API works for Non Administrator Once, then NULL Result

So my next issue with the API is that it all works flawlessly, time after time, using a hard-coded administrator account. Move to using a login that has edit, add, delete and view rights on a table, and this user will work the first time, then my curl just returns null. I've tried, in the permissions, making them an admin of the table, but still the same result. Am I missing something in the security setup of the user permissions? I wouldn't have thought it would have anything to do with the advanced API settings; wouldn't those settings have affected the hard-coded administrator account as well? I also haven't posted my code as, again, if that was wrong it wouldn't work for the administrator. Any ideas out there?

Cheers Guys!

You may post your code for discussion.

<?php
session_start();
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
$GLOBALS['checkresult'] = 0;

// Defaults, so every argument passed to runapiquery() is defined (also in "list" mode)
$propno = 'notset';
$binserial = 'notset';
$binrfid = 'notset';
$binname = 'notset';

if (isset($_GET['mode'])) {
    $mode = $_GET['mode'];
    if (isset($_GET['type'])) {
        $table = $_GET['type'];
        if ($mode != 'list') {
            if (isset($_GET['propno'])) {
                $propno = $_GET['propno'];
                if (isset($_GET['binserial'])) {
                    $binserial = $_GET['binserial'];
                }
                if (isset($_GET['binrfid'])) {
                    $binrfid = $_GET['binrfid'];
                }
                if (isset($_GET['binname'])) {
                    $binname = $_GET['binname'];
                }
            } else {
                echo "No Property Specified";
            }
        }
        $url = "?action="; // API base URL omitted in the post; "?action=" is relative to it
        runapiquery($url, $mode, $table, $propno, $binserial, $binrfid, $binname);
    } else {
        echo "No Type Specified";
    }
} else {
    echo "No Mode Specified";
}

function runapiquery($url_con, $mode_con, $table_con, $propno_con, $binserial_con, $binrfid_con, $binname_con)
{
    // First call: log in and obtain the JWT
    $curl_con = curl_init();
    curl_setopt_array($curl_con, array(
        CURLOPT_URL => "?action=login&username=login-of-user-in-database&password=the-password",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_SSL_VERIFYPEER => false, // disables TLS certificate verification
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_2_0,
        CURLOPT_CUSTOMREQUEST => "GET",
        CURLOPT_HTTPHEADER => array(
            "Cache-Control: no-cache",
            "Content-Type: application/json"
        ),
    ));
    $response = curl_exec($curl_con);
    $chave = json_decode($response, true);
    echo "Key JWT : " . $chave['JWT'];
    echo "\n";
    $xaut = "X-Authorization: Bearer " . $chave['JWT'];
    // echo $xaut;
    // echo "\n";
    if ($mode_con == "add") {
        // "add" first views the record: if it exists, edit it, otherwise add it
        api_bin_data($url_con, 'view', $table_con, $propno_con, $binserial_con, $binrfid_con, $binname_con, $xaut);
        if ($GLOBALS['checkresult'] == 1) {
            api_bin_data($url_con, "edit", $table_con, $propno_con, $binserial_con, $binrfid_con, $binname_con, $xaut);
        } else {
            api_bin_data($url_con, "add", $table_con, $propno_con, $binserial_con, $binrfid_con, $binname_con, $xaut);
        }
    } else {
        api_bin_data($url_con, $mode_con, $table_con, $propno_con, $binserial_con, $binrfid_con, $binname_con, $xaut);
    }
    curl_close($curl_con);
}

function api_bin_data($url_func, $mode_func, $table_func, $propno_func, $binserial_func, $binrfid_func, $binname_func, $auth_func)
{
    $url_func = $url_func . $mode_func . "&object=" . $table_func;
    $postfields = null; // only sent for the POST modes
    if ($mode_func == "view") {
        $headers = array("Content-Type: application/json", $auth_func);
        $request = "GET";
        $url_func = $url_func . "&PROPERTY_NO=" . urlencode($propno_func);
    } elseif ($mode_func == "list") {
        $headers = array("Content-Type: application/json", $auth_func);
        $request = "GET";
    } elseif ($mode_func == "add" || $mode_func == "edit" || $mode_func == "delete") {
        $headers = array($auth_func);
        $request = "POST";
        $postfields = "&PROPERTY_NO=" . urlencode($propno_func);
        if ($binserial_func != 'notset') {
            $postfields .= "&binserial=" . urlencode($binserial_func);
        }
        if ($binrfid_func != 'notset') {
            $postfields .= "&binrfid=" . urlencode($binrfid_func);
        }
        if ($binname_func != 'notset') {
            $postfields .= "&binname=" . urlencode($binname_func);
        }
        $postfields .= "&updated=1";
    } else {
        // unknown mode: the original left $headers and $request undefined here
        $headers = array($auth_func);
        $request = "POST";
        $postfields = "&PROPERTY_NO=" . urlencode($propno_func);
    }
    $options = array(
        CURLOPT_URL => $url_func,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING => "",
        CURLOPT_MAXREDIRS => 10,
        CURLOPT_TIMEOUT => 30,
        CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_2_0,
        CURLOPT_SSL_VERIFYPEER => false, // disables TLS certificate verification
        CURLOPT_CUSTOMREQUEST => $request,
        CURLOPT_HTTPHEADER => $headers,
    );
    if ($postfields !== null) {
        $options[CURLOPT_POSTFIELDS] = $postfields;
    }
    $curl2 = curl_init();
    curl_setopt_array($curl2, $options);
    $response2 = curl_exec($curl2);
    $err = curl_error($curl2);
    if ($err) {
        echo "cURL Error #:" . $err;
    } else {
        echo "cURL Return :\n";
        $jsonObj = json_decode($response2);
        $jsonObjInd = json_decode($response2, true);
        var_dump($jsonObj);
        echo "\n";
        $GLOBALS['checkresult'] = $jsonObjInd['success'] ?? 0;
    }
    curl_close($curl2);
}

// remove all session variables
session_unset();
// destroy the session
session_destroy();
?>

I'm not sure why, it doesn't even generate the JWT in the first curl call, so there is nothing to pass to a session variable?

You might probably need to save the JWT key to session variables (?)

Why CURLOPT_CUSTOMREQUEST => "GET"? (CURLOPT_CUSTOMREQUEST is not for setting the HTTP method, read https://www.php.net/manual/en/function.curl-setopt.php; by default the request is GET if you don't specify CURLOPT_POST.) You may try to remove it and try again.

Yep, I have removed that, still the same. If my code works for a hard-coded login it should work for a database user with the appropriate rights; you wouldn't expect my code to work at all if it was wrong.

Problem is, if your login for the user (from the user table) fails, there is no JWT returned and your code '$xaut = "X-Authorization: Bearer ".$chave['JWT'];' will not work. You should check if the response is a success (e.g. if ($chave['success'] && $chave['JWT']) {...}). You may also uncomment your code '// echo $xaut;' and call curl_error() (see https://www.php.net/manual/en/function.curl-error.php) to debug.

OK, I've added a basic check, but cURL seems to think there was no error:

$response = curl_exec($curl_con);
// Check the response already received; calling curl_exec() again would send a second login request
if ($response === false)
{
    echo 'Curl error: ' . curl_error($curl_con);
}
else
{
    $chave = json_decode($response, true);
    echo "Key JWT : " . $chave['JWT'];
    echo "\n";
    $xaut = "X-Authorization: Bearer " . $chave['JWT'];
    echo $xaut;
    echo "\n";
}

curl_error() returning no error means the HTTP request itself is OK, but the request result still might be unsuccessful (401). Did you check the result?

arbei wrote:

Problem is, if your login for the user (from the user table) fails, there is no JWT returned and your code '$xaut = "X-Authorization: Bearer ".$chave['JWT'];' will not work.
You should check if the response is a success (e.g. if ($chave['success'] && $chave['JWT']) {...}). You may also uncomment your code '// echo $xaut;' ... to debug.

It was the setting in security to disallow simultaneous logins!

That's why it would work once and not again for a period of time. Now, how do I check from a standalone non-PHPMaker script whether I already have a valid login session?

You need to check the content of the Profile field in the user table. You should not log in twice; you should send the JWT token, because the JWT token contains the login status, and you had better check the API response to see if your request is successful.

(Here is how to customize the generated code to allow concurrent login of an API user.)
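Putting the advice in this reply together with the client posted earlier in the thread, the following is an added example; it is not code from this thread or from PHPMaker. It assumes a PHPMaker-style API where `?action=login` returns JSON with `success` and `JWT` and every other call carries `X-Authorization: Bearer <JWT>`; the transport is injected so the constructed fake at the bottom lets it run offline, and TOKEN_FILE is an assumed cache path.

```php
<?php
// Added example, not from the thread or PHPMaker. Assumed API: "?action=login" answers JSON
// {"success": bool, "JWT": string}; every other call sends "X-Authorization: Bearer <JWT>".
const TOKEN_FILE = '/tmp/api_jwt.txt'; // assumed cache path; it holds a credential, hence mode 0600
// $transport(string $query, array $headers, ?string $post) returns the raw response body
function apiCall(callable $transport, string $query, ?string $jwt = null, ?string $post = null): array
{
    $headers = ['Content-Type: application/json'];
    if ($jwt !== null) {
        $headers[] = 'X-Authorization: Bearer ' . $jwt;
    }
    $data = json_decode($transport($query, $headers, $post), true);
    // An empty or non-JSON body decodes to null (the "NULL result" of the thread): report failure
    return is_array($data) ? $data : ['success' => false];
}
function getJwt(callable $transport, string $user, string $pass): ?string
{
    // Reuse the cached token while the server still accepts it: with "disallow simultaneous
    // logins" on, a fresh login during a live session is refused and comes back without a JWT.
    if (is_readable(TOKEN_FILE)) {
        $jwt = trim((string) file_get_contents(TOKEN_FILE));
        if ($jwt !== '' && !empty(apiCall($transport, '?action=list&object=bins', $jwt)['success'])) {
            return $jwt;
        }
    }
    // Otherwise log in, with the credentials in the POST body instead of the URL (URLs get logged)
    $login = apiCall($transport, '?action=login', null, http_build_query(['username' => $user, 'password' => $pass]));
    if (empty($login['success']) || empty($login['JWT'])) {
        return null; // never build a "Bearer" header from a missing key
    }
    file_put_contents(TOKEN_FILE, $login['JWT'], LOCK_EX);
    chmod(TOKEN_FILE, 0600);
    return $login['JWT'];
}
// Constructed fake transport so this runs offline: one session allowed, a second login is refused
$fake = function (string $query, array $headers, ?string $post): string {
    static $session = null;
    if (str_starts_with($query, '?action=login')) {
        if ($session !== null) return json_encode(['success' => false]); // simultaneous login refused
        $session = 'constructed.jwt.token';
        return json_encode(['success' => true, 'JWT' => $session]);
    }
    $ok = $session !== null && in_array('X-Authorization: Bearer ' . $session, $headers, true);
    return $ok ? json_encode(['success' => true]) : ''; // empty body, like the null seen in the thread
};
@unlink(TOKEN_FILE);
$first  = getJwt($fake, 'apiuser', 'constructed-password'); // logs in and caches the token
$second = getJwt($fake, 'apiuser', 'constructed-password'); // reuses it; a second login would be refused
echo ($first !== null && $first === $second) ? "token reused OK\n" : "token handling broken\n";
```

Against a real server, replace `$fake` with a closure around curl that keeps CURLOPT_SSL_VERIFYPEER enabled and sets CURLOPT_POSTFIELDS only when `$post` is not null.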

Thanks, everyone, for your assistance.

class UserProfile
{
    //...

    // Is valid user
    public function isValidUser($usr, $sessionID)
    {
        if ($this->isSystemAdmin($usr)) // Ignore system admin
            return TRUE;
        if (IsApi()) // Ignore API request //***
            return TRUE;
        //... (rest of the generated check, unchanged)
    }
}

We will handle this in future versions. Thanks.

Regards,
PHP Support