[SOLVED]

 Setting up Rest API Web Service using API Key - Access denied

8/8/2020 3:11:29 AM
PHPRunner General questions
acpan author

Hi all!
I just upgraded to 10.04 and am trying out PHPRunner's REST API using the cars template.

Remove any existing event code from the pages you want to send REST API calls to.
Steps to enable HTTP basic for REST API:

  1. I enabled the REST API at MISC menu.
  2. I then choose HTTP Basic.
  3. Tested with POSTMAN, it works.
    Postman Settings:



URL GET: http://localhost:8089/api/v1.php?table=carscategory&action=list
Authorization: Basic Auth

Username: admin

Password: admin


Results:
{"data":[{"id":"1","category":"Passenger Carss"},{"id":"2","category":"Sporting Cars"}],"success":true}
So far so good.
Now, here's where I ran into a problem, when I used API Key instead of Basic Auth. When requesting with Postman, I get:
{"error":"Access denied","success":false}
Steps:

  1. I set to use API Key at the PHPR's MISC menu, and choose username as the apikey (to keep it simple for testing).
  2. According to PHPRunner 10.04 menu, about API Key settings:
    API Key Authorization:



An example of authentication of the user with apikey dsagdsew45234etw435.

curl -H "X-Auth-Token: dsagdsew45234etw435" "http://localhost:8086/api/v1.php?table=customers&action=list";


So I set up with POSTMAN the following settings:



URL GET: http://localhost:8089/api/v1.php?table=carscategory&action=list
Authorization: API Key

Key: apikey

Value: admin

Add to: header


When run in Postman, it failed.
It gave: {"error":"Access denied","success":false}
3. I tried also from browser:



http://localhost:8089/api/v1.php?apikey=admin&table=carscategory&action=list


again gave: {"error":"Access denied","success":false}
4. I checked through the Security and Permission settings in PHPRunner for the tables; all are enabled for the Guest, admin and default groups.
(P.S. I have also watched Corrie's video: https://www.youtube.com/watch?v=MHr67SWh8xU )
What could be the issue?
Many thanks if anyone has tried it and can share the experience.
ACP

admin 8/8/2020

Try that CURL command and it will work.
Also in Postman instead of "apikey" use "X-Auth-Token" and it should also work.
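
A way to run the comparison from this thread in one pass, as an added example that is not part of the original posts or PHPRunner's own code: `probe` sends the same key as an `X-Auth-Token` header, as an `apikey` header and as an `apikey` query parameter. `StubApi` is a hypothetical local stand-in that accepts only `X-Auth-Token` and answers 401 otherwise (an assumption modelled on the replies here, not PHPRunner's implementation).

```python
import json, threading, urllib.error, urllib.parse, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

STUB_KEYS = {"dsagdsew45234etw435"}  # constructed stand-in for the users-table key field

class StubApi(BaseHTTPRequestHandler):
    """Hypothetical local stand-in: only the X-Auth-Token header is checked."""
    def do_GET(self):
        ok = self.headers.get("X-Auth-Token", "").strip() in STUB_KEYS
        body = json.dumps({"data": [], "success": True} if ok
                          else {"error": "Access denied", "success": False}).encode()
        self.send_response(200 if ok else 401)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):  # keep the console quiet
        pass

def probe(base_url, key):
    """Send the key in each place tried in the thread; return {variant: (status, success)}."""
    variants = {
        "header X-Auth-Token": (base_url, {"X-Auth-Token": key}),
        "header apikey": (base_url, {"apikey": key}),
        "query apikey": (base_url + "&apikey=" + urllib.parse.quote(key, safe=""), {}),
    }
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    results = {}
    for name, (url, headers) in variants.items():
        req = urllib.request.Request(url, headers=headers)
        try:
            with opener.open(req, timeout=5) as resp:
                status, raw = resp.status, resp.read()
        except urllib.error.HTTPError as err:  # a 401 arrives as an exception
            status, raw = err.code, err.read()
        results[name] = (status, json.loads(raw).get("success"))
    return results

def run_against_stub(key):
    """Start the stub on a free port, probe it, and shut it down again."""
    server = HTTPServer(("127.0.0.1", 0), StubApi)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_port
        return probe(f"http://127.0.0.1:{port}/api/v1.php?table=carscategory&action=list", key)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    for variant, outcome in run_against_stub("dsagdsew45234etw435").items():
        print(variant, outcome)
```

Calling `probe` with the URL of your own local project instead of the stub shows which of the three variants that server accepts.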

MikeT 8/9/2020

Can anyone confirm that it works as expected in the newest build of phpr? I also tried it with the cars template, removed event code that could interfere, and I also get {"error":"Access denied","success":false} with Api_key method. (Basic Auth works).

I think I tried every possible curl/postman method for a GET request, but might still miss something, that's why I'm asking before complaining too much;-)

acpan author 8/9/2020



Can anyone confirm that it works as expected in the newest build of phpr? I also tried it with the cars template, removed event code that could interfere, and I also get {"error":"Access denied","success":false} with Api_key method. (Basic Auth works).

I think I tried every possible curl/postman method for a GET request, but might still miss something, that's why I'm asking before complaining too much;-)


I tried again, it is still the same problem.
ACP

acpan author 8/10/2020



Try that CURL command and it will work.
Also in Postman instead of "apikey" use "X-Auth-Token" and it should also work.


Tried that, it is still the same problem.
Do check if this is a bug or provide a demo so we can follow closely.
Many thanks.

ACP

admin 8/10/2020

Show me your CURL command and the results it yields.

acpan author 8/10/2020



Show me your CURL command and the results it yields.


Hi Sergey,
Here's the Curl Command Output:
MISC Setting:
Authorization: API key
Field in users table where key is kept:

username


C:\Users\admin>curl -H "X-Auth-Token:admin" "http://localhost:8089/api/v1.php?table=carscategory&action=list";

{"error":"Access denied","success":false}
C:\Users\admin>curl -H "X-Auth-Token:admin" "http://localhost:8089/api/v1.php?table=carscategory&action=list"; --verbose

* Trying ::1...

* TCP_NODELAY set

* Trying 127.0.0.1...

* TCP_NODELAY set

* Connected to localhost (127.0.0.1) port 8089 (#0)

> GET /api/v1.php?table=carscategory&action=list HTTP/1.1

> Host: localhost:8089

> User-Agent: curl/7.55.1

> Accept: */*

> X-Auth-Token: admin

>

< HTTP/1.1 401 Unauthorized

< Date: Mon, 10 Aug 2020 23:12:54 GMT

< Server: Apache/2.4.37 (Win32) PHP/5.6.40

< X-Powered-By: PHP/5.6.40

< Set-Cookie: 74Fbjlq0zC5XeSr2KOaw=gofbaqiemjar4ddf65ar9548v6; path=/

< Set-Cookie: runnerSession=qfwaffcatfug1maqoq0l; Path=/api/; HttpOnly; SameSite=Strict;

< Cache-Control: no-cache, no-store, max-age=0, must-revalidate

< Pragma: no-cache

< Expires: Fri, 01 Jan 1990 00:00:00 GMT

< Content-Length: 41

< Content-Type: text/html; charset=utf-8

<

{"error":"Access denied","success":false}* Connection #0 to host localhost left intact


Using HTTP basic:



C:\Users\admin>curl --user "admin:admin" "http://localhost:8089/api/v1.php?table=carscategory&action=list";

{"data":[{"id":"1","category":"Passenger Carss"},{"id":"2","category":"Sporting Cars"}],"success":true}

C:\Users\admin>curl --user "admin:admin" "http://localhost:8089/api/v1.php?table=carscategory&action=list"; --verbose

* Trying ::1...

* TCP_NODELAY set

* Trying 127.0.0.1...

* TCP_NODELAY set

* Connected to localhost (127.0.0.1) port 8089 (#0)

* Server auth using Basic with user 'admin'

> GET /api/v1.php?table=carscategory&action=list HTTP/1.1

> Host: localhost:8089

> Authorization: Basic YWRtaW46YWRtaW4=

> User-Agent: curl/7.55.1

> Accept: */*

>

< HTTP/1.1 200 OK

< Date: Mon, 10 Aug 2020 23:18:29 GMT

< Server: Apache/2.4.37 (Win32) PHP/5.6.40

< X-Powered-By: PHP/5.6.40

< Set-Cookie: 74Fbjlq0zC5XeSr2KOaw=b21cg9tm1jgk29fvkuir22tc04; path=/

< Set-Cookie: runnerSession=b7wmafbsv0pg56wnpm8s; Path=/api/; HttpOnly; SameSite=Strict;

< Cache-Control: no-cache, no-store, max-age=0, must-revalidate

< Pragma: no-cache

< Expires: Fri, 01 Jan 1990 00:00:00 GMT

< Set-Cookie: runnerSession=nljvks7dkf1879exlg4g; Path=/api/; HttpOnly; SameSite=Strict;

< Content-Length: 103

< Content-Type: text/html; charset=utf-8

<

{"data":[{"id":"1","category":"Passenger Carss"},{"id":"2","category":"Sporting Cars"}],"success":true}* Connection #0 to host localhost left intact


Thanks

ACP

admin 8/10/2020
C:\tmp>curl -H "X-Auth-Token: admin" "http://localhost:8086/api/v1.php?table=todousers&action=list";

{"data":[{"id":"1","username":"admin","password":"admin","fullname":"","avatar":"","daystoadd":"30","apikey":"dsagdsew45234etw435"}],"success":true}


Maybe you are using an old version of PHPRunner?

acpan author 8/11/2020



Maybe you are using an old version of PHPRunner?


Downloaded the latest copy Build 35571 (x64), and installed on a new directory, still no luck.
ACP

MikeT 8/11/2020

I tried it again with a new project, starting from scratch, and there it works with API token.

Maybe it's somehow related to the Cars template? I tried a lot of things (e.g. removing event code) but couldn't get it to work with the cars template.
Just a thought, because both acpan and I started with a new project from the cars template.
(BTW: I'm on the newest build of phpr)

admin 8/11/2020

Yes, it might be something related to the template. It is always a smart idea to start from scratch.

fdiazp 8/11/2020

I have a project that doesn't use templates, and API key security doesn't work; I get the same error. I'm working with version 35571 (64 bits).

the curl is
curl -H "X-Auth-Token: $2y$10$WWK3VK6aX6VYj7JIY/LEeuJJNE2xYaaGWfKvnbvtZL.KgWwKAdxKO" "http://localhost/apitest/api/v1.php?table=per&action=list";
Get this Error:

% Total % Received % Xferd Average Speed Time Time Time Current

Dload Upload Total Spent Left Speed

100 41 100 41 0 0 336 0 --:--:-- --:--:-- --:--:-- 338{"error":"Access denied","success":false}

admin 8/11/2020

We have found that currently REST API authorization via API key doesn't work with password encryption/hashing enabled. We will fix it shortly.

acpan author 8/11/2020



We have found that currently REST API authorization via API key doesn't work with password encryption/hashing enabled. We will fix it shortly.


Thanks for the confirmation and all that tried. Shall wait for the fix.
ACP.

acpan author 8/26/2020



Here it is:

https://asprunner.com/forums/topic/27703-august-24-2020-phprunner-asprunernet-asprunnerpro-104-maintenance-release/


Thank you.
Tested working on both HTTP Basic and API Key as described. Great!
ACP