堆栈内存溢出
  简体   繁体   English

授权标头中的多个参数不能与基本身份验证一起使用

[英]Multiple parameters in Authorization header not working with Basic Auth

 原文  2016-10-06 08:59:33       php/ rest/ api/ http/ http-headers

问题描述

I am creating a basic API using Basic Auth over SSL. 我正在使用SSL上的基本身份验证来创建基本API。 The API will be used in a mobile application and allow the creation of an account, with other fairly basic features. 该API将用在移动应用程序中,并允许创建具有其他相当基本功能的帐户。

I have decided to hard-code a API key into the mobile application to pass to the API to make it a bit harder for a hacker to access parts of the API that don't require a login (basic auth). 我决定将API密钥硬编码到移动应用程序中,以传递给API,从而使黑客更难访问不需要登录(基本身份验证)的API部分。 Based on what I've read, the API key should be stored in the Authorization header in the HTTP request. 根据我的阅读,API密钥应存储在HTTP请求的Authorization标头中。

Authorization header: 授权标头: 

Key ~@3o42jf!34vm3.!

My PHP API then readers the header and ensures that the key is correct. 然后,我的PHP API读取标头并确保密钥正确。 If it is, basic elements of the API are available. 如果可以,则可以使用API​​的基本元素。

The problem comes when trying to perform a task that requires a login to be passed to the API. 尝试执行需要将登录名传递到API的任务时,就会出现问题。 My Authorization header then looks like this: 我的授权标头如下所示: 

Key ~@3o42jf!34vm3.! Basic c3RhY2tAZ21haWwuY29tOnRlc3RpbmcxMjM=

The API can still read the key, but the email/password string that I access with $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'] are now not set. 该API仍可以读取密钥,但是现在未设置我使用$_SERVER['PHP_AUTH_USER']$_SERVER['PHP_AUTH_PW']访问的电子邮件/密码字符串。 Is the only way to get around this to read the header manually through apache_request_headers() ? 解决此问题的唯一方法是通过apache_request_headers()手动读取标头吗?

1 个解决方案

解决方案1
 1 已采纳  2016-10-06 09:03:23

Since this is a custom header, you should use a separate identifier for it. 由于这是一个自定义标头,因此应为其使用单独的标识符。 For example: 例如: 

X-Api-Key: ~@3o42jf!34vm3.!

And then you can leave the basic auth header as it is (since it indeed won't work if you insert custom data in it). 然后,您可以保留基本的auth标头(因为如果在其中插入自定义数据,它的确不起作用)。

On the PHP side, your custom header can be accessed with $_SERVER['HTTP_X_API_KEY'] 在PHP方面,可以使用$_SERVER['HTTP_X_API_KEY']访问您的自定义标头

Also make sure that your request headers are in the correct format. 另外,请确保您的请求标头采用正确的格式。 It should be like this: 应该是这样的: 

GET /api/v1/tickets HTTP/1.1
Host: 123.123.123.123
Authorization: Basic c3RhY2tAZ21haWwuY29tOnzzz3RpbmcxMjM=
X-Api-Key: z7='sL(=}24qv'3F
Cache-Control: no-cache
Postman-Token: e657c66f-2db1-bf76-78c5-777305b5bfe6

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Laravel API调用失败。 PostMan使用基本身份验证覆盖授权标头 - Laravel API call failed. PostMan overrides Authorization header with Basic Auth Filemaker - 授权标头“基本”无效 - Filemaker - Authorization header 'Basic' invalid HTTP基本身份验证不起作用 - HTTP basic auth is not working 本机PHP中具有Authorization Basic的Soap Header - Soap Header with Authorization Basic in native PHP PHP cURL格式错误的授权标头REST API基本授权 - PHP cURL Malformed Authorization header REST API Basic Authorization PHP基本身份验证在Xampp中不起作用 - PHP Basic auth not working in xampp 具有Httpful和基本身份验证标头的PHP API调用 - PHP API Call with Httpful and Basic Auth Header 如何使用 guzzle 为基本身份验证发送正确的授权标头 - How to send a correct authorization header for basic authentication using guzzle 为什么我的 postman 基本身份验证无法正常工作? - why my postman basic auth not working correctly? Laravel5 auth.basic无法正常工作 - Laravel5 auth.basic not working
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM