API call works in Postman but not in php-cURL


Carje

I'm trying to get some data from an API with php-cURL. I went to Chrome Developer Tools and copied as cURL (as I usually do):

curl 'https://api.domain.co/data/network.php?action=balance&id=#####' -H 'authority: api.domain.co' -H 'pragma: no-cache' -H 'cache-control: no-cache' -H 'accept: application/json, text/javascript, */*; q=0.01' -H 'sec-fetch-dest: empty' -H 'api_token: #######################' -H 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36' -H 'origin: https://app.domain.com' -H 'sec-fetch-site: cross-site' -H 'sec-fetch-mode: cors' -H 'referer: https://app.domain.com/' -H 'accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5' --compressed

I converted the code to php-cURL and placed it in my page:

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, 'https://api.domain.co/data/network.php?action=balance&id=#####');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'GET');

curl_setopt($ch, CURLOPT_ENCODING, 'gzip, deflate');

$headers = array();
$headers[] = 'authority: api.domain.co';
$headers[] = 'pragma: no-cache';
$headers[] = 'cache-control: no-cache';
$headers[] = 'accept: application/json, text/javascript, */*; q=0.01';
$headers[] = 'sec-fetch-dest: empty';
$headers[] = 'api_token: #######################';
$headers[] = 'user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36';
$headers[] = 'origin: https://app.domain.com';
$headers[] = 'sec-fetch-site: cross-site';
$headers[] = 'sec-fetch-mode: cors';
$headers[] = 'referer: https://app.domain.com/';
$headers[] = 'accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5';
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}
curl_close($ch);
print_r($result);

And I got the following response:

{"message":"Forbidden"}

I played around with the headers and other cURL parameters, but with no success.

Then I said I should try with Postman, and imported the code from Chrome to Postman, and voilà, it worked.

At this point, I thought that maybe I wasn't converting the code properly. So I took the code from Postman Code Generator as PHP - cURL and placed it in my page, only to get the same result as before:

$curl = curl_init();

curl_setopt_array($curl, array(
  CURLOPT_URL => "https://api.domain.co/data/network.php?action=balance&id=#####",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_ENCODING => "",
  CURLOPT_MAXREDIRS => 10,
  CURLOPT_TIMEOUT => 0,
  CURLOPT_FOLLOWLOCATION => true,
  CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
  CURLOPT_CUSTOMREQUEST => "GET",
  CURLOPT_HTTPHEADER => array(
    "authority: domain.co",
    "pragma: no-cache",
    "cache-control: no-cache",
    "accept: application/json, text/javascript, */*; q=0.01",
    "sec-fetch-dest: empty",
    "api_token: #######################",
    "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36",
    "origin: https://app.domain.com",
    "sec-fetch-site: cross-site",
    "sec-fetch-mode: cors",
    "referer: https://app.domain.com/",
    "accept-language: en-US;q=0.9,en;q=0.8,de;q=0.7,ru;q=0.6,en-GB;q=0.5"
  ),
));

$response = curl_exec($curl);

curl_close($curl);
echo $response;

Again I tried to play with different headers (Also checked in Postman what headers are mandatory and tried only with those - but nothing).

PS: I have cleared my cache and cookies, also tried with different browsers and different user-agent.

I am using this method for many other APIs, but with this one, I can't figure out what I'm doing wrong.


18 minutes ago, requinix said:

It seems right. Is there any more information you can get from the remote service? More detailed error message? An error log? Any logs at all?

I tried to get the headers with many different codes and finally got something:

HTTP/2 403 
server: nginx
date: Sun, 12 Apr 2020 21:30:19 GMT
content-type: application/json
content-length: 23
vary: Accept-Encoding
x-powered-by: PHP/7.3.4
access-control-allow-headers: API_TOKEN
access-control-allow-origin: *

{"message":"Forbidden"}403

I have also tried to make the request through jQuery-Ajax (just to test) and I get this error in console:

GET https://api.domain.co/data/network.php?action=balance&id=##### 403

I am not very experienced. If you have any suggestions on how to get more info/logs/messages, that will be appreciated.

Link to comment
Share on other sites
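
On the question of how to get more info out of a failing call: the following is an added example, not part of the original posts, that records the request headers libcurl actually sent, the response headers, and the local and remote addresses, with the api_token value masked so the report can be shared. The function names, URL and token are placeholders assumed for illustration.

```php
<?php
// Added diagnostic example, not code from the thread.
// redact_token() and diagnose() are hypothetical helper names.

function redact_token(string $headerBlock): string {
    // Mask the api_token value so the secret never lands in logs or forum posts.
    $masked = preg_replace('/^(api_token:[ \t]*)[^\r\n]+/mi', '$1[REDACTED]', $headerBlock);
    return $masked ?? $headerBlock;
}

function diagnose(string $url, string $token): array {
    $responseHeaders = [];
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_ENCODING       => '',     // accept every encoding libcurl supports
        CURLOPT_HTTPHEADER     => ['accept: application/json', 'api_token: ' . $token],
        CURLINFO_HEADER_OUT    => true,   // keep a copy of the request headers sent
        CURLOPT_HEADERFUNCTION => function ($ch, string $line) use (&$responseHeaders) {
            if (trim($line) !== '') {
                $responseHeaders[] = rtrim($line);
            }
            return strlen($line);         // must return the number of bytes handled
        },
    ]);
    $body = curl_exec($ch);

    return [
        'curl_error'       => $body === false ? curl_error($ch) : null,
        'status'           => curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        'remote_ip'        => curl_getinfo($ch, CURLINFO_PRIMARY_IP),
        // Interface address of this host; behind NAT the server sees a different one.
        'local_ip'         => curl_getinfo($ch, CURLINFO_LOCAL_IP),
        'request_sent'     => redact_token((string) curl_getinfo($ch, CURLINFO_HEADER_OUT)),
        'response_headers' => $responseHeaders,
        'body'             => $body,
    ];
}

// Placeholder URL and token (constructed for this example).
print_r(diagnose('https://api.example.invalid/data/network.php?action=balance&id=0',
                 'PLACEHOLDER_TOKEN'));
```

Comparing request_sent against what the working client sends shows whether a header was dropped or altered in transit from the script, and status plus response_headers give the server's side of the exchange without exposing the token.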

6 hours ago, requinix said:

Then that could be it. They're tracking client IP address with the token, and the token is not valid when used from another location.

You'd have to generate the token from within PHP. Can't just copy and paste what your browser is doing.

It's the same token every time. As I said before, the first thing I did was to replicate what the browser was doing.


4 hours ago, requinix said:

So every time you log out, clear your browser cookies, blah blah blah, and log back in, you get the same token? Every time? And when you log in using PHP code they give you the same token as well?

That should not happen. It's a serious security flaw. One token = one session (provided that TTL = RST)


6 minutes ago, macfanpl said:

That should not happen. It's a serious security flaw. One token = one session (provided that TTL = RST)

2 minutes ago, requinix said:

Exactly my point.

Sorry for the delay. I was too tired last night and misunderstood your question. There is a new token for every login.

I finally managed to get someone to talk with their tech, and apparently there was an "internal" problem (didn't give me any real answer), although it was working through Postman.

I don't know what it was, but it now works with no issues.
