jskidd3 - 1 year ago
HTTP Question

Multiple parameters in Authorization header not working with Basic Auth

I am creating a basic API using Basic Auth over SSL. The API will be used in a mobile application and allow the creation of an account, with other fairly basic features.

I have decided to hard-code an API key into the mobile application to pass to the API to make it a bit harder for a hacker to access parts of the API that don't require a login (basic auth). Based on what I've read, the API key should be stored in the Authorization header in the HTTP request.

Authorization header:

Key ~@3o42jf!34vm3.!

My PHP API then reads the header and ensures that the key is correct. If it is, basic elements of the API are available.

The problem comes when trying to perform a task that requires a login to be passed to the API. My Authorization header then looks like this:

Key ~@3o42jf!34vm3.! Basic c3RhY2tAZ21haWwuY29tOnRlc3RpbmcxMjM=

The API can still read the key, but the email/password string that I access with
are now not set. Is the only way to get around this to read the header manually through

Answer Source

Since this is a custom header, you should use a separate identifier for it. For example:

X-Api-Key: ~@3o42jf!34vm3.!

And then you can leave the basic auth header as it is (since it indeed won't work if you insert custom data in it).

On the PHP side, your custom header can be accessed with $_SERVER['HTTP_X_API_KEY']

Also make sure that your request headers are in the correct format. It should be like this:

GET /api/v1/tickets HTTP/1.1
Authorization: Basic c3RhY2tAZ21haWwuY29tOnzzz3RpbmcxMjM=
X-Api-Key: z7='sL(=}24qv'3F
Cache-Control: no-cache
Postman-Token: e657c66f-2db1-bf76-78c5-777305b5bfe6
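
A server-side sketch of the two-header approach described in this answer, added here as an illustration and not part of the original answer. The function names and the key value are hypothetical, and the HTTP_AUTHORIZATION / REDIRECT_HTTP_AUTHORIZATION fallback assumes a CGI/FastCGI setup where the web server forwards the raw header:

```php
<?php
// Added example; names and the key value are constructed placeholders.
const EXPECTED_API_KEY = 'example-key-not-a-real-secret'; // load from config in practice

// Check the application key sent in its own X-Api-Key header.
function apiKeyIsValid(array $server): bool
{
    $sent = $server['HTTP_X_API_KEY'] ?? '';
    // hash_equals compares in constant time, avoiding a timing side channel.
    return is_string($sent) && hash_equals(EXPECTED_API_KEY, $sent);
}

// Return [user, password] from Basic auth, or null if absent or malformed.
function basicCredentials(array $server): ?array
{
    // PHP fills these in itself when it receives a header starting with "Basic ".
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    // Otherwise parse the raw header (assumed to be forwarded by the web server).
    $raw = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/]+=*)$/i', $raw, $m)) {
        return null; // a value such as "Key ... Basic ..." does not match
    }
    $decoded = base64_decode($m[1], true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2); // limit 2: the password may contain ':'
}

// Constructed sample requests (not captured traffic).
// Separate headers, as the answer recommends:
$separate = [
    'HTTP_X_API_KEY'     => 'example-key-not-a-real-secret',
    'HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('user@example.com:pass:word'),
];
// Key and Basic credentials packed into one Authorization header, as in the question:
$combined = [
    'HTTP_AUTHORIZATION' => 'Key example-key-not-a-real-secret Basic '
        . base64_encode('user@example.com:pass:word'),
];

foreach (['separate' => $separate, 'combined' => $combined] as $label => $req) {
    echo $label, ': key ', var_export(apiKeyIsValid($req), true),
         ', credentials ', json_encode(basicCredentials($req)), "\n";
}
```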