Authenticating Flask API with Wordpress - wordpress

I have two websites: a WordPress blog that hosts the majority of the content, and an API I have written with Flask. I would like to consume the API from within WordPress (a password-protected page), but I need to verify that the request is authenticated before responding from Flask.
How can I verify that a user is logged in to WordPress when I get a request to the Flask API?

You can implement API key authentication (example in Flask: https://blog.teclado.com/api-key-authentication-with-flask/) or simply use JWT.
For extra security, we can limit accepted requests to certain domains such as your WordPress page, add expiration, or allow a key to be revoked.

I'm not clear whether you are communicating directly between WordPress and the Flask app (i.e. a server-to-server API) or whether you want the browser that is showing a WordPress page to then call an API hosted in the Flask app. If the former, then the API key method described by hungtran273 could work well for you.
This answer focuses on the latter (JS in the browser that proves the WordPress identity to the Flask app). This plugin uses a private key to produce a JWT for the user login. This avoids adding an API key per user. The Flask app can then use the associated public key to verify the JWT.
As written, this requires you to put the private key in PEM format in the same directory as the plugin, which is not good practice in production use.
rk_certinfo.php
<?php
/**
 * Plugin Name: CertifiedUserInfo
 * Plugin URI: https://ricardkelly.com/
 * Description: Provides a JWT asserting the logged-in user to the site
 * Version: 1.0.0
 * Requires at least: 5.2
 * Requires PHP: 7.2
 * Author: Ricard Kelly
 * Author URI: https://ricardkelly.com/
 */
function rk_certinfo_infoblock() {
    if ( is_user_logged_in() ) {
        $current_user = wp_get_current_user();
        $subject = $current_user->user_login;
        $header = json_encode([
            'typ' => 'JWT',
            'alg' => 'RS256',
        ]);
        $payload = json_encode([
            'iss' => get_site_url(),
            'sub' => $subject,
            'iat' => time(),
            'exp' => time() + (60*60*24),   // token is valid for 24 hours
        ]);
        // base64url: JWT segments use '-' and '_' and drop the '=' padding
        $base64UrlHeader = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($header));
        $base64UrlPayload = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($payload));
        $data = $base64UrlHeader . "." . $base64UrlPayload;
        // Private key read from the plugin directory (see the note above about production use)
        $keyPrivatePath = plugin_dir_path( __FILE__ ) . 'private-key.pem';
        $fp = fopen($keyPrivatePath, "r");
        $privateKey = fread($fp, 8192);
        fclose($fp);
        openssl_sign($data, $signature, $privateKey, OPENSSL_ALGO_SHA256);
        $base64UrlSignature = str_replace(['+', '/', '='], ['-', '_', ''], base64_encode($signature));
        $jwt = $data . "." . $base64UrlSignature;
        // Expose the JWT to page scripts as rk_certinfo()
        echo "<script>\nfunction rk_certinfo() {\n";
        echo " return \"" . $jwt . "\";\n";
        echo "}\n";
        echo "</script><!-- \n";
        echo $payload;
        echo "\n -->\n";
    }
}
add_action( 'wp_footer', 'rk_certinfo_infoblock' );
?>
The code emits a script function that you can call from elsewhere in your page to get the JWT for passing to the Flask API. It also emits a comment that just gives you the signed info, which you would probably remove from the plugin after verifying it is producing the information you expect.
Here's a Flask app that consumes the JWT token in the Authorization header.
app.py
from flask import Flask, jsonify, request
from functools import wraps
import jwt   # PyJWT

app = Flask(__name__)

# Public half of the key pair whose private half signs the JWT in the plugin
public_key = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArKY5qH99Ouc/M/egCu6Z
ignTibNPXjNMOK2JYF00ytkfvafqMLuKrEjfExs6U+VQxqQQ4ZyzG/owaqht/zlR
aNhJMJOf0GA5EjtrT++uLh5k5MkA+hgWkRqIB869vctEpUSWzSOwOAR1OFoRXDAR
eESAw+LM4U/o9jq7A9IkgrgpoTC2F5th3ps4Sm7d2xiCLxyRWBmHHTYm7xaybOMe
xA7RzJCT04eUWwobYXdpvfhL8+izOuQlaA1+/dMCnaUWLModULgDlQFYDItULLNk
CF9UkrfpwYJUsO6oP/Ue7GvqtRHYkOfTh5GKtmB+pSlCuc+k+IPbeq6ljHFOLFTl
kQIDAQAB
-----END PUBLIC KEY-----
"""

def token_required(f):
    @wraps(f)
    def decorator(*args, **kwargs):
        token = None
        if 'Authorization' in request.headers:
            token = request.headers['Authorization']
            token = token.replace('Bearer', '').strip()
        if not token:
            return jsonify({'message': 'a valid token is missing'})
        try:
            # The accepted algorithm list is pinned here; the token's own
            # header is not trusted to choose it
            data = jwt.decode(token, public_key, algorithms=["RS256"])
            current_user = data['sub']
        except Exception as ex:
            return jsonify({'message': 'token is invalid'})
        return f(current_user, *args, **kwargs)
    return decorator

@app.route('/api/<id_value>')
@token_required
def api_call(current_user, id_value):
    return jsonify({'message': f'id provided was {id_value} by {current_user}'})

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000)
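The plugin and Flask app above verify the signature and expiry, but they do not check who issued the token or which API it was meant for, and they trust the sub claim as soon as the signature is good. The following is an added example, not code from either answer or from the plugin, that shows the full set of checks a verifier should do before trusting sub: pin the algorithm rather than reading it from the token header, compare the signature in constant time, and check iss, aud, exp and iat with a small clock-skew allowance. It uses an HS256 shared secret instead of the RS256 key pair above so that it runs on the Python standard library alone; the claim checks are the same for both. SHARED_SECRET, ISSUER and AUDIENCE are constructed sample values, and mint_jwt stands in for what the WordPress plugin does.

```python
# Added example (not from the original answers): mint a WordPress-style JWT with a
# shared secret (HS256) and verify it with the algorithm pinned, the signature compared
# in constant time and the iss/aud/exp/iat claims checked before trusting sub.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values. A real secret would be generated once and stored on both
# the WordPress and Flask hosts, outside the web root.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "https://blog.example"          # what get_site_url() returns on the WordPress side
AUDIENCE = "https://api.example/flask"   # the Flask API that is allowed to accept the token


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as the plugin's str_replace chain produces."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; padding is restored before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(subject: str, now: int, lifetime: int = 600) -> str:
    """Stand-in for the WordPress plugin: short lifetime and an explicit aud claim."""
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"iss": ISSUER, "aud": AUDIENCE, "sub": subject,
               "iat": now, "exp": now + lifetime}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class TokenError(Exception):
    """Raised for any rejected token; the HTTP layer maps it to a 401."""


def verify_jwt(token: str, now: int, leeway: int = 30) -> dict:
    """Verify the signature first, then the claims. The header's alg is never trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        # A token claiming alg "none" or any other algorithm is rejected outright
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            raise TokenError("unexpected alg")
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise TokenError("bad signature")
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:   # covers bad base64 and bad JSON
        raise TokenError("undecodable token") from exc
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise TokenError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + leeway:
        raise TokenError("expired")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + leeway:
        raise TokenError("issued in the future")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def bearer_from_header(authorization: Optional[str]) -> Optional[str]:
    """Take the token out of 'Authorization: Bearer <jwt>' by splitting on the scheme,
    rather than replace('Bearer', ''), which would also edit the token body."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


if __name__ == "__main__":
    t0 = int(time.time())
    token = mint_jwt("alice", t0)
    print(verify_jwt(bearer_from_header("Bearer " + token), t0)["sub"])   # alice
```

In a Flask app the decorator would call bearer_from_header on request.headers.get('Authorization'), pass the result to verify_jwt with int(time.time()), and turn a TokenError into a 401 response; the lifetime in mint_jwt is deliberately minutes rather than the 24 hours in the plugin, since the token is handed to browser-side script.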

Related

Symfony api with callback

I am having a problem while trying out Symfony for my course projects.
To keep it simple, I have an API route
which allows you to create a subscription (fictitious, of course).
In the controller of this route I call another URL (that of the teacher, to simulate the payment).
The teacher in turn calls one of my API routes to register the transaction made, via a POST route.
However, the Symfony server does not allow it.
Indeed, it waits for the return of a route and therefore puts everything else on standby until the 504 error arrives ... only then does it trigger the insertion.
Anyone have a little idea? :)
Cordially,
Quillian
For the code, this is my custom controller.
The client request sends me a POST when I call it, but the Symfony server just locks on the response.
But for the response we need to insert the post ...
$abo = $this->abonnementRepository->findOneBy(['id' => $id]);
$response = $this->client->request(
    'GET',
    $this::URL . '/cardpay/' . $this::UUID . '/' . $id . '/' . $cardNumber . '/' . $month . '/' . $years . '/50'
);
$statusCode = $response->getStatusCode();
$data = new stdClass();
$data->status = $statusCode;
$myJSON = json_encode($data);
return new JsonResponse($myJSON, $statusCode, [], true);

Custom wordpress login with API Rest and angular

Is there a way to create a custom login with the WordPress REST API and Angular?
Currently I'm using the WP REST API - OAuth 1.0a Server plugin but I can't figure out how to do it.
Or maybe it's possible using the two methods (Basic Authentication and OAuth)?
I would appreciate any help.
I have been wrestling with this the past couple weeks. It kind of depends on your use case.
First, don't use Basic Auth. It's insecure and for development only. Not worth the time to set up.
OAuth (I think) is for when you already have a repository of users somewhere, and those users want to give your app approval to access their info, create an account for them, etc. Think of a "Login with Facebook!" button or something; that's OAuth. Could be wrong, but I don't think that's what you want.
What I landed on, and what I think you are asking for, was JWT or JSON Web Token Auth. This is best for me because I want users to be able to create new user accounts and log in to them completely within the app.
First, install the JWT Authentication for WP-API plugin:
https://wordpress.org/plugins/jwt-authentication-for-wp-rest-api/
This will expose a new endpoint for JWT authentication in the REST API. You will ping that endpoint with user credentials, and get a token response. You then store that token somehow (I'm currently using localStorage) and append it to the request headers of every request that requires permissions. De facto you are logged in! See the plugin docs for details. The example code for attaching the request is in AngularJS, not Angular 2/4, but the concept is the same. Here's an example from a service that posts a comment.
postComment(comment): any {
    let headers = new Headers({ 'Authorization': 'Bearer ' + JSON.parse(localStorage.getItem('currentUser')).token });
    let options = new RequestOptions({ headers: headers });
    return this.http
        .post(this._wpBase + "comments", comment, options)
        .subscribe((res: Response) => {
            res.json();
        });
}
There is probably a fancier, global way to do this but I am still figuring it all out. Hope this is helpful!
Paste the following code into your theme's functions.php file.
Make sure that the WP-REST-API plugin is installed on the WordPress site.
add_action( 'rest_api_init', 'register_api_hooks' );
function register_api_hooks() {
    register_rest_route(
        'custom-plugin', '/login/',
        array(
            'methods'  => 'GET',
            'callback' => 'login',
        )
    );
}
function login( $request ) {
    $creds = array();
    $creds['user_login']    = $request["username"];
    $creds['user_password'] = $request["password"];
    $creds['remember']      = true;
    $user = wp_signon( $creds, false );
    // On failure wp_signon() returns a WP_Error; returning it lets the REST API
    // serialize the error, instead of echoing text into the JSON response body
    return $user;
}
Then your API will be available at
http://www.url.com/wp-json/custom-plugin/login?username=xyz&password=xyz
Try it with Postman. You will get 200 as a response and the user info.

Receive Bearer Token from API with R

I'm searching for a solution to receive a Bearer token from an API using a username and password.
Right now I'm reading the token through Chrome and extracting my data, which is less than ideal of course.
I tried with httr and curl to obtain the Bearer token through R, but I think I am quite lost.
I think it should be quite simple; from the login information I gathered, the login form sends
{"username":"name","password":"pw"}. Shouldn't this just work with the POST command and the right headers?
POST(url = "api_login", config = add_headers(c("username: name", "password: pw")))
Doesn't work at all. I can provide the example for PHP, which looks like this:
<?php
// Include Request and Response classes
$url = 'url';
$params = array(
    'username' => 'sample_username',
    'password' => 'sample_password'
);
// Create a new Request object
$request = new Request($url, 'POST', $params);
// Send the request
$request->send();
// Get the Response object
$response = $request->getResponse();
if ($response->getStatusCode() == 200) {
    print_r($response->getBodyDecoded());
}
else {
    echo $response->getStatusCode() . PHP_EOL;
    echo $response->getReasonPhrase() . PHP_EOL;
    echo $response->getBody() . PHP_EOL;
}
?>
As I'm not very familiar with PHP, I would be very pleased for any help or a guide in the right direction. I searched for hours
for API access through R but everything looks very specific to a particular login.
I figured out this API uses a deprecated version of Swagger, if that is any useful information.
That's what I'm doing at the moment: logging in with the website and reading the token out of my browser. I want to log in from inside R, sorry if I wasn't clear.
I updated my code now to:
opts = curlOptions(verbose = TRUE,
                   ssl.verifypeer = T)
postForm(url,
         "username:" = uname, "password:" = pswd,
         httpheader = c('Content-Type' = 'application/json', Accept = 'application/json'),
         .opts = opts,
         style = 'POST'
)
Which results in an error: SSL certificate problem: self signed certificate in certificate chain.
I tried a lot of different certificates with 'cainfo' inside the argument but can't make it work.

Cannot Authenticate Salesforce in a Wordpress Plugin

I'm getting an error (INVALID_SESSION_ID) when trying to send an authenticated GET request to Salesforce.com.
Here is the plug-in in its entirety, which basically just outputs the body of the REST response to whatever page has the [MembershipTables] shortcode:
if (!class_exists('WP_Http')) {
    include_once(ABSPATH . WPINC . '/class-http.php');
}
// This is obviously the real username
$username = 'xxxx#xxxx.xxx';
// And this is obviously the real password concatenated with the security token
$password = 'xxxxxxxxxxxxxx';
function getMembershipTables() {
    // Without this declaration the two variables above are undefined inside the function
    global $username, $password;
    $api_url = 'https://na15.salesforce.com/services/apexrest/directory';
    $headers = array('Authorization' => 'Basic ' . base64_encode("$username:$password"));
    $args = array('headers' => $headers);
    $request = new WP_Http;
    $result = $request->request($api_url, $args);
    $body = $result['body'];
    echo "$body";
}
add_shortcode( 'MembershipTables', 'getMembershipTables' );
I should note that I can successfully hit this endpoint with curl, though I use a session token I get from Salesforce using the old SOAP API to keep it equivalent (i.e., no client id/secret).
Am I doing something wrong with WP_Http? Or can I not authenticate a salesforce.com request using basic auth?
Thanks.
The Salesforce API does not support Basic authentication; you need to call it with a sessionId. You can obtain a sessionId by various methods, including interactive and programmatic OAuth2 flows, and via a SOAP login call.
Basis Interactive had a similar problem to solve. When I worked on the project I opted to call the SalesForce CRM via the preset form plugin and a custom JS Cookie PHP WordPress plugin. We had this problem easily resolved by developing custom calls to SalesForce CRM via a getRequest in PHP passing data to the SalesForce CRM.
Test Site in Use:
http://newtest.medullan.com/wp/?page_id=3089
Here is the code and recycle the logical queries
Download Link:
http://basisinteractive.net/webdesign.html#wordpress

PHP SDK: How do I capture the access token after user auths app?

This is for a canvas app on the Facebook Platform using the new(est) Facebook PHP SDK.
We are using the PHP example from the Facebook tutorial (https://developers.facebook.com/docs/appsonfacebook/tutorial/) to trigger the OAuth dialog and get the test user to the redirect URL.
At the redirect URL, we use the PHP example from the Facebook signed request docs page (https://developers.facebook.com/docs/authentication/signed_request/) and our test users can successfully authorize the app.
However, after the test user auths the app, we are not able to capture the access token and its expiration. We can see it in the address bar appended to the redirect URL, but it does not show up in the $_REQUEST array. If we add {$access_token = $facebook->getAccessToken();} to the redirect URL page, it shows a value for the access token, but the value it shows is not the full token string that we see when we click on Show Token in the Test User Roles page (which we believe is the correct access token for the test user).
Here is an example of the redirect URL with an access token appended:
http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php#access_token=126736467765%7C2.AQDavId8oL80P5t9.3600.1315522800.1-100002908746828%7CJICJwM1P_97tKmqkEO5pXDCf-7Y&expires_in=6008
Here is what var_dump shows for the $_REQUEST array for that same page:
array(3) { ["_qca"]=> string(26) "P0-709927483-1291994912966" ["__switchTo5x"]=> string(2) "30" ["PHPSESSID"]=> string(26) "euois02ead39ijumca7nffblh2" }
We have no idea why the $_REQUEST array differs from the values appended to the URL, and more importantly, how to capture the access token and its expiration date.
Can someone show us a working example of how they capture this data after running the parse_signed_request($signed_request, $secret) function on the redirect page? Thanks!
ADDITIONAL INFO:
Here is the pertinent code from A) our test index page, and B) our test redirect page. If we use our test index page as the redirect URL it gets stuck in an endless loop, because the user is never identified.
A) Index Page
// Create kk-fb app instance
$facebook = new Facebook(array(
    'appId'  => KKFB_ID,
    'secret' => KKFB_KY,
    'oauth'  => true,
));
$app_id = KKFB_ID;
$secret = KKFB_KY;
$canvas_auth = 'http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php';
$auth_url = "https://www.facebook.com/dialog/oauth?"
    . "client_id=" . $app_id
    . "&redirect_uri=" . urlencode($canvas_auth)
    . "&response_type=token"
    . "&scope=email,publish_stream";
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
if (empty($data["user_id"])) {
    echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {
    echo ("Welcome User: " . $data["user_id"]);
}
B) Redirect Page
// Create kk-fb app instance
$facebook = new Facebook(array(
    'appId'  => KKFB_ID,
    'secret' => KKFB_KY,
    'oauth'  => true,
));
$app_id = KKFB_ID;
$secret = KKFB_KY;
$signed_request = $_REQUEST["signed_request"];
list($encoded_sig, $payload) = explode('.', $signed_request, 2);
$data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
$user = $facebook->getUser();
$access_token = $facebook->getAccessToken();
echo "User: $user <br>";
echo "Access Token: $access_token <br>";
echo "Signed Request: $signed_request <br>";
var_dump($_REQUEST);
Here is what shows up as these echo results:
User: 0
Access Token: 126736467765|**SECRET**
Signed Request:
array(3) { ["_qca"]=> string(26) "P0-709927483-1291994912966" ["_switchTo5x"]=> string(2) "30" ["PHPSESSID"]=> string(26) "frugi545cdl15gjind1fnv6pq1" }
Interestingly, when the test user goes back to the index page the if condition is satisfied and we can get the correct access token:
Welcome User: 100002908746828
Access Token: 126736467765|2.AQBgcyzfu75IMCjw.3600.1315544400.1-100002908746828|m5IYEm976tJAkbTLdxHAhhgKmz8
Obviously, we are still missing something!? Also, we need to learn how to get the expiration time as a variable too so we can store both of these in our database.
OK, let's try this again.
Server-side vs Client-side Authentication
You are exclusively using the PHP SDK, so you want to do server-side authentication, where the authentication code is sent to the server over HTTP via the URL. This will allow you to fetch an access token for the user on the first page load after auth (in your case, the redirect page). The auth_url you are currently constructing is setting response_type=token, which forces the redirect to use client-side auth mode and set the token in the URL fragment instead of in the query. You should remove that parameter completely. In fact, I highly recommend you just use the PHP SDK instead of constructing that URL yourself. See example below.
Application Access Tokens
The odd-looking access token 126736467765|SECRET is your application access token, which is composed of your app ID and secret key. The application access token is returned by getAccessToken() if no user access token is available (because some API calls require at least some sort of access token). This also means that you've revealed your secret key to the world via this blog post, so you should reset your app secret otherwise anyone will be able to make API calls on your behalf. I highly recommend you elide parts of your access tokens if you share them with others.
Token Expiration
The OAuth 2.0 flow and v3.1.1 of the PHP SDK don't make determining the expiration time of a token all that easy. I would suggest attempting to make the API call, and then refreshing the token if the API call fails with an OAuthException. Tokens can be invalid even if they haven't expired, so this deals with more cases. However, if you still want to maintain the expiration date on your end, you might just want to extract it from the token itself. If you have an expiring token, then the expiration timestamp will be contained within that string. Here's a function I put together quickly to extract that:
function extractExpirationFromToken($access_token) {
    $segments = explode('|', $access_token);
    if (count($segments) < 2) { return 0; }
    $segments = explode('.', $segments[1]);
    if (count($segments) < 4) { return 0; }
    $expires = $segments[3];
    $dash_pos = strrpos($expires, '-');
    if ($dash_pos !== false) {
        $expires = substr($expires, 0, $dash_pos);
    }
    return $expires;
}
New Index Page Code
// Create kk-fb app instance
$facebook = new Facebook(array(
    'appId'  => KKFB_ID,
    'secret' => KKFB_KY,
));
$canvas_auth = 'http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php';
$auth_url = $facebook->getLoginUrl(array(
    'scope'        => 'email,publish_stream',
    'redirect_uri' => $canvas_auth, // you could just redirect back to this index page though
));
$user = $facebook->getUser();
if (empty($user)) {
    echo("<script> top.location.href='" . $auth_url . "'</script>");
} else {
    echo ("Welcome User: " . $user);
}
Redirect Page
I don't think you need this page at all. You could just redirect the user back to your original index page.
// Create kk-fb app instance
$facebook = new Facebook(array(
    'appId'  => KKFB_ID,
    'secret' => KKFB_KY,
));
$user = $facebook->getUser();
$access_token = $facebook->getAccessToken();
// also copy the function definition given earlier
$expiration = extractExpirationFromToken($access_token);
echo "User: $user <br>";
echo "Access Token: $access_token <br>";
echo "Expiration: $expiration <br>";
echo "Request: <br>";
var_dump($_REQUEST);
You can use the Facebook built-in method getAccessToken(), for example:
$access_token = $facebook->getAccessToken();
This will give you the access token in your variable. Now, if you are getting it empty, remember to first check that the fuid is being properly caught; if it isn't, you might need to review your settings. Be sure your "App Domain" is set; this part is very important. After setting it correctly you need to reset your app secret, then set your new values in your auth code. Hope this helps, let me know :)
P.S. Also remember to keep the scope of your variables visible in your whole PHP file or class.
Problem
The access_token in your pasted URL is not part of the query string, but instead contained in the URL fragment (after the #). URL fragments are not sent to the web server, and are readable only by client-side code like Javascript. Therefore the PHP SDK only sees http://karmakorn.com/karmakorn/alpha20/kk-fb-auth.php, which is why $_REQUEST does not contain an access_token key.
Questions / Notes
What are you using for your redirect_uri? I think you want to be using something like http://apps.facebook.com/your_canvas_url/
You shouldn't need to call parse_signed_request yourself or copy any code from the signed request page. The PHP SDK will do that for you. Just call:
$facebook = new Facebook(array(
    'appId'  => '…',
    'secret' => '…',
));
$access_token = $facebook->getAccessToken();
Possible solutions
Also use the Facebook Javascript SDK. You can start by adding its <script> tag in your destination page (kk-fb-auth.php) (see the docs for full details; don't forget to set oauth: true). The JS SDK should set a cookie (named fbsr_126736467765) which the PHP SDK will be able to read via $_REQUEST or $_COOKIE on subsequent page loads.
If you want to do this with PHP, you can get the user's access token with a separate call to the Graph API at your redirect_uri. For this you need to change the response_type of your $auth_url in your index page to "code" or "code token".
Then, at your redirect page, Facebook will add a "code" parameter in the querystring. This API call will return you the full access_token and expiration time:
https://graph.facebook.com/oauth/access_token?
client_id=YOUR_APP_ID&
redirect_uri=YOUR_URL&
client_secret=YOUR_APP_SECRET&
code=$_REQUEST['code']
For more information you can refer to the docs on authentication.