mosb3rgler

Question about PHP CURL parsing OPTIONS for headers prior to POST


Hey everyone, so I'm trying to utilize a system's OPTION command sent prior to the POST command. The OPTION command will, for example, state that it would like to request specific headers. I'm trying to perform this to get the headers needed before the POST command I'm trying to execute; the values are required for the POST command I need to perform to get a response.

The URL in question would be:

https://media-entitlement.mlb.com/api/v3/jwt?os=windows&did=ffeae86c-9447-4bac-a021-caad0c02c605&appname=mlbtv_web

Request method: OPTIONS (to get required headers):

Host: media-entitlement.mlb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Access-Control-Request-Method: GET
Access-Control-Request-Headers: authorization,x-api-key
Referer: https://www.mlb.com/tv/g566992/v4db99327-63d3-4f23-a94d-a1ff465e177d
Origin: https://www.mlb.com
Connection: keep-alive
Cache-Control: max-age=0
 

Then a POST command is performed just after, which retrieves the values originally requested by the OPTIONS command prior to the POST:

Host: media-entitlement.mlb.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.mlb.com/tv/g566992/v4db99327-63d3-4f23-a94d-a1ff465e177d
x-api-key: arBv5yTc359fDsqKdhYC41NZnIFZqEkY5Wyyn9uA
Authorization: bearer eyJraWQiOiJUNXQteURjQ2pQeWg0anBpOF9Dcm5YR2hkR0hjLUhLb1F6cmo5X3QyeENZIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULjVudzBlOElzZlFLaDhHYWE1Qzc1blMyQ1FwWVpkSHVCdVFhVFd0a25CY0EiLCJpc3MiOiJodHRwczovL2lkcy5tbGIuY29tL29hdXRoMi9hdXMxbTA4OHlLMDdub0JmaDM1NiIsImF1ZCI6ImFwaTovL21sYl9kZWZhdWx0IiwiaWF0IjoxNTYwNDcwNjYyLCJleHAiOjE1NjA1NTcwNjIsImNpZCI6IjBvYXA3d2E4NTdqY3ZQbFo1MzU1IiwidWlkIjoiMDB1N2psN2UxSjlhM0JGVVMzNTYiLCJzY3AiOlsib3BlbmlkIiwiZW1haWwiXSwic3ViIjoicmF5bmFqcGFudGhlckBtc24uY29tIiwiaXBpZCI6IjY3NzIwMjEiLCJndWlkIjoiNjc1ZmYxNzdiZTE2NTE0ZDRjYmYxNmVhOTNmYzg3NTcifQ.YDW-3f8T5ZcHg2wTvyAfHX0A5LdijP3lgvoSTKla_hBoE5_RBwU9aUYinrATQDNg8d_6wQkCo-ejAX_t9SGE7IGE8j-FE-oQlqIz2ubG7XDz3-84l5zJrSZ0QwxPoGOXMt_0-9DkZ_V4uzISGhN_pI_HnUr26IW-8sf0XK3yNSBOJLQnqx-iZ6HtiUEuI9Qi2T2J2zZuFSnDytxGlqmjC1mAyf0inLdr1LIuUfDayak3G5-YnP91z-8f2_k8QwSVw9IMg_bOCUaMD9suu67VaCU5EnREgZoTxCKEUIIKeJtlSCx6VgW_oXbOguRO0L0BlMR6eHDX9pDt0CgPftfxTw
Origin: https://www.mlb.com
Connection: keep-alive
Cache-Control: max-age=0

 

Now, generally speaking, I fully understand their authorization etc., but this specific set of values seems only used in this one situation. They use bam-sdk, which I understand pretty well. But needless to say, this authorization bearer and api-key value only seem generated via the initial OPTIONS grab in the browser. So in summary, I need to understand how these OPTIONS commands can be utilized to store the required headers as a variable which can be used in the POST command.

Thanks in advance for your time and energy responding.

mosb3rgler

Edited by mosb3rgler
typo


You would have to set up handling for all possible headers that may come back from the Access-Control-Request-Headers. Which is silly.

Which is why nobody does that. Their API uses an Authorization (apparently Authorization: Bearer) and an X-API-Key. Just do that. If they change the API then you can change your code.
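
The preflight exchange this thread is about, modelled as an added example (not code from any poster or from the site's API): the OPTIONS request announces header names only, and the response answers with a list of allowed names. The hosts, the policy object and the PLACEHOLDER values are constructed, and the safelist is a simplification.

```javascript
// Simplified model of a CORS preflight; not a full Fetch-spec implementation.
// Headers a browser may send cross-origin without a preflight (value rules ignored here).
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Browser side: derive the OPTIONS preflight from the request a script wants to make.
// Only header NAMES are announced; the values stay in the browser until the real request.
function buildPreflight(request) {
  const names = Object.keys(request.headers).map((h) => h.toLowerCase())
    .filter((h) => !SAFELISTED.has(h)).sort();
  const simpleMethod = ["GET", "HEAD", "POST"].includes(request.method);
  if (names.length === 0 && simpleMethod) return null; // no preflight needed
  return {
    method: "OPTIONS",
    url: request.url,
    headers: {
      "Origin": request.origin,
      "Access-Control-Request-Method": request.method,
      "Access-Control-Request-Headers": names.join(","),
    },
  };
}

// Server side: answer from a static policy. The response grants permission by listing
// allowed names; no field in it carries a key or token value.
function answerPreflight(preflight, policy) {
  const h = preflight.headers;
  const asked = h["Access-Control-Request-Headers"].split(",").filter(Boolean);
  const ok = policy.origins.includes(h["Origin"]) &&
    policy.methods.includes(h["Access-Control-Request-Method"]) &&
    asked.every((name) => policy.headers.includes(name));
  if (!ok) return { status: 403, headers: {} }; // this sketch refuses outright
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": h["Origin"],
      "Access-Control-Allow-Methods": policy.methods.join(","),
      "Access-Control-Allow-Headers": policy.headers.join(","),
    },
  };
}

// Constructed sample: the script already holds both values before any OPTIONS is sent.
const sampleRequest = {
  method: "GET", url: "https://api.example.test/jwt", origin: "https://www.example.test",
  headers: { "Accept": "*/*", "Authorization": "Bearer PLACEHOLDER_TOKEN", "X-API-Key": "PLACEHOLDER_KEY" },
};
const samplePolicy = { origins: ["https://www.example.test"], methods: ["GET"],
  headers: ["authorization", "x-api-key"] };
```

Preflight is something browsers do on behalf of cross-origin scripts; an HTTP client such as cURL sends only the requests it is explicitly given.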


The issue is the API key is only delivered through the OPTIONS; the bearer I can generate no problem and insert. But I don't seem to have any other way to get the API key value without the OPTIONS header that is shown first. So if that is actually the only way, and we know we only need specific headers, and we know the naming convention of the headers, is it still not possible to use the OPTIONS to accomplish this? I'm not sure how to approach that one specific value or any of the instances on other projects where it only delivers specific values through OPTIONS.
