I'm trying to perform a POST request and I'm trying to do it with digest authentication. With libcurl, I set the options:
curl_easy_setopt(curl_handle, CURLOPT_HTTPAUTH, CURLAUTH_DIGEST);
curl_easy_setopt(curl_handle, CURLOPT_USERPWD, "username:password");
before setting all the other options (POST, URL and everything). The server closes my connection and I think that no digest is made. I just don't know how to automatically obtain the challenge-response behaviour of the digest. If I set HTTPAUTH to CURLAUTH_BASIC it encodes the stuff, and with the VERBOSE option I see the header containing authorization = basic. With digest, no headers.
Do you know how I can do it, or can you give me an example? I really searched everywhere.
For a basic POST request you should do:
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:pwd");
curl_easy_setopt(hnd, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST);
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
For a multipart POST (a.k.a multipart/form-data):
struct curl_httppost *post = NULL;    /* curl_formadd() requires both pointers to start as NULL */
struct curl_httppost *postend = NULL;
/* setup your POST body with `curl_formadd(&post, &postend, ...)` */
curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:pwd");
curl_easy_setopt(hnd, CURLOPT_HTTPPOST, post);
curl_easy_setopt(hnd, CURLOPT_HTTPAUTH, (long)CURLAUTH_DIGEST);
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
Pro-tip: use curl command-line tool with --libcurl request.c: it outputs into this C file the list of options used to perform the corresponding request.
I have a CakePHP API Server that triggers the sending of Push Notifications to devices using the following code:
$url = 'https://fcm.googleapis.com/fcm/send';
$headers = array(
'Authorization:key = <Authorization Key>',
'Content-Type: application/json'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); // certificate host name check is turned off
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // server certificate is not verified
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
$result = curl_exec($ch);
if ($result === false ){
die('Curl failed: '. curl_error($ch));
}
curl_close($ch);
When endpoint calls are made to the server and trigger the above code, there is a delay due to its execution (the above code works fine).
I would ideally like this time eliminated as the code does not affect the response message. Is there a way of managing push notifications in a way that can eliminate the response time on the endpoint request?
Implement a queue. Send the task of sending the API call to a worker and you don't have to wait until it's finished.
Check this plugin out: https://github.com/josegonzalez/php-queuesadilla. It will allow you to create tasks and queue them. Or this CakePHP-specific plugin: https://github.com/dereuromark/cakephp-queue
I used the following C code to perform digest authentication with my HTTP server.
curl_easy_setopt(curl, CURLOPT_USERNAME, user_id);
curl_easy_setopt(curl, CURLOPT_PASSWORD, passwd);
curl_easy_setopt(curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC|CURLAUTH_DIGEST);
My HTTP client (libcurl) receives HTTP 401 and does not proceed to the digest authentication.
It works for an older version.
I also retried with the following command:
root#OpenWrt:~# curl --data {"red":"00"} --digest -u "admin:admin" "http://192.168.1.200:8080/openacs/acs"
<html><head><title>JBossWeb/2.0.1.GA - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication ().</u></p><HR size="1" noshade="noshade"><h3>JBossWeb/2.0.1.GA</h3></body></html>root#OpenWrt:~#
And it doesn't work.
What am I missing?
I'm able to get HTTP response code like this:
curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &ResponseCode);
But how can I get response error text? I thought that CURLOPT_ERRORBUFFER could help me:
char error_buf[CURL_ERROR_SIZE];
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error_buf);
But it seems empty even if ResponseCode=500 and request status text returns (I'm sure about this because JQuery ajax request shows it). So how to do this?
Solved it:
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1L); //<= this is important, but not obvious
char error_buf[CURL_ERROR_SIZE];
curl_easy_setopt(curl, CURLOPT_ERRORBUFFER, error_buf);
It turns out that despite HTTP response code 500, CURLcode was CURLE_OK. This is the default behavior, and that is why there was no error message in error_buf. CURLOPT_FAILONERROR forces Curl to convert all response codes >= 300 to errors.
The return value of curl_easy_perform can be passed to curl_easy_strerror to get a text representation of the error. It may not be the 'response error' you wanted, but it helps to get the reason why the request ended with a code like 500.
I have created a method that I want to expose to the outside world. My application is controlled by ACL. So to consume the RESTful service you send the data in GET or POST to that method via URL.
http://mysite.com?action=this&data=this etc
But I think I need to send the username and password too with it, don't I? Also, if I do, then where do I add it?
** WHAT HAVE I TRIED **
<?php
$ch = curl_init("http://test.local/sites/loginData");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curl, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($curl, CURLOPT_USERPWD, 'user:password');
// sending username and pwd.
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($curl, CURLOPT_USERAGENT, 'Sample Code');
curl_setopt($curl, CURLINFO_HEADER_OUT, true);
$output = curl_exec($ch);
print_r($output);
curl_close($ch);
echo '<br><br>';
echo $output;
?>
But it doesn't show me any response.
If you are using http basic auth you have to configure the auth component in CakePHP properly to use that authentication mechanism.
See http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#authentication for authentication
and this http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#configuring-authorization-handlers for authorization via ACL.
I wanted to use published GoogleDocs documents and twitter tweets as the datasource of a Silverlight application but ran into clientaccesspolicy issues.
I read many articles like this and this about how difficult it is to get around the clientaccesspolicy issue.
So I wrote this CURL script and put it on my PHP site and now I can get the text of any GoogleDocs document and twitter feed into my Silverlight application:
<?php
$url = filter_input(INPUT_GET, 'url',FILTER_SANITIZE_STRING);
$validUrls[] = "http://docs.google.com";
$validUrls[] = "http://twitter.com/statuses/user_timeline";
if(beginsWithOneOfThese($url, $validUrls)) {
    $user_agent = 'Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)';
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie");
    curl_setopt($ch, CURLOPT_COOKIEFILE, "/tmp/cookie");
    curl_setopt($ch, CURLOPT_URL, $url );
    curl_setopt($ch, CURLOPT_FAILONERROR, 1);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    curl_setopt($ch, CURLOPT_USERAGENT, $user_agent);
    curl_setopt($ch, CURLOPT_VERBOSE, 0);
    echo curl_exec($ch);
} else
    echo "invalid url";
function beginsWithOneOfThese($main, $prefixes) {
    foreach($prefixes as $prefix) {
        if(beginsWith($main, $prefix))
            return true;
    }
    return false;
}
function beginsWith($main, $prefix) {
    return strpos($main, $prefix) === 0;
}
?>
So it makes me wonder:
Why is there so much discussion about whether or not URLs support clientaccesspolicy or not, since you just have to write a simple proxy script and get the information through it?
Why aren't there services, e.g. like the URL shortening services, which supply this functionality?
What are the security implications of having a script like this?
While you might think that a proxy gives you the same capabilities as having the client make the request, it doesn't. More specifically, you won't have the client's cookies/credentials for the target site, and in some cases, a client can reach the target site but your proxy can't (e.g. Intranet).
http://blogs.msdn.com/ieinternals/archive/2009/08/28/Explaining-Same-Origin-Policy-Part-1-Deny-Read.aspx explains Same Origin Policy at some length.
In terms of the security implications for your proxy-- well, that depends on whether you have access control on that. If not, a bad guy could use your proxy to hide his tracks as he hacks sites or downloads illegal content.
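On the access-control point for the proxy script, an added example (not part of the original question or answer): the URL check can parse the URL and compare scheme and host exactly, where a string-prefix match also accepts any host that merely starts with an allowed name. The function name `isAllowedProxyUrl`, the `$allowed` layout and the sample URLs are assumptions constructed for illustration.

```php
<?php
// Added example: allowlist check for the proxy script discussed above.
// isAllowedProxyUrl() and $allowed are hypothetical names, not from the post.

// Exact host => permitted path prefixes (the two targets named in the post).
$allowed = [
    'docs.google.com' => ['/'],
    'twitter.com'     => ['/statuses/user_timeline'],
];

function isAllowedProxyUrl(string $url, array $allowed): bool
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;                       // malformed or relative URL
    }
    // Only plain web schemes; rejects file://, gopher:// and similar.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Embedded credentials or an explicit port are never needed here.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    if (!array_key_exists($host, $allowed)) {
        return false;                       // exact host match, not a prefix
    }
    $path = $parts['path'] ?? '/';
    foreach ($allowed[$host] as $prefix) {
        if (strpos($path, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs.
$samples = [
    'http://docs.google.com/View?id=abc',
    'http://twitter.com/statuses/user_timeline/12345.xml',
    'http://docs.google.com.example.invalid/',   // host only starts with an allowed name
    'http://docs.google.com@example.invalid/',   // allowed name sits in the userinfo part
    'file:///etc/hostname',
];
foreach ($samples as $u) {
    printf("%-55s %s\n", $u, isAllowedProxyUrl($u, $allowed) ? 'allow' : 'reject');
}
```

The check only covers the URL the client supplies, so it relies on the script keeping CURLOPT_FOLLOWLOCATION at 0, as the post does.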