Question about PHP CURL parsing OPTIONS for headers prior to POST

[mosb3rgler]

Hey everyone, so im trying to utilize a systems OPTION command send prior to the POST command, the OPTION command will for example state that it would like to request specific headers. im trying to perform this to get the headers needed before the POST command im trying to execute, the values are required for the POST command i need to perform to get a response.

The URL in question would be:

https://media-entitlement.mlb.com/api/v3/jwt?os=windows&did=ffeae86c-9447-4bac-a021-caad0c02c605&appname=mlbtv_web

Request method: OPTIONS (to get required headers):

Host: media-entitlement.mlb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,x-api-key
Referer: https://www.mlb.com/tv/g566992/v4db99327-63d3-4f23-a94d-a1ff465e177d
Origin: https://www.mlb.com
Connection: keep-alive
Cache-Control: max-age=0
 

then a post command is performed just after which retrieves the values originally requested by the OPTIONS command prior to the POST:

Host: media-entitlement.mlb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.mlb.com/tv/g566992/v4db99327-63d3-4f23-a94d-a1ff465e177d
x-api-key: arBv5yTc359fDsqKdhYC41NZnIFZqEkY5Wyyn9uA
Authorization: bearer eyJraWQiOiJUNXQteURjQ2pQeWg0anBpOF9Dcm5YR2hkR0hjLUhLb1F6cmo5X3QyeENZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjVudzBlOElzZlFLaDhHYWE1Qzc1blMyQ1FwWVpkSHVCdVFhVFd0a25CY0EiLCJpc3MiOiJodHRwczovL2lkcy5tbGIuY29tL29hdXRoMi9hdXMxbTA4OHlLMDdub0JmaDM1NiIsImF1ZCI6ImFwaTovL21sYl9kZWZhdWx0IiwiaWF0IjoxNTYwNDcwNjYyLCJleHAiOjE1NjA1NTcwNjIsImNpZCI6IjBvYXA3d2E4NTdqY3ZQbFo1MzU1IiwidWlkIjoiMDB1N2psN2UxSjlhM0JGVVMzNTYiLCJzY3AiOlsib3BlbmlkIiwiZW1haWwiXSwic3ViIjoicmF5bmFqcGFudGhlckBtc24uY29tIiwiaXBpZCI6IjY3NzIwMjEiLCJndWlkIjoiNjc1ZmYxNzdiZTE2NTE0ZDRjYmYxNmVhOTNmYzg3NTcifQ.YDW-3f8T5ZcHg2wTvyAfHX0A5LdijP3lgvoSTKla_hBoE5_RBwU9aUYinrATQDNg8d_6wQkCo-ejAX_t9SGE7IGE8j-FE-oQlqIz2ubG7XDz3-84l5zJrSZ0QwxPoGOXMt_0-9DkZ_V4uzISGhN_pI_HnUr26IW-8sf0XK3yNSBOJLQnqx-iZ6HtiUEuI9Qi2T2J2zZuFSnDytxGlqmjC1mAyf0inLdr1LIuUfDayak3G5-YnP91z-8f2_k8QwSVw9IMg_bOCUaMD9suu67VaCU5EnREgZoTxCKEUIIKeJtlSCx6VgW_oXbOguRO0L0BlMR6eHDX9pDt0CgPftfxTw
Origin: https://www.mlb.com
Connection: keep-alive
Cache-Control: max-age=0

 

Now Generally speaking, i fully understand their authorization etc. but this specific set of values seem only used in this one situation, they use bam-sdk which i understand pretty well. but needless to say this authorization bearer, and api-key value only seem generated via the initial OPTIONS grab in browser. so in summary i need to understand how these OPTIONS commands can be utilized to store the required headers as a variable which can be used in the POST command.

Thanks in advance for your time and energy responding.

mosb3rgler

Edited June 14, 2019 by mosb3rgler
typo

[requinix]

You would have to set up handling for all possible headers that may come back from the Access-Control-Request-Headers. Which is silly.

Which is why nobody does that. Their API uses an Authorization (apparently Authorization: Bearer) and an X-API-Key. Just do that. If they change the API then you can change your code.

[mosb3rgler]

the issue is the api key is only delivered through the OPTIONS, the bearer i can generate no problem and insert. but i don't seem to have any other way to get the api key value without the OPTIONS header that is shown first. so if that is actually the only way and we know we only need specific headers and we know the naming convention of the headers, is it still not possible to use the OPTIONS to accomplish this, not sure how to approach that 1specific value or any of the instances on other projects where it only delivers specific values through OPTIONS.