Hi,

First off, thank you so much for the great auth and crud APIs. You have really saved me (and I'm sure, many others) a lot of time by making them available publicly!

Anyway, I've managed to get the everything up and running in my environment to a point where I can use PostMan and/or a Browser to register a user, authenticate this user and then use the resulting CSRF token to perform GET/POST/PUT requests as advertised.

My issue arises when I try to send a cURL (GET) request from the project directory on my Production Web Server to the API to retrieve a list of Users from the database. The same URL entered into the browser retrieves the data as expected but not when it is accessed via a cURL request.

My code is as follows:

$Url = 'http://example/api/Users?transform=1&csrf='.$_SESSION['csrf'];

$ch = curl_init();

$timeout = 5;
curl_setopt($ch, CURLOPT_URL, $Url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);

$Users = curl_exec($ch);

if ($Users === FALSE) {
    die("Curl failed: " . curL_error($ch));
}

$ch_info = curl_getinfo($ch);

var_dump($Url, $Users, $Users['Users'], $ch_info);

curl_close($ch);

In the above code, var_dump shows me the following:

1. $Url -> http://example/api/Users?transform=1&csrf=1234567890123456789
2. $Users -> string (0) ""
3. $Users['Users'] -> string (0) ""
4. $ch_info -> ["url"] ->http://example/api/Users?transform=1&csrf=1234567890123456789, ["http_code"]=> int(401) amongst other things...

I worked around this issue by performing the GET using client-side AJAX/JQuery which tells me that I have a Cookies-related issue as the CSRF I receive from the User Auth request will create a client-side Cookie and I need one that sit on the Server for internal Auth.

I hope the above makes sense to you and you can give me some insight into what I've done wrong and how to go about fixing it?

Thanks in advance for your help!

csrf token is still generated when no username/password is provided or if username/password is wrong. Is this an error or should be be checked by developer?

UPDATE:
i was able to check if the fields were blank using javascript, How can i check if the username/password is wrong? Should i be using the server method in your example? I think i am using simple right now.

Hey sir,

I've been playing around with your regular API and it is great fun and very helpful. I want to add the AUTH plugin but have trouble doing so.

I've added the respective lines in the api.php (uncommented the parts near the end):

require 'auth.php'; $auth = new PHP_API_AUTH(array( 'authenticator'=>function($user,$pass){ $_SESSION['user']=($user=='admin' && $pass=='admin'); } )); if ($auth->executeCommand()) exit(0); if (empty($_SESSION['user']) || !$auth->hasValidCsrfToken()) { header('HTTP/1.0 401 Unauthorized'); exit(0); }

I've also added the auth.php and the login/logout.html pages. When using login.html I receive a token result in the body and the header and also a cookie.

Once I perform /api.php?csrf=MYTOKEN I receive the swagger output.
Trying to access /api.php?csrf=MYTOKEN/ or /api.php?csrf=MYTOKEN/TableName I receive a 401 unauthorized.

Accessing the table without the auth plugin works perfectly fine. I cant figure out what I am doing wrong. I have taken everything from the source here and just adjusted my database configuration. When sending my request for the table I can see in Fiddler that the cookie is sent, too. It is also the same cookie I have received during the login procedure.

Any hints? My .php is very limited and I have failed to turn something up in google.
Thanks a bunch for any help.
chris

I have a problem with authentication using token. I use Postman. My steps:

1. Send POST to login_token.php with username and password and I get correct token
2. Send GET to api.php with Bearer Token and I get 401 Unauthorized

Could you tell me what I'm doing wrong?

Hello
I am stuck with understanding how the Auth works.

require 'auth.php'; // from the PHP-API-AUTH project, see: https://github.com/mevdschee/php-api-auth
// uncomment the lines below for token+session based authentication (see "login_token.html" + "login_token.php"):

$auth = new PHP_API_AUTH(array(
    'secret'=>'xxxxxxxxxxxxxxxxxxxxxx',
    'authenticator'=>function($user,$pass){ 

    	$connection = new MySQL();
        $conObject = $connection->connect('xxxxxxx','xxxxxxx','xxxxxxx','xxxxxxx','xxxxxxx','xxxxxxx','xxxxxxx');
        $sql = "SELECT * FROM user where username='".$user."' AND password='".$pass."'";
        $result = $connection->query($sql);
        $recordsFound = $connection->affectedRows($result);
        if($recordsFound){
            $rows = $connection->fetchAssoc($result);
            $_SESSION['user']=($user==$rows['username'] && $pass==$rows['password']);     
        }else{
        	header('HTTP/1.0 401 Unauthorized');
            echo json_encode(["username and password are wrong"]);
            exit;
        }
   	},
    'ttl'=>30
    
));
if ($auth->executeCommand()) {
    exit(0);
}
if (empty($_SESSION['user']) || !$auth->hasValidCsrfToken()) {
    header('HTTP/1.0 401 Unauthorized');
    exit(0);
}

Here i generate successful token now stuck to get information about the user.
http://www.example.com/user/2/ ( always get 401 )

For stand-alone mode it is working fine but after adding php-api-auth it is not working properly.
// uncomment the lines below when running in stand-alone mode:

$api = new PHP_CRUD_API(array(
	'dbengine'=>'*****',
	------------------------
));
$api->executeCommand();

So please help me here
Thanks in advance.

Hey @mevdschee . First of all thanks for this awesome tool. I'm just wondering if there's any way to use the auth only for PUT/POST/DELETE requests to prevent inserts or updates of unwanted data and leave the GET requests publics (without auth).

I've enabled simple user/pass authentication and it works fine when I try to post records using get.

I use curl to post username and password as defined on api.php and get the csrf token in return I then send the csrf on the url as api.php/table/?csrf=tokenvalue and it returns the json with the records as expected.

The problem is when I try to create a record also using curl. I first post the username and password, get the proper token, but when I send the csrf as one of the post fields it does not work. I've also tried using in the curl url as /?csrf=tokenvalue but no luck.

I hope I explained the issue well enough and I would really appreciate your help perhaps with a simples post create example.

Thanks.

If we don't put the correct credentials we can get the access to the api, this is correct?

Hi!

Thanks again for the great api's!

I've been successfully using Form+Session auth and have had very little trouble (at least since the last time you pointed me in the right direction). Yesterday, I decided to try out Token+Session auth to see if it might suit some of my auth needs better.

I tried using the following block of code:

$auth = new PHP_API_AUTH(array(
 	'secret'=>'mysecrethere',
 	'authenticator'=>function($user,$pass){ $_SESSION['user']=($user=='admin' && $pass=='admin'); }
));
if ($auth->executeCommand()) exit(0);

...and expectedly receive a valid JWT indicating "user": true.

Where I am currently stuck, is what to do from here. Do I need to post the JWT back to the API in order to get a CSRF for use in the CRUD transactions or, do I use the JWT itself in place of the CSRF in the CRUD transactions? I've tried both but seem to be getting a null CSRF in the first instance and a 401-Unauthorized in the second instance.

Please help see what I'm doing wrong here...

First of all hello and thank you for this work, i am getting issue working with the authentication
Here is my code

$.ajax({
  url:"./src/api.php",
  method:"post",
  data:{
    username:"admin",
    password:"admin"
  },
  success:function(res){
    console.log(res)
    $.ajax({
      url:"./src/api.php?csrf="+[res]+"/costumers_info",
      method:"get",
      success:function(data){
        console.log(data)
      }
    })
  }
})

I was able to get the token wish for some weird reason no matter what i submit on the first post request is "N1991573504" , but in the second request where i need to fetch the data i am still getting error 401 Unauthorized
this is how the header of my request look like

http://localhost/src/api.php?csrf=%22N649003008%22/costumers_info

Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection:keep-alive
Cookie:PHPSESSID=n12nqa0m1gfgeamem270arrnl4; XSRF-TOKEN=N649003008
Host:localhost
Referer:http://localhost/apitest.html
User-Agent:Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
X-Requested-With:XMLHttpRequest

any idea on how to solve the issue
Thanks

Hi,
I implemented AUTH with authentication server (token+user+pass).
If a hacker want to view (through sniffing for example) the data that I'm sending via POST, he could know the user and password and could use the api. It's true?

If yes, for make a REAL security, should I use ALWAYS https? If I don't use https is easy to hack?

And my other question is about logout.html, when I should use the logout? I could use login_token.php and get different tokens every time I want to get or post data, and never use logout. It's wrong?

Thanks.

First, thanks so much for the time you've put into this framework.

I've read through the other issues about cURL, and have similar issues despite checking things like the cookie files. I am using the 'Simple username + password' method.

The first POST, to get the CSRF, works fine. I get the numeric CSRF as expected, and a cookie is created in the temp folder.

I do another send, this time with the CSRF attached as a GET parameter. This returns a 401.

My code is this:

//create credentials array
$data=array(
'username'=>'admin',
'password'=>'admin'
);

//encode the credentials 
$data=json_encode($data);

//create a temporary file
$tmpFname = tempnam("/tmp/api/","COOKIE");

//the URL to send to
$url='https://example.co.uk/api/v2/api.php/';

//POST credentials to the auth (/), storing the session in the COOKIEJAR
$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEJAR, $tmpFname);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'POST');	
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$credentialsCall=curl_exec($ch);
curl_close($ch);

error_log(print_R('Response from credentials post: '.$credentialsCall,TRUE)); //eg 715552116

if(is_numeric($credentialsCall)){
//the response to the first call should be the csrf, so...
//request again, this time passing the csrf as a GET parameter
$csrf=$credentialsCall;
$url='https://example.co.uk/api/v2/api.php/my_table?csrf='.$csrf;

$ch = curl_init();
curl_setopt($ch, CURLOPT_COOKIEFILE, $tmpFname);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$apiCall=curl_exec($ch);
curl_close($ch);

error_log(print_R('Response from second request: '.$apiCall,TRUE)); //eg '' (empty)

}

unlink($tmpFname);

In api.php, I have

require 'auth.php'; // from the PHP-API-AUTH project, see: https://github.com/mevdschee/php-api-auth

$auth = new PHP_API_AUTH(array(
'authenticator'=>function($user,$pass){ $_SESSION['user']=($user=='admin' && $pass=='admin'); }
 ));
 if ($auth->executeCommand()) exit(0);
 if (empty($_SESSION['user']) || $_GET['csrf']!=$_SESSION['csrf']) {
error_log('Unauthorized');
error_log(print_R($_SESSION['user'],TRUE)); //eg '' (empty)
error_log(print_R($_GET['csrf'],TRUE)); //eg 715552116
error_log(print_R($_SESSION['csrf'],TRUE)); //eg 257581241
header('HTTP/1.0 401 Unauthorized');
exit(0);
 }

The issues seems to be:
1/ $_SESSION['user'] is empty.
2/ $_GET['csrf'] doesn't match $_SESSION['csrf'].

The temp file looks like this:

#HttpOnly_.example.co.uk	TRUE	/	FALSE	1517880843	__cfduid	d290745ee12a3cd1a25ac9ee62fb3c5091486344843`

Any ideas would be much appreciated!

Does the CSRF token expire? How should that be handled?

I always have to log in twice because after the successful first login I do not have a valid XSRF token in the session. Should this not be set when the user logs in and does not have a session yet? At the moment the cookie is only set when there is a session already.

Hi,

I have auth working and can maken the basic CRUD call but how can i combine a auth call with token with a list and filter.
The call that i have working is (from within Python):
http://localhost/api.php/tbl_mp_listtypes/?csrf='+csrf_token
but i like to combine it with http://localhost/api.php/tbl_mp_listtypes/?filter=mp_tags,eq,xxxx

Any help is appreciated, with regards,

Bart van Overbeek

how would we go about checking the username and password against the database? Would we just use MySQL query's to do this? what is the method you intended?

Am I wrong, or this can't be used with Basic Auth?

Hi,
I i've an auth problem with the API.
I don't know if the problem is the api, the server, or mine.

I'm programming an App for iOS and Android.
In iOS i'm connecting with the api and everything works fine (including the auth).
But in Andoid, with the same code that i'm using for iOS, i've auth problems.

I'm logging in and it works ok (i'm getting the correct csrf). But when I try to select registers from a table, this is the response:

ResponseCode: 401
ResponseHeader: HTTP/1.1 401 Unauthorized \n Cache-Control: no-store
ResponseData:

Is a rare behavior because the code and the server is the same.
And i'm integrating ok the api because in iOS works perfect.

Maybe should I use a different header for send request? this is my header:

    vector<string> header;
    header.emplace_back("User-Agent: MyApp/1.0");
    header.emplace_back("Content-Type: application/x-www-form-urlencoded");
    httpRequest->setHeaders(header);

Help plz.

Hi there,
First thanks for the awesome accelerator.
Please note that I am new to PHP, my last time using it goes back more than 15 years...
I'm trying to use the username + password authentication, it doesn't matter what I do, I get 200 Ok on the first post request to api.php on '/' but any subsequent request ends in 401. Is there an example of usage available that I can follow? I've only seen the client usage example but none for the server. Is there also a documentation explaining the different settings?
Thank you and sorry for the basic questions

Hi, thanks for this great job.

I am thinking of using php-crud-api with php-api-auth combining a social login (Gmail, FB ...) developed using angular (ex: https://github.com/sabyasachibiswal/angular5-social-login) . Basically, my idea is user connects with FB or Gmail before being able to call any REST API through php-crud-api. Do you have any documentation or examples somewhere?

How to setup a config parameters for the middleware to work with auth0? I already set a parameter "middleware:jwtAuth", but have no idea where/how to set the middleware to accept valid audience/authorized_iss from auth0 ( in other words, how php-crud-api knows that a token is a valid token from auth0) without using php-api-auth

I am currently implementing an admin part of my website and going to use Auth0 for authorization and splitting permissions purposes. I have deployed php-api and have a simple Auth0 app that can just authorize me into an admin panel. After login, a user obtains a token and a corresponding role, I just need somehow to verify the token and to split functionality in the API.

Is there a proven path to combine Auth0 and php-api?

Many thanks

Hi there!

I'm running ubuntu 16.06 here and a mysql database.

If I run the phpcrud api program without this auth stuff installed, I can get results by get method to /api.php

I then paste the the code from this repo in the /api.php file into the phpcrud /api file right above the the $api = new PHP_CRUD_API and uncomment the top half.

I change the 'secret' = 'testingtoken123'

I then visit /login_token.htmlI provide the username and password set as default in auth.php (username, password)

This sends me to login_token.php with a token. Clicking the OK button sends me back to the API page, but the page is blank.

If I debug the code, shows me that it is failing to recognize a session.
If I use that token and go to /api.php?csrf=eyJ0eXAicOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE0ODMyMjMyMzgsImV4cCI6MTQ4MzIyMzI2OH0.3Z1Z9CZMJwRc8HR03iN5TrczXrMrUO8q6_awuM5cf0s

I still get a blank page.
Debugging the code, i get to line 164 which tells me that I should get a success.
I also see my token getting evaluated on 113.

Any help here would be appreciated. I would assume the outofthebox examples should work with a default installation.

Thanks!

thanks for the great API. how can I get the token in JSON array?

Hi, I have tried to set up php-api-auth framework but it doesn't work as I expected. You can see it here. If you login using form you get (probably) csrf token. But if I send POST request to .../api.php/?username=admin&password=admin it doesn't give me csrf token and it doesn't check, if credentials are OK neither. I am sure I am making something wrong but I cannot find out what exactly. Thanks a lot for tips. 🙂

[03-Jan-2017 01:10:35] PHP Warning: Unexpected character in input: '' (ASCII=92) state=1 in /home4/nepalblo/public_html/API.php on line 192
[03-Jan-2017 01:10:35] PHP Parse error: syntax error, unexpected T_FUNCTION in /home4/nepalblo/public_html/API.php on line 205

Trying to get auth.php to work I get this error:
text: "Could not find configuration: default / default"

This is the code I'm using:
http.post('/auth.php', {
username: username,
password: password
});

What am I doing wrong?

Furthermore: At the end of auth.php username and password are both returned as 'admin'. Do I have to change that or can I leave this empty? I don't get it, sorry.

is it possible to use jwtauth with just axios or fetch? thanks

I was able to implement login.html and I'm receiving the token as response which I can then use to call the api using " ?csrf= "

The issue is that any user could open the developer console and see the token being used in the API calls and make its own calls.

Am I correct on assuming this or is this not a case? Is there any way of preventing the user from making his own calls using this method?

It seems the login is done by hard coding!

'validate' => function ($username, $password) {
      return $username == 'admin' && $password == 'admin';
},

While I expect it does the validation with a user table in the DB!

Also I activated this config in the api.php:

    'middlewares' => 'dbAuth,authorization',
   'authorization.tableHandler' => function ($operation, $tableName) {
         return $tableName != 'users';
   },

But then it will show the following error in the vanila.html after login by admin:admin:

{ "code": 1012, "message": "Authentication failed'" }

So it seems I need to connect the auth.php and api.php somehow to have the same session data and also do the authentication regarding a DB table!

Is it possible to setup a permanent app key such that a particular app can access the api without first fetching a csrf every time?

Possibly a way to make a csrf persistent rather than time out?

Is the redirect url needed?

I want to use your api, within an App so there are no urls.

The concept I want to achieve is, Authorize user (username and pass from database), get a jwt token and then be able to use api.php with the given token until it expires.

HTTP calls will be used in android.

I have set the ttl to 3600 but it keep the expired time to 30 seconds.

$auth = new PHP_API_AUTH(array(
	'secret'=>'someVeryLongPassPhraseChangeMe',
	'ttl' => 3600,

Hi Maurits

Thank you for your sharing your work, it's excellent code and very helpful.

Sorry for asking a simple question, I may be missing something obvious. I'm seeing a token returned for any username/password pair, even null.

How can I make this authenticate against known credentials?

$ curl http://localhost:8888/api.php
$ curl http://localhost:8888/api.php --data "username=admin&password=admin"
"3463927620177487360"
$ curl http://localhost:8888/api.php --data "username=foo&password=bar"
"6364633731514325019"
$ curl http://localhost:8888/api.php --data "username=&password="
"1322945882537392955"
$

I have a need for RSA signatures in the JWT. Can you integrate the https://github.com/firebase/php-jwt library into your PHP-API-AUTH?

I cannot find any function in the auth.php for logout, how can I logout after a login?

Hello, I have gotten your awesome PHP api to work in standalone mode, and then after uncommenting the lines for token+session auth, I have finally gotten it to return results.

The problem that I'm seeing is that I get a 401 error if I don't include the username and password in the POST request to api.php, and that once I include the username and password, it seems like anything I type in for the value of the token will give me a valid cookie and let me start to GET results from the database. I can even get a valid cookie by just POSTing the username and password with no token at all, and then still GET results from the database.

Steps I take which result in failure:

1. POST a username and password to login_token.php: get token.
2. POST the token to api.php: get 200 OK response, but a blank white screen.
3. GET request to api.php returns 401 error.

Steps I take which return results, but with no regard to the value of the "token":

1. POST a username and password to login_token.php: get token.
2. POST the username, password, and token (doesn't matter if token is random, blank, or even missing altogether) to api.php: get 200 OK response and a cookie, which is also printed on the screen.
3. GET request to api.php using the previously returned cookie in the header, and I get results.

So, it seems that the functionality of the Token+Session auth is no different than the Form+Session auth. What I mean is that I can follow the same steps for each form of authentication, POSTing only the username and password, and still GET results. Am I missing something? I have also already tried clearing my cookies to verify that I'm dealing with a fresh session.

dear @mevdschee !

first of all thanks for the great api you wrote.
after a few hours of headache and understanding the workflow of php-api-auth i understand the way it works. maybe you could also add an detailed workflow description for cases like mine.
i have an angular5 client and the php-crud-api as backend. so now i have also a login.php which is generating the jwt-token if user-credentials are found in the database. second i call api.php/ which is doing a auth and then call the api.php with database-requests.
everything is working fine if the client and php-crud-api are on the same (sub)domain. but for development i us localhost for the angular-client and the backend is on an real (sub)domain.
the problem here is that the php-session is not the same and the result is that php-api-auth fails by verifying the csrf-token.
did you have any clues or advices how to handle this problem and get the auth also working while development without creating a production-build after every change of the client?

best regards daniel

If the token that is generated is incorrect when we press the 'OK' button after the login page we can enter the api file, that is incorrect right? How can I change that?
Is supposed the token be always the same? And how I can define a timeout for the token?
Sorry for the multiples questions and good work!

Fatal error: Call to undefined function PHP_API_AUTH() in api/index.php on line 1830

what could the issue be? i did require the auth.php file.

Hi
I'm having this error :

Notice: Undefined variable: _SESSION in /home/php-crud-api-master/auth.php on line 196
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpYXQiOjE1Mjg0MTk4OTIsImV4cCI6MTUyODQxOTkyMn0.eOV6tbWX-I8Yoo1qrdDQyeO4cboSTp9yLYMf6USrQmk"/>

Why? I'm trying to implement login with token.
Regards