
I am using Phil Sturgeon's REST Controller to build an API. API authentication is performed using API keys. Presently there is only one key defined in the api_keys table on the database and I have set up my client to access the API using this key via the following cURL request:

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $uri);
    //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    //curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, FALSE);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 1);
    curl_setopt($ch, CURLOPT_HEADER, TRUE);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 45);
    // Request headers, including the API prefix and key as custom headers
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/html; charset=utf-8',
        'Accept: application/html',
        'X_API_PREFIX: ' . $this->apiPrefix(),
        'X_API_KEY: ' . $this->apiKey(),
        "User-Agent: ShowHouse/" . ShowhouseClient::API_CLIENT_VERSION . '; PHP ' . phpversion() . ' [' . php_uname('s') . ']',
        'Accept-Language: ' . $this->_acceptLanguage
    ));
    curl_setopt($ch, CURLOPT_USERPWD, $this->apiKey());

    // Select the HTTP method and attach the body where one is sent
    if ('POST' == $method)
    {
        curl_setopt($ch, CURLOPT_POST, TRUE);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    else if ('PUT' == $method)
    {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    else if ('GET' != $method)
    {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    }

    $response = curl_exec($ch);

However I keep getting an invalid API key response back from the API server. The issue appears to be that on the following line in the REST_Controller.php:

    if (($key = isset($this->_args[$api_key_variable]) ? $this->_args[$api_key_variable] : $this->input->server($key_name)))

both

    $this->_args[$api_key_variable]

and

    $this->input->server($key_name)

are not actually set. 3 of us in the office have exactly the same code base checked out from the source control repository, the only difference being two of us are running Apache 2.4.4 and the other is running Apache 2.2.24. Both of us running 2.4.4 keep getting an invalid API key error but it all works fine for the guy running 2.2.24, which would suggest it's an Apache issue, but we just can't get to the bottom of it.

Anyone any ideas why this would be happening like this?

Thanks in advance.

1 Answer

Found the issue for anyone else who may have the same problem. Apache 2.4.x now enforces stricter translation of headers to environment variables to mitigate against some cross-site scripting attacks via header injection. See:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

"Headers containing invalid characters (including underscores) are now silently dropped."

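A simplified model of the header-to-environment-variable translation described in the answer, as an added example that is not part of the original post and is not Apache's or REST_Controller's code. The header values are constructed, and `HTTP_X_API_KEY` as the variable the server ends up reading is an assumption.

```python
import re

# Per the quoted 2.4 note, a header name is only translated if it has no
# invalid characters; underscores count as invalid.
_VALID_NAME = re.compile(r"^[A-Za-z0-9-]+$")

# Constructed sample: the custom headers as the question's client sends them.
CLIENT_AS_POSTED = [
    ("Accept", "application/html"),
    ("X_API_PREFIX", "constructed-prefix"),
    ("X_API_KEY", "constructed-key"),
]
# The same headers spelled with hyphens instead of underscores.
CLIENT_HYPHENATED = [(n.replace("_", "-"), v) for n, v in CLIENT_AS_POSTED]


def to_cgi_name(header_name):
    """Map 'X-Api-Key' to 'HTTP_X_API_KEY': non-alphanumerics become '_'."""
    return "HTTP_" + re.sub(r"[^A-Za-z0-9]", "_", header_name).upper()


def build_env(headers, strict):
    """Return (env, dropped). strict=True models 2.4.x, False the older behaviour."""
    env, dropped = {}, []
    for name, value in headers:
        if strict and not _VALID_NAME.match(name):
            dropped.append(name)  # silently dropped: no error reaches the client
            continue
        env[to_cgi_name(name)] = value
    return env, dropped


def colliding_names(headers):
    """Header spellings that translate to the same environment variable."""
    groups = {}
    for name, _ in headers:
        groups.setdefault(to_cgi_name(name), set()).add(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for label, hdrs in (("as posted", CLIENT_AS_POSTED), ("hyphenated", CLIENT_HYPHENATED)):
        for strict in (False, True):
            env, dropped = build_env(hdrs, strict)
            print(label, "strict" if strict else "legacy",
                  "key seen:", "HTTP_X_API_KEY" in env, "dropped:", dropped)
    print(colliding_names(CLIENT_AS_POSTED + CLIENT_HYPHENATED))
```

In this model the hyphenated spelling reaches the application under both behaviours, while the underscore spelling only survives the legacy one.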