WooCommerce API Basic Auth fails over https on PHP-FPM (FCGI) #12230

Closed
seagyn opened this Issue Nov 2, 2016 · 4 comments

seagyn commented Nov 2, 2016

For the last couple of days, I've dedicated time to solve a basic auth issue I've been having an issue with. I looked at the API docs over and over to see if there is something I missed and eventually decided to just debug the authentication class line by line.

What I found is that the auth headers get stripped on PHP-FPM although it may be a module that is causing the issue. Is there any way this can be checked prior to implementation for the sake of bleeding eyes?

OAuth 1 seems a bit of a nightmare to implement and passing credentials via a URL seems a little insecure but may be the only way. Note: it does work using basic auth via query params - would this be best practice though?

Member

claudiosanches commented Nov 3, 2016

The problem is because your server is not getting the HTTP_AUTHORIZATION.
Should parse it into $_SERVER['PHP_AUTH_USER'] and $_SERVER['PHP_AUTH_PW'].
So you just need to fix it on your server or use the basic auth as query params, since we implemented it as fallback for people with servers configured wrong like yours.


seagyn commented Nov 3, 2016

Hey @claudiosanches,

Thanks for the feedback. Yeah I already understand the problem, is there no check that can be done so a more appropriate response can be given? (I guess you guys would have done it already)

This specific client is running on a Hetzner managed dedicated server so telling them that they must fix it would most likely get a response "You need to fix your software" although they are generally pretty friendly.

Last question before I stop bugging you (sorry that I have, I know you're pretty busy), when you say that our server is configured wrong, do you know why a company like Hetzner would not parse the headers or is it just a matter of them not knowing what they're doing?

Anyway, still love Woo, keep up the great work :)

Member

claudiosanches commented Nov 3, 2016

> This specific client is running on a Hetzner managed dedicated server so telling them that they must fix it would most likely get a response "You need to fix your software" although they are generally pretty friendly.

You need to fix it on Apache or Nginx.

> Last question before I stop bugging you (sorry that I have, I know you're pretty busy), when you say that our server is configured wrong, do you know why a company like Hetzner would not parse the headers or is it just a matter of them not knowing what they're doing?

No idea who Hetzner is. But by default installing Apache or Nginx you don't have this kind of problem.


seagyn commented Nov 3, 2016

> You need to fix it on Apache or Nginx.

Again, I can't fix it, I wish I could. It's a managed server which means they manage the software. I've asked them why they would remove this although it seems pretty common for PHP running as CGI/FastCGI.

> No idea who Hetzner is. But by default installing Apache or Nginx you don't have this kind of problem.

Hetzner is the biggest hosting company in South Africa. Apologies, I assumed you might have heard it mentioned by your South African colleagues. (It's also based in Germany)

I'll just go with the query params for now because that's been working (naturally, I'll still try to find a way to make this work). Thanks again, Claudio.
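
The kind of check asked about in this thread, as an added example that is not WooCommerce's code and not part of any comment above: it resolves Basic credentials from the places they can end up under CGI/FastCGI and reports why none were found. The function name, return shape and sample values are hypothetical, and `consumer_key` / `consumer_secret` are assumed as the query-parameter names.

```php
<?php
// Added example, not WooCommerce code. $server is a $_SERVER-style array,
// $query a $_GET-style array; function name and return shape are hypothetical.
function resolve_basic_credentials(array $server, array $query): array
{
    // Basic auth is only base64-encoded, so refuse to look at it without TLS.
    if (empty($server['HTTPS']) || strtolower($server['HTTPS']) === 'off') {
        return ['source' => 'none', 'reason' => 'not-https'];
    }
    // 1. PHP already split the header into user and password.
    if (isset($server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'])) {
        return ['source' => 'php_auth', 'user' => $server['PHP_AUTH_USER'],
                'pass' => $server['PHP_AUTH_PW']];
    }
    // 2. The raw header reached PHP unparsed; a rewrite adds the REDIRECT_ prefix.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (empty($server[$key]) || stripos($server[$key], 'Basic ') !== 0) {
            continue;
        }
        $decoded = base64_decode(trim(substr($server[$key], 6)), true);
        if ($decoded === false || strpos($decoded, ':') === false) {
            return ['source' => 'none', 'reason' => 'malformed-header'];
        }
        // Split on the first colon only: the password may contain ':'.
        [$user, $pass] = explode(':', $decoded, 2);
        return ['source' => strtolower($key), 'user' => $user, 'pass' => $pass];
    }
    // 3. Query-string fallback (parameter names assumed). Works, but the
    //    secret then appears in access logs and proxy logs.
    if (!empty($query['consumer_key']) && !empty($query['consumer_secret'])) {
        return ['source' => 'query', 'user' => $query['consumer_key'],
                'pass' => $query['consumer_secret']];
    }
    // Nothing visible: the client sent no credentials, or the web server
    // did not forward the Authorization header to PHP.
    return ['source' => 'none', 'reason' => 'no-credentials-visible'];
}

// Constructed sample inputs (not from the thread).
$stripped  = ['HTTPS' => 'on'];
$forwarded = ['HTTPS' => 'on', 'REDIRECT_HTTP_AUTHORIZATION' =>
    'Basic ' . base64_encode('ck_example:cs_exa:mple')];
foreach ([$stripped, $forwarded] as $env) {
    echo json_encode(resolve_basic_credentials($env, [])), PHP_EOL;
}
```

An endpoint could map the `no-credentials-visible` reason to an error that tells the integrator to check whether the web server forwards `Authorization` to PHP.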
