Authentication using custom headers

Including the userid:password (for authentication) in the URL for GETting and POSTing into a protected directory (while still working) has been deprecated, so I’ve been trying to get it to work using custom headers.

The rfc states:

  1. The username and password are combined with a single colon. (:)   check
  2. The resulting string is encoded into an octet sequence.
  3. The resulting string is encoded using a variant of Base64. check
  4. The authorization method and a space is then prepended to the encoded string, separated with a space (e.g. "Basic ").   param.header.Authenticate = "Basic " .. <b64 string>   check

#2 is the problem.  I’ve converted the string into a byte table (byte array) with string.byte(<uid:pw>, 1, -1) but am stuck here.  mime.b64 won't take the byte table.  I’ve also looked at the utf8 plugin but don't see anything that fits there, and what the octet sequence is doing is ensuring a utf-8 string.

Anyone work with this yet?  

Thanks in advance

Dave

Do your username/passwords have non-ASCII characters in them? You should just be able to pass a Lua string to mime.b64 and have it work. I don’t see why step 2 is really needed. 

Rob
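The four RFC steps from the first post, and Rob's point that a Lua string is already the octet sequence step 2 asks for, as an added example (not code from the thread). It builds the header value with LuaSocket's mime.b64, decodes it again to show exactly what the server will see, and then places it in the params table; the credentials and URL are constructed placeholders. Solar2D/Corona documents the request-headers key as params.headers (plural).

```lua
-- Added example (not from the thread): building an HTTP Basic Authorization
-- header in Lua for Solar2D/Corona's network.request.
local mime = require("mime")   -- LuaSocket's mime module, bundled with Corona/Solar2D

-- RFC steps 1 and 2: "user:password" is already an octet (byte) sequence in Lua,
-- because Lua strings are byte strings; string.byte() is not needed. For
-- non-ASCII credentials the bytes must be UTF-8, which they are when the source
-- file is saved as UTF-8.
local function basicAuthHeader(user, password)
  -- RFC 7617: the user-id may not contain a colon, because the first colon
  -- is what separates user-id from password on the server side.
  assert(not user:find(":", 1, true), "user-id must not contain a colon")
  local credentials = user .. ":" .. password
  -- mime.b64 returns two values (encoded text, leftover); keep only the first.
  local encoded = (mime.b64(credentials))
  return "Basic " .. encoded          -- step 4: scheme, one space, encoded text
end

-- Decode a header value back to user/password, to check what the server will see.
-- Splits on the FIRST colon only, so a password may itself contain colons.
local function decodeBasicHeader(value)
  local b64 = value:match("^Basic%s+(%S+)$")
  if not b64 then return nil, "not a Basic credential" end
  local decoded = (mime.unb64(b64))
  local user, password = decoded:match("^([^:]*):(.*)$")
  if not user then return nil, "no colon in decoded credentials" end
  return user, password
end

-- Constructed placeholder credentials (not real ones)
local header = basicAuthHeader("app_access", "app_access_pw")
print(header)

-- Round-trip check: the server decodes exactly what we encoded.
local u, p = decodeBasicHeader(header)
assert(u == "app_access" and p == "app_access_pw")

-- How it plugs into network.request; the documented key is "headers".
local params = {
  headers = { ["Authorization"] = header },
  body = "sType=A",
}
local dataURL = "https://www.example.invalid/php" .. "/serialnum.php"  -- placeholder URL
-- network.request(dataURL, "POST", listenForSerialNum, params)
```

The decode helper is only for checking your own header value in a test build; the decoded string holds the password in clear, so keep it out of shipped logs.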

Thanks, Rob.

No non-ASCII.  Here’s the code:

 local mime = require("mime")  -- needed for mime.b64
 local params = {}
 params.header = {}
 params.header.Authorization = "Basic " .. mime.b64("app_access:app_access_pw")
 params.body = "sType=A"
 local dataURL = "https://www.<url>.com/php" .. "/serialnum.php"
 network.request(dataURL, "POST", listenForSerialNum, params)

this url works:

local dataURL = "https://app_access:app_access_pw@www.<url>.com/php" .. "/serialnum.php"

btw, the “https://www.<url>.com/php” is actually held in a prefs variable.  I’m not actually concatting 2 straight strings.  :)

Dave

I’m assuming it’s not working. Are you getting an error?

In your listenForSerialNum function why not add:

print( json.prettify( event ) )

You will of course have to require the json library. See what information is coming back from the server. Then look in the console log and see what’s happening.  

Rob
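Rob's suggestion to print the event table, extended into a listener that also summarises why the request failed, as an added example (not code from the thread). It reads status and the WWW-Authenticate challenge from the event, never prints the outgoing Authorization header, and is exercised offline with a constructed event table shaped like a 401 response; diagnose and parseBasicChallenge are names chosen here.

```lua
-- Added example (not from the thread): a network.request listener that reports
-- why a request failed, plus a constructed event table to run it offline.
local json = require("json")  -- Corona/Solar2D's built-in json library

-- Pull the realm out of a challenge such as: Basic realm="p_docs"
local function parseBasicChallenge(challenge)
  if not challenge then return nil end
  return challenge:match('^%s*[Bb]asic%s+realm="([^"]*)"')
end

-- Summarise a networkRequest event as a small table, so the outcome can be
-- checked in code rather than only read off the console.
local function diagnose(event)
  local report = { ok = false, reason = "unknown" }
  if event.isError then
    report.reason = "transport error, no HTTP response (DNS, TLS, timeout)"
    return report
  end
  local headers = event.responseHeaders or {}
  report.status = event.status
  if event.status == 401 then
    report.realm = parseBasicChallenge(headers["WWW-Authenticate"])
    report.reason = "server rejected, or never saw, the Authorization header"
  elseif event.status == 403 then
    report.reason = "credentials accepted but access to the resource is denied"
  elseif event.status >= 200 and event.status < 300 then
    report.ok, report.reason = true, "success"
  else
    report.reason = "HTTP " .. tostring(event.status)
  end
  return report
end

-- The listener as it would be passed to network.request. It prints the whole
-- event (Rob's suggestion) and a one-line diagnosis; the request's own
-- Authorization header is a credential and is deliberately never printed.
local function listenForSerialNum(event)
  if event.phase ~= "ended" then return end
  print(json.prettify(event))
  local report = diagnose(event)
  print(string.format("status=%s ok=%s realm=%s: %s",
    tostring(report.status), tostring(report.ok),
    tostring(report.realm), report.reason))
  return report
end

-- Constructed event table, shaped like the 401 printed earlier in the thread
local sampleEvent = {
  name = "networkRequest", phase = "ended", isError = false, status = 401,
  responseType = "text", response = "<html>401 Unauthorized</html>",
  responseHeaders = {
    ["HTTP-STATUS-LINE"] = "HTTP/1.1 401 Unauthorized",
    ["WWW-Authenticate"] = 'Basic realm="p_docs"',
    ["Content-Type"] = "text/html",
  },
}
local report = listenForSerialNum(sampleEvent)
assert(report.status == 401 and report.realm == "p_docs" and not report.ok)
```

A 401 with a Basic challenge means the server either did not receive an Authorization header at all or did not accept the one it got, so the next thing to confirm is which of the two happened, for example by checking the key name under which the header is placed in the params table.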

Correct - not working.  I’m getting a 401 (Unauthorized).

I inserted the print and it confirmed.

I also printed the params table:

table: 130B7790 {
17:00:04.119    [header] => table: 130B7790 {
17:00:04.119                  [Authorization] => "Basic YXBwX2FjY2VzczphcHBfYWNjZXNzX3NkWm9uZTE="
17:00:04.119                }
17:00:04.119    [body] => "sType=A"
17:00:04.119  }

which looks good, from a table standpoint.  Is there any way to intercept the network.request to see what is actually being formatted for the server?

Dave

Can you post the results of that print of the event table?

in listenForSerialNum:
17:00:04.805 {
17:00:04.805 "bytesEstimated":1154,
17:00:04.805 "bytesTransferred":1154,
17:00:04.805 "name":"networkRequest",
17:00:04.805 "phase":"ended",
17:00:04.805 "requestId":"<type 'userdata' is not supported by JSON.>",
17:00:04.805 "response":"<!DOCTYPE html>\n<html style=\"height:100%\">\n<head><title> 401 Unauthorized\r\n</title></head>\n<body style=\"color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;\">\n<div style=\"height:auto; min-height:100%; \"> <div style=\"text-align: center; width:800px; ; position:absolute; top: 30%; left:50%;\">\n <h1 style=\"margin:0; font-size:150px; line-height:150px; font-weight:bold;\">401</h1>\n<h2 style=\"margin-top:20px;font-size: 30px;\">Unauthorized\r\n</h2>\n<p>Proper authorization is required to access this resource!</p>\n</div></div><div style=\"color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;\">\n<br>Proudly powered by <a style=\"color:#fff;\" href=\"http://www.litespeedtech.com/error-page\">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>\n",
17:00:04.805 "responseHeaders":{
17:00:04.805 "Connection":"Keep-Alive",
17:00:04.805 "Content-Length":"1154",
17:00:04.805 "Date":"Mon, 12 Jun 2017 21:00:00 GMT",
17:00:04.805 "WWW-Authenticate":"Basic realm=\"p_docs\"",
17:00:04.805 "Cache-Control":"private, no-cache, no-store, must-revalidate, max-age=0",
17:00:04.805 "Content-Type":"text/html",
17:00:04.805 "Accept-Ranges":"bytes",
17:00:04.805 "Pragma":"no-cache",
17:00:04.805 "HTTP-STATUS-LINE":"HTTP/1.1 401 Unauthorized",
17:00:04.805 "Server":"LiteSpeed"
17:00:04.805 },
17:00:04.805 "responseType":"text",
17:00:04.805 "status":401,
17:00:04.805 "url":"https://www.safedrivezone.com/php/serialnum.php",
17:00:04.805 "isError":false
17:00:04.805 }

Is there any documentation about the APIs the site is trying to use? Is this a site you’re building? Who is hosting this? 

Hostek is hosting it.  Nothing on the API.  Linux server, using, I thought, Apache, though the response says it's a LiteSpeed web server.   I’m using .htaccess to password protect the php directory, using a cPanel tool to manage the access and password file.  I have a support ticket opened with them to see if there is anything special it requires; though they had also pointed me to the RFC wiki.   That’s why I wondered if there was a way to see what actual headers were being sent by network.request.

@Rob,

It turns out to be a LiteSpeed vs Apache issue.

As they explained it:

–[HEADER]–

X-Accept-Charset,X-Accept,Content-Type,Origin                           LiteSpeed

X-Accept-Charset, X-Accept, Content-Type, Origin                        Apache

–[END]–

There is a configuration item that will recognize the spaces, but it would cause other issues (Apache failures).  I’m trying to find out what those other issues are.

There doesn't happen to be something that I can pass to network.request to tell it to strip spaces in headers, is there…

Thanks

dave

There isn’t anything I know that will allow you to control that. 

Thanks, I didn't think so.

How come I never ask you the easy ones?  :)

I appreciate the help.  I’ll see what Hostek comes back with on Litespeed.  At least the URL method still works, so there is time.

Thanks again.

Dave
