is closed communication to a remote server is also closed.

What that means every time a script is run a remote server will always issue a name/password challenge.

Example 6 — Download and save page to a variable

I have taken example 4 and added the above line.

Create a new text file in folder C:\curl_1\UniServer\www and name it test6.php add the following content

"; > else< print "There was data returned using curl.
"; print "Buffer content = ".$buffer."
"; // Extract IP address if(preg_match("/(\d\.\d\.\d\.\d)/", $buffer, $ipmatch)) < $ip = $ipmatch[0]; // Save IP to variable print $ip; >> ?>

There was data returned using curl. Buffer content = Your IP is 127.0.0.1 127.0.0.1

Summary

Well returning a name and password when challenged was not difficult requiring only a single function.

Very few providers allow name/passwords over an unencrypted connection.

The next page covers connecting to a server using https (SSL)

Источник

PHP cURL API calls with authentication (REST GET POST)

If you’re here because you want to connect your php code to an external API, please check my cURL api-calls with php tutorial first. This is part 2 of how to connect to an API using cURL in php, as I received a lot of questions on how to connect if the API requires authentication (utoken) first.

Heads up: This time, I will be using Javascript for more flexibility. As I need to make an ‘authentication’ api call first before our initial GET call. Therefore I create my API calls in my own php files on the side, and will target these files using ES6 async/fetch from within my page. If you see me linking to my-site.com, this means I created the file myself, on my own server. If I’m linking to api-site.com, this means I’m making a call the the external API.

Generating an auth key

Some API’s only allow POST or GET requests if you use an auth-token. We need to generate this auth-token first, before we are allowed to make API calls. Normally the API docs should explain how you can generate their auth-token. In my example, I can generate an auth-token by posting my API client ID, client_secret and a login type to their API Auth file.

Here is how I can generate and use my auth-token, based on the cURL script of my part-1 tutorial. In this tutorial, I’ll be calling this file api/auth.php

$curl = curl_init(); $auth_data = array( 'client_id' => 'XBnKaywRCrj05mM-XXX-6DXuZ3FFkUgiw45', 'client_secret' => 'btHTWVNMUATHEnF-XXX-2nQabKcKVo3VXtU', 'grant_type' => 'client_credentials' ); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $auth_data); curl_setopt($curl, CURLOPT_URL, 'https://api-site.com/oauth/token'); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); $result = curl_exec($curl); if(!$result) curl_close($curl); echo $result;

This will return an auth-token for me. With this auth token, I can start making normal API calls like POST and GET. However.. My example API only keeps my auth-token alive for 2 weeks AND will only allow 3 auth-tokens at a time. So for each call I make, I need to regenerate this. This is why I’m using JS as example, so we can easily quickly generate the AUTH token before our own call. For this, I have a separate JS function to post to our own api/auth.php: JS

const apiAuth = async () => < try< const response = await fetch('https://my-site.com/api/auth.php'); if(response.ok)< return response.json(); >throw new Error(`apiAuth_response: $`); >catch(error)< console.error(`apiAuth: $`); > >

This is the JS-script and the PHP-script I’m using to generate an auth-token for my API. I’m using await to make sure our script only continuous when we do have received the Auth token. If we don’t await this token, it’s possible the rest of our script will already try to make the API call without the utoken, and will return errors.

How to use our Auth-token?

Ok good, now we have an auth-token for our app… How do we use this?

cURL GET request (with Authentication)

In most cases (I think) you need to add your auth-token to the url you’re using to make a valid API call. Again, you should be able to find this in the documentation of the API your using. In my example, if I want to make an API call, my link should look like this: api/get_all_reviews.php

https://api-site.com/v1/apps/' . $app_key . '/reviews?utoken=' . $utoken;

We do know our $app_key and we just generated our $utoken. So our .php file to make the GET-call would look like this: ($_POST[‘auth_token’] will be our received utoken from our previous function.

if(isset($_POST['access_token'])) < $app_key = 'XBnKaywRCrj05m-XXX-v6DXuZ3FFkUgiw45'; $utoken = $_POST['access_token']; $url = 'https://api-site.com/v1/apps/' . $app_key . '/reviews?utoken=' . $utoken; $curl = curl_init(); curl_setopt($curl, CURLOPT_URL, $url); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); $result = curl_exec($curl); if(!$result)curl_close($curl); echo $result; >

This will return all our product-reviews in the example I picked for this tutorial. Now we still need to target this GET php file with our JS and don’t forget to generate our utoken first! JS

const getAllReviews = async () => < const auth = await apiAuth(); const data = < access_token: auth.access_token, token_type: auth.token_type, >try< $.post(< type: 'POST', url: 'http://my-site.com/api/get_all_reviews.php', data: data >) .success(res => < const data = JSON.parse(res); const reviews = data.reviews; displayAllReviews(reviews, $('.review-list')); >); >catch(error)< console.error(`getAllReviews: $`); > >

As you can see we await the Auth function again, before we continue with our original API call. We post the received auth.access_token together with our form data to our GET php script. The displayAllReviews() is a random function, that I am passing our received data to. So here you can call your own functions, depending on what you want to do with this data.

cURL POST request (with Authentication)

Same for POST as with GET, we need to add our utoken (Auth-token) to the url. Here is an example of my POST link to the API, with my utoken: api/post_review.php

if(isset($_POST['success'])) < $p_url = 'https://product-link.com'; $email = $_POST['email']; $post_array = array( 'appkey' =>'XBnKaywRCrj05m-XXX-v6DXuZ3FFkUgiw45', 'domain' => 'https://api-site.com', 'product_url' => $p_url, 'email' => $email, 'review_content' => $_POST['message'], 'review_title' => $_POST['title'], 'review_score' => $_POST['star_rating_value'] ); postReview($post_array); >else < $response = array( 'response' =>'error', 'message' => 'POST is required to use this function' ); > function postReview($post_array) < $curl = curl_init(); curl_setopt($curl, CURLOPT_POST, 1); curl_setopt($curl, CURLOPT_POSTFIELDS, $post_array); curl_setopt($curl, CURLOPT_URL, 'https://api-site.com/v1/reviews'); curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1); curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC); $result = curl_exec($curl); if(!$result)curl_close($curl); echo $result; >

To make a POST, I first gather all the information I need to make the post. (like user-email and the product URL I want to post a review for). When I have all the data, I call the postReview function, that will make the POST API call. We need to gather all this data up-front, otherwise we are not allowed to make our API call. As our POST request doesn’t require a utoken variable.

Now the JS script I used for this: JS

function postSiteReview(data, form)< $.ajax(< url: 'https://my-site.com/api/post_review.php', type: 'post', data: data, success: function(result)< let res = JSON.parse(result); let message = ''; if(res.code === 200)< form.find('.success-message').fadeIn(); >else < if(res.response === 'error')< message = res.message; >if(res.status && res.status.code === 500) < message = res.status.message; >$('p.error-msg').text(`Uh ooh.. $`); > >, error: function(err) < console.log('$.ajax error: ' + err); >>); >

No Access-Control-Allow-Origin header is present – (CORS)

If you’re making JS calls to your own php-files, but your files are on a different server, please at following line at the top of each .php file you’re using:

header("Access-Control-Allow-Origin: https://my-site.com");

This should fix the access-control error you’re seeing in the js-console.

I really hope this part is well-explained as well. If not, please feel free to ask in the comments. (I can not guarantee you will get a response).

Let me know if it works for you.
Happy coding!

Get the latest posts and other things in your inbox

Receive our best-off articles straight in your inbox! Just once each quarter, because no one likes spam.

Thank You!

Thank you for subscribing. Our thank you message is already heading your way!

Read more related topics?

Leave a Reply Cancel reply

10 Comments

Hi weichie, I’ve been struggling to call external API using cURL and php. I have client secret and client id as well as callback URL but i cannot get the user email or user id. Can you help me with this?

i really appreciated your efforts to explain this concept succinctly.
all other parts of this tutorial work smoothly as expected.
However, i did not fully get the javascript implementation.
for this function “function postSiteReview(data, form)” kindly explain the meaning of the parameters how to invoke it.

You may always reach out to me through the contact page. Please note that I cannot offer one-on-one support for every request, but you can always try your chances.

Hi,
first of all thanks a lot for this post.
Here $app_key and client_id both are the same ?
$auth_data = array(
‘client_id’ => ‘XBnKaywRCrj05mM-XXX-6DXuZ3FFkUgiw45’,
‘client_secret’ => ‘btHTWVNMUATHEnF-XXX-2nQabKcKVo3VXtU’,
‘grant_type’ => ‘client_credentials’
);
here client_credentials means username and password that will be provided by the api provider ?

Oh, I see $_POST in the PHP documentation. I guess I’m not using it right, though. It doesn’t seem to be working for me. I’m guessing [‘access_token’] is an endpoint specific to your API.

How do you authenticate when calling https://my-site.com/api/auth.php? or can anyone call this service and get a valid auth token?

Anyone can call the url, but only if you post the correct user data you will receive a valid auth token. Otherwise it should return an error like ‘invalid user credentials’ or something

Источник

How to make a PHP curl request with basic authentication

When accessing API request over PHP curl, some routes are authentication required. Also third party API mostly required to authenticate before accepting request. This can be done by Bearer or Basic authentication method.

In this article, we will see how to send PHP curl request on authentication protected url. You need to send user and password data with the request. Below example send the get request which requires basic authentication:

[email protected]'; $password = '123456'; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_USERPWD, $username.':'.$password); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch);

You can also send curl request using Authorization header. Curl CURLOPT_USERPWD option basically send Authorization header with value of username:password in a base64 format. You can do it as below:

[email protected]'; $password = '123456'; $headers = array( 'Authorization: Basic '. base64_encode($username.':'.$password) ); $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_HEADER, 1); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); $response = curl_exec($ch); curl_close($ch);

This way, you can also make curl request over the routes which requires authentication. If you like the article,like our Facebook page and follow us on Twitter.

Источник