0

I am working on a login page functionality in a SPA built with Angular CLI. My backend is tomcat, php with mysql on a hosting server to which I am able to successfully connect, get and update via post call all the other content in the app using httpclient module. I run CLI with proxy. App is running at localhost:4200

Without Authorization Header, API calls succeeds and I get the proper response:

{"status":true,"resp":"Login Success."}

from my login.php file.

Login Service:

const headers = new HttpHeaders({
  'Content-Type': 'application/x-www-form-urlencoded',
  'Authorization': 'Basic ' + btoa(email+':'+pwd)    <---Including this line gives me error
});

When I add this line 'Authorization': 'Basic ' + btoa(email+':'+pwd), the API calls itself fails. It doesn't even show is it OPTIONS/POST in console. It gives (failed) net::ERR_EMPTY_RESPONSE on some line in zone.js. Not sure if this angular issue.

Req Headers I see in console:

Provisional headers are shown
Accept: application/json, text/plain, */*
Authorization: Basic YXNkZjphc2Rm
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost:4200/home
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.129 Safari/537.36

Below is the screenshot link. enter image description here

/public-html/project/api/login.php:

header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json; charset=UTF-8");
header("Access-Control-Allow-Methods: POST");
header("Access-Control-Max-Age: 3600");
header ("Access-Control-Allow-Credentials: true");
header("Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token, Access-Control-Allow-Headers, Authorization, X-Requested-With");

    $json = file_get_contents('php://input');
    $data = json_decode($json,true);

I've also tried most of the .htaccess solutions. Nothing worked.

.htaccess(in /public_html):

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

//Tried this too
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

Header add Access-Control-Allow-Credentials true
    Header add Access-Control-Allow-Methods "GET, POST, PUT, HEAD, OPTIONS, DELETE, PATCH"
    Header add Access-Control-Allow-Headers *
    Header always set Access-Control-Expose-Headers "*"
    Header add Access-Control-Allow-Origin *
    Header set Connection keep-alive
    Header set Access-Control-Max-Age "3600"
    Header set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token"

The same request works in postman when I use Basic Auth, I am able to print the authorization header in php script as well. But it doesnt work in browser, any ideas why ? Struck since 2 days. Can't get this to work. I dont want to expose username/password in POST formData, but want to send it in Authorization header. How can I get this to work ? Should I add .htaccess somewhere in subfolders ?

Anil Kumar
  • 41
  • 3
  • The problem is not with angular but on the web server. As ERR_EMPTY_RESPONSE is a timeout error. Browser timeout triggered . You can tell the browser to wait using keep alive header. For your get request failing post your get call. – CoderSam Sep 21 '20 at 01:10
  • I added below lines to my .htaccess, still see the same issue: Header set Connection keep-alive Header set Access-Control-Max-Age "1000" – Anil Kumar Sep 21 '20 at 03:04
  • RewriteEngine On RewriteCond %{HTTP:Authorization} ^(.*) RewriteRule .* - [e=HTTP_AUTHORIZATION:%1] in .htaccess. please refer this link https://stackoverflow.com/questions/26475885/authorization-header-missing-in-php-post-request – CoderSam Sep 21 '20 at 14:59
  • Updated .htaccess and removed headers from login.php, still I see the same ERR_EMPTY_RESPONSE. This works from postman though. – Anil Kumar Sep 22 '20 at 03:11
  • I don't find any reason why it will not run in apache. Can you try it in IIS – CoderSam Sep 22 '20 at 14:32
  • Did you find a solution, I'm stuck here too. Thank you. – Alejandro Vargas Jul 20 '21 at 18:57
  • I switched to a JWT token based authentication. On first login, the token is generated at server, saved to a session table and sent to the browser and is stored in local storage. Every subsequent call sends this token to server and user is authenticated and the response is served. Since the token is present in local storage, when user visits at a later time, the same token lets him automatically sign in. The token is removed only when user clicks sign out. – Anil Kumar Feb 01 '22 at 06:38

0 Answers0