Codeigniter REST API headers & authentication

Adrian Walls · Jan 21, 2014

I am using Phil Sturgeon's REST Controller to build an API. API authentication is performed using API keys. Presently there is only one key defined in the api_keys table on the database and I have set up my client to access the API using this key via the following cURL request:

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $uri);
    //curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
    //curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, FALSE);
    curl_setopt($ch, CURLOPT_MAXREDIRS, 1);
    curl_setopt($ch, CURLOPT_HEADER, TRUE);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
    curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($ch, CURLOPT_TIMEOUT, 45);
    curl_setopt($ch, CURLOPT_HTTPHEADER, array(
        'Content-Type: application/html; charset=utf-8',
        'Accept: application/html',
        'X_API_PREFIX: ' . $this->apiPrefix(),
        'X_API_KEY: ' . $this->apiKey(),
        "User-Agent: ShowHouse/" . ShowhouseClient::API_CLIENT_VERSION . '; PHP ' . phpversion() . ' [' . php_uname('s') . ']',
        'Accept-Language: ' . $this->_acceptLanguage
    ));
    curl_setopt($ch, CURLOPT_USERPWD, $this->apiKey());

    if ('POST' == $method)
    {
        curl_setopt($ch, CURLOPT_POST, TRUE);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    else if ('PUT' == $method)
    {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PUT');
        curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
    }
    else if ('GET' != $method)
    {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    }

    $response = curl_exec($ch);

However I keep getting an invalid API key response back from the API server. The issue appears to be that on the following line in the REST_Controller.php:

if (($key = isset($this->_args[$api_key_variable]) ? $this->_args[$api_key_variable] : $this->input->server($key_name)))

both

$this->_args[$api_key_variable] 

and

$this->input->server($key_name) 

are not actually set. 3 of us in the office have exactly the same code base checked out from the source control repository, the only difference being two of us are running Apache 2.4.4 and the other is running Apache 2.2.24. Both of us running 2.4.4 keep getting an invalid API key error, but it all works fine for the guy running 2.2.24, which would suggest it's an Apache issue, but we just can't get to the bottom of it.

Anyone any ideas why this would be happening like this?

Thanks in advance.

Answer

Adrian Walls · Jan 29, 2014

Found the issue for anyone else who may have the same problem. Apache 2.4.x now enforces stricter translation of headers to environment variables to mitigate against some cross-site scripting attacks via header injection. See:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

"Headers containing invalid characters (including underscores) are now silently dropped."
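The rule quoted in the answer can be checked against the client's header list before a request is sent. The following is an added example, not part of the original answer or of REST_Controller: `cgiEnvName()` and `auditHeaders()` are hypothetical helper names, the header values are placeholders, and it assumes the server reads the key from `$_SERVER['HTTP_X_API_KEY']`.

```php
<?php
// Added example. Models the Apache 2.4 rule quoted above: a request header is
// exported to the CGI environment only if its name consists of letters, digits
// and hyphens; any other character (underscores included) gets it dropped.
// Covers the generic HTTP_* mapping only, not special cases such as Content-Type.

/** Return the HTTP_* variable a header name maps to, or null if it is dropped. */
function cgiEnvName(string $headerName): ?string
{
    if (!preg_match('/^[A-Za-z0-9-]+$/', $headerName)) {
        return null; // invalid character such as "_": no $_SERVER entry is created
    }
    return 'HTTP_' . strtoupper(str_replace('-', '_', $headerName));
}

/** Split "Name: value" lines and report how each header name would be handled. */
function auditHeaders(array $headerLines): array
{
    $report = [];
    foreach ($headerLines as $line) {
        [$name] = explode(':', $line, 2);
        $name = trim($name);
        $env = cgiEnvName($name);
        $report[$name] = [
            'env' => $env,
            // Suggest a hyphenated replacement only when the name would be dropped.
            'use_instead' => $env === null
                ? preg_replace('/[^A-Za-z0-9-]/', '-', $name)
                : null,
        ];
    }
    return $report;
}

// Constructed sample: header names taken from the question, values are placeholders.
$headers = [
    'X_API_PREFIX: example-prefix',
    'X_API_KEY: example-key',
    'Accept-Language: en',
];

foreach (auditHeaders($headers) as $name => $result) {
    if ($result['env'] === null) {
        $fixed = $result['use_instead'];
        printf("%-16s dropped; send %s (-> %s)\n", $name, $fixed, cgiEnvName($fixed));
    } else {
        printf("%-16s -> %s\n", $name, $result['env']);
    }
}
```

Because a hyphen and an underscore in a header name both translate to `_` in the environment variable, `X-API-KEY` and `X_API_KEY` would collide on `HTTP_X_API_KEY`; sending the hyphenated form keeps the name the server looks up while passing the stricter check.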