Carje Posted April 12, 2020

I'm trying to get some data from an API with php-cURL. I went to Chrome Developer Tools and copied as cURL (as I usually do):

```
curl 'https://api.domain.co/data/network.php?action=balance&id=#####' \
  -H 'authority: api.domain.co' \
  -H 'pragma: no-cache' \
  -H 'cache-control: no-cache' \
  -H 'accept: application/json, text/javascript, */*; q=0.01' \
  -H 'sec-fetch-dest: empty' \
  -H 'api_token: #######################' \
  -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36' \
  -H 'origin: https://app.domain.com' \
  -H 'sec-fetch-site: cross-site' \
  -H 'sec-fetch-mode: cors' \
  -H 'referer: https://app.domain.com/' \
  -H 'accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5' \
  --compressed
```

I converted the code to php-cURL and placed it in my page:

```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://api.domain.co/data/network.php?action=balance&id=#####');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');
curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate');

// Request headers copied from the browser request
$headers = array();
$headers[] = 'authority: api.domain.co';
$headers[] = 'pragma: no-cache';
$headers[] = 'cache-control: no-cache';
$headers[] = 'accept: application/json, text/javascript, */*; q=0.01';
$headers[] = 'sec-fetch-dest: empty';
$headers[] = 'api_token: #######################';
$headers[] = 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36';
$headers[] = 'origin: https://app.domain.com';
$headers[] = 'sec-fetch-site: cross-site';
$headers[] = 'sec-fetch-mode: cors';
$headers[] = 'referer: https://app.domain.com/';
$headers[] = 'accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5';
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$result = curl_exec($ch);
if (curl_errno($ch)) {
    // Transport-level failure (DNS, TLS, timeout), not an HTTP error status
    echo 'Error:' . curl_error($ch);
}
curl_close($ch);
print_r($result);
```

And I got the following response:

```
{"message":"Forbidden"}
```

I played around with the headers and other cURL parameters, but with no success. Then I said I should try with Postman, and imported the code from Chrome to Postman, and voilà, it worked. At this point, I thought that maybe I wasn't converting the code properly. So I took the code from Postman Code Generator as PHP - cURL and placed it in my page, only to get the same result as before:

```php
$curl = curl_init();

curl_setopt_array($curl, array(
    CURLOPT_URL => "https://api.domain.co/data/network.php?action=balance&id=#####",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_ENCODING => "",
    CURLOPT_MAXREDIRS => 10,
    CURLOPT_TIMEOUT => 0,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    CURLOPT_CUSTOMREQUEST => "GET",
    CURLOPT_HTTPHEADER => array(
        "authority: domain.co",
        "pragma: no-cache",
        "cache-control: no-cache",
        "accept: application/json, text/javascript, */*; q=0.01",
        "sec-fetch-dest: empty",
        "api_token: #######################",
        "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
        "origin: https://app.domain.com",
        "sec-fetch-site: cross-site",
        "sec-fetch-mode: cors",
        "referer: https://app.domain.com/",
        "accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5"
    ),
));

$response = curl_exec($curl);
curl_close($curl);
echo $response;
```

Again I tried to play with different headers (also checked in Postman what headers are mandatory and tried only with those - but nothing).

PS: I have cleared my cache and cookies, also tried with different browsers and different user-agent. I am using this method for many other APIs, but with this one, I can't figure out what I'm doing wrong.

requinix Posted April 12, 2020

It seems right. Is there any more information you can get from the remote service? More detailed error message? An error log? Any logs at all?

Carje (Author) Posted April 12, 2020

> 18 minutes ago, requinix said:
> It seems right. Is there any more information you can get from the remote service? More detailed error message? An error log? Any logs at all?

I tried to get the headers with many different codes and finally got something:

```
HTTP/2 403
server: nginx
date: Sun, 12 Apr 2020 21:30:19 GMT
content-type: application/json
content-length: 23
vary: Accept-Encoding
x-powered-by: PHP/7.3.4
access-control-allow-headers: API_TOKEN
access-control-allow-origin: *

{"message":"Forbidden"}403
```

I have also tried to make the request through jQuery-Ajax (just to test) and I get this error in console:

```
GET https://api.domain.co/data/network.php?action=balance&id=##### 403
```

I am not very experienced. If you have any suggestions on how to get more info/logs/messages, that will be appreciated.

requinix Posted April 12, 2020

Are you running PHP locally? That's the only thing I can think of.

Carje (Author) Posted April 12, 2020

> 11 minutes ago, requinix said:
> Are you running PHP locally? That's the only thing I can think of.

No

requinix Posted April 12, 2020

Then that could be it. They're tracking client IP address with the token, and the token is not valid when used from another location. You'd have to generate the token from within PHP. Can't just copy and paste what your browser is doing.
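
One way to collect the extra detail asked for earlier in the thread, and to see which address the request leaves from (relevant to the client-IP theory in the post above). This is an added example, not code from any poster; the URL and token are placeholders and `diagnose_request` is a hypothetical helper name.

```php
<?php
// Added diagnostic example, not code from the thread. URL and token are placeholders.
function diagnose_request(string $url, array $headers): array
{
    $responseHeaders = [];
    $verbose = fopen('php://temp', 'w+');   // receives libcurl's connection log
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_ENCODING       => '',        // offer every encoding libcurl supports
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_VERBOSE        => true,      // log sent/received headers and TLS details
        CURLOPT_STDERR         => $verbose,
        // Collect each response header line as it arrives.
        CURLOPT_HEADERFUNCTION => function ($handle, string $line) use (&$responseHeaders): int {
            if (trim($line) !== '') {
                $responseHeaders[] = trim($line);
            }
            return strlen($line);            // tell libcurl the line was consumed
        },
    ]);

    $body  = curl_exec($ch);
    $info  = curl_getinfo($ch);
    $error = curl_errno($ch) ? curl_error($ch) : null;
    unset($ch);                              // release the handle before reading the log

    rewind($verbose);
    $log = stream_get_contents($verbose);
    fclose($verbose);
    // Redact the credential so the log can be stored or posted safely.
    $log = preg_replace('/(api_token:[ \t]*)[^\]\r\n]+/i', '$1[redacted]', $log);

    return [
        'status'           => $info['http_code'],   // 0 when no HTTP response arrived
        'curl_error'       => $error,
        'remote_ip'        => $info['primary_ip'],
        'local_ip'         => $info['local_ip'],    // local interface; egress IP may differ behind NAT
        'response_headers' => $responseHeaders,
        'body'             => $body,
        'verbose_log'      => $log,
    ];
}

print_r(diagnose_request(
    'https://api.example.test/data/network.php?action=balance&id=0',  // placeholder URL
    ['accept: application/json', 'api_token: PLACEHOLDER_TOKEN']      // placeholder token
));
```

Run it on the machine that serves the PHP page: Postman and the browser run on the desktop, so the addresses and headers from the two sources can be compared side by side.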

Carje (Author) Posted April 13, 2020

> 6 hours ago, requinix said:
> Then that could be it. They're tracking client IP address with the token, and the token is not valid when used from another location. You'd have to generate the token from within PHP. Can't just copy and paste what your browser is doing.

It's the same token every time. As I said before, the first thing I did was to replicate what the browser was doing.

requinix Posted April 13, 2020

So every time you log out, clear your browser cookies, blah blah blah, and log back in, you get the same token? Every time? And when you log in using PHP code they give you the same token as well?

macfanpl Posted April 13, 2020

> 4 hours ago, requinix said:
> So every time you log out, clear your browser cookies, blah blah blah, and log back in, you get the same token? Every time? And when you log in using PHP code they give you the same token as well?

That should not happen. It's a serious security flaw. One token = one session (provided that TTL = RST)

requinix Posted April 13, 2020

> 3 minutes ago, macfanpl said:
> That should not happen. It's a serious security flaw. One token = one session (provided that TTL = RST)

Exactly my point.
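
A sketch of the server-side behaviour the posts above describe, a token bound to the client address and replaced at every login. This is an added example, not the remote service's code and not from any poster; `TokenStore`, its methods, the status codes chosen and the sample addresses are assumptions.

```php
<?php
// Added illustration, not the remote service's code. All names are hypothetical.
final class TokenStore
{
    private array $byHash = [];   // sha256(token) => ['user', 'ip', 'expires']
    private array $byUser = [];   // user => sha256(token) of the live session

    public function login(string $user, string $ip, int $now, int $ttl = 900): string
    {
        // One token per session: a new login revokes the previous token.
        if (isset($this->byUser[$user])) {
            unset($this->byHash[$this->byUser[$user]]);
        }
        $token = bin2hex(random_bytes(32));
        $hash  = hash('sha256', $token);     // store only a hash of the secret
        $this->byHash[$hash] = ['user' => $user, 'ip' => $ip, 'expires' => $now + $ttl];
        $this->byUser[$user] = $hash;
        return $token;
    }

    /** Returns the HTTP status this sketch would send for the request. */
    public function check(string $token, string $ip, int $now): int
    {
        $rec = $this->byHash[hash('sha256', $token)] ?? null;
        if ($rec === null || $now >= $rec['expires']) {
            return 401;                      // unknown, revoked or expired token
        }
        return $rec['ip'] === $ip ? 200 : 403;   // valid token presented from another address
    }
}

// Constructed sample data: addresses from the RFC 5737 documentation ranges.
$store = new TokenStore();
$first = $store->login('user1', '203.0.113.10', 1000);

// Same token, same address as the login (browser or Postman on the desktop).
var_dump($store->check($first, '203.0.113.10', 1010));
// Same token copied into a script running on a different host.
var_dump($store->check($first, '198.51.100.7', 1010));

// Logging in again issues a different token and revokes the first one.
$second = $store->login('user1', '203.0.113.10', 1020);
var_dump($first !== $second);
var_dump($store->check($first, '203.0.113.10', 1030));
```

Strict address binding also rejects legitimate clients whose address changes mid-session (mobile networks, some proxies), so it is a trade-off rather than a default.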

Carje (Author) Posted April 13, 2020

> 6 minutes ago, macfanpl said:
> That should not happen. It's a serious security flaw. One token = one session (provided that TTL = RST)

> 2 minutes ago, requinix said:
> Exactly my point.

Sorry for the delay. I was too tired last night and misunderstood your question. There is a new token for every login. I finally managed to get someone to talk with their tech, and apparently there was an "internal" problem (didn't give me any real answer), although it was working through Postman. I don't know what it was but now it works with no issues.