4

I made a simple PHP app that provides a RESTful API for registering, logging in and updating a user's geolocation. I tested it out with a MySQL database on a local Apache server and everything was fine.

Recently I migrated the PHP code to an online host, HostGator. Part of my code stopped working where it involves recognizing HTTP request headers, like this:

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Origin: chrome-extension://hgmloofddffdnphfgcellkdfbfbjeloo
Authorization: f0cc696e44f76f9638331b5487f4b01d
Content-Type: application/x-www-form-urlencoded 
Accept: */*
DNT: 1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4

I wrote my PHP code such that it reads the api-key under the header Authorization. It worked fine on my local server but reported the api-key missing when the same code was migrated to HostGator.

I suspect there may be certain settings that are default in my local environment but need to be set explicitly in HostGator. Here's my current .htaccess:

RewriteEngine On 
RewriteCond %{REQUEST_FILENAME} !-f 
RewriteRule ^(.*)$ %{ENV:BASE}index.php [QSA,L]
AddType application/x-httpd-php54 .php

I'm using XAMPP for the local server and database, and the Chrome extension Advanced Rest Client for sending HTTP requests.

Edit: My code to retrieve the header value:

$headers = apache_request_headers();

if (isset($headers['Authorization'])) {
    $api_key = $headers['Authorization'];
    // validating api key
    // ...
} else {
    // api key is missing in header
    // ...
}
TheInvisibleFist

3 Answers

5

You are using the Authorization header for a custom API key. That is not its intention and Apache will discard Authorization headers that are invalid.
I learned that from "Request headers bag is missing Authorization header in Symfony 2?"

So what you need to do is use an actual custom header. Instead of using the Authorization field, send your key as

X-Apikey: this_is_my_magic_key_that_put_in_the_header

then retrieve it as

$headers['X-Apikey'];

Apache won't discard that.

Note: the headers will get CamelCased on new words. Sending "X-API-KEY" becomes "X-Api-Key". So use the format above to be able to retrieve it properly.

greg_diesel
  • Nice insight about custom headers! Just in case, I solved it adding a rule to my _.htaccess_ file instead: `RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]` – Leopoldo Sanczyk Jan 17 '17 at 05:36
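
An added example (not code from the question, the answer or the comment above) that looks for the key in every place discussed so far: the `Authorization` header, the environment variable set by the rewrite rule in the comment, and the `X-Apikey` custom header, matched case-insensitively. The helper names `find_api_key()` and `api_key_is_valid()` are hypothetical, the key and the four request cases are constructed, and `hash_equals()` assumes PHP 5.6 or later.

```php
<?php
// Added example: locate an API key regardless of how the server exposes it.
// find_api_key() and api_key_is_valid() are hypothetical helper names.

function find_api_key(array $server, array $headers)
{
    // 1. Names PHP uses in $_SERVER. REDIRECT_HTTP_AUTHORIZATION appears when an
    //    [E=HTTP_AUTHORIZATION:...] rewrite rule ran before an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'HTTP_X_APIKEY'] as $name) {
        if (isset($server[$name]) && trim($server[$name]) !== '') {
            return trim($server[$name]);
        }
    }
    // 2. apache_request_headers() output. Header names are case-insensitive,
    //    so normalise the keys instead of relying on one capitalisation.
    $lower = array_change_key_case($headers, CASE_LOWER);
    foreach (['authorization', 'x-apikey'] as $name) {
        if (isset($lower[$name]) && trim($lower[$name]) !== '') {
            return trim($lower[$name]);
        }
    }
    return null; // the key really is missing
}

function api_key_is_valid($presented, $expected)
{
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of the key matched.
    return is_string($presented) && hash_equals($expected, $presented);
}

// Constructed inputs: ways the same request can reach the script.
$expected = 'constructed-demo-key';
$cases = [
    'local XAMPP (mod_php)'      => [[], ['Authorization' => $expected]],
    'host with the rewrite rule' => [['REDIRECT_HTTP_AUTHORIZATION' => $expected], []],
    'custom header, odd casing'  => [[], ['x-APIKEY' => $expected]],
    'header dropped by host'     => [[], ['Accept' => '*/*']],
];
foreach ($cases as $label => $case) {
    $key = find_api_key($case[0], $case[1]);
    printf("%-28s %s\n", $label, api_key_is_valid($key, $expected) ? 'accepted' : 'rejected');
}
```

In a real request handler the two arguments would be `$_SERVER` and, where the function exists, the array returned by `apache_request_headers()`.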
0

You didn't post the code for how you are retrieving the "Authorization" header.

I'd recommend looking at the SERVER variables in your receiving PHP script.

// PHP exposes request headers in $_SERVER as HTTP_ plus the upper-cased name
$myauthorization = $_SERVER['HTTP_AUTHORIZATION'];

If that doesn't work, check out what's available:

print_r($_SERVER);
greg_diesel
  • Thanks for the advice! After putting in print_r, I get "Unexpected token A"... Not sure what that means – TheInvisibleFist Feb 03 '15 at 01:23
  • I figured out I had the "Unexpected token A" error because my server response was in json. So now it looks like the server receives regular headers such as "Accept-Language" just fine but not my custom headers – TheInvisibleFist Feb 03 '15 at 03:51
  • Post your print_r($headers); – greg_diesel Feb 03 '15 at 12:40
  • I did... See my first comment. So if I take json response into account, $headers[Authorization] gives "null" but $headers[Accept-Language] gives "zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4" which is correct – TheInvisibleFist Feb 03 '15 at 14:12
0

Authorization is part of RFC 2617 - HTTP Authentication and it can't be used. Just rename it to another name and it will work fine.

lynx_74