codeigniter-restserver: Authentication not working

I’ve been reading and searching for hours and have seen similar reports but no solution. Authentication does not seem to be working.

I have tried:

$config[‘rest_auth’] = ‘basic’; $config[‘auth_source’] = ‘’;

Using this, both postman as well as the browser just displays the page (shows me results) without asking for login or credentials.

When I use

$config[‘rest_auth’] = ‘digest’; $config[‘auth_source’] = ‘’;

I can enter any username / password combination and results are shown also (I am not denied access despite entering wrong credentials).

Not sure what I am missing here…

UPDATE:

Have also tested with this method described here:

https://github.com/chriskacerguis/codeigniter-restserver/issues/283

Using a library for authentication. It pops the login box as expected but will accept any username / password combination and it shows results (it doesn’t actually validate credentials).

UPDATE 2:

I enabled logging in the database to get a better sense of what is happening and I can see in succession one “authorized” request next to a NOT authorized request with response codes 200 and 403 respectively. However, visually all requests are showing me results, so I think something is wrong with the application and not correctly validating login and showing error message as expected.

UPDATE 3:

I’m a little burned from all the debugging but here is the info I can offer. Going back to basic auth to test the fundamentals, I am provided access regardless I send credentials or not via postman as well as the browser.

Each request I make, two entries are created in the database on the logs table. The first one is always a 403 code with “authorized” value of 0. Params are showing as follows (I’ve masked sensitive data):

a:10:{s:2:"id";s:1:"2";s:4:"Host";s:32:"**.sandbox.**.**";s:15:"X-Forwarded-For";s:14:"***";s:10:"Connection";s:5:"close";s:13:"cache-control";s:8:"no-cache";s:13:"Postman-Token";s:36:"a44d5bdb-ea53-4954-9829-f1239a668b10";s:13:"Authorization";s:22:"Basic YWRtaW46MTIyMw==";s:10:"User-Agent";s:20:"PostmanRuntime/7.1.5";s:6:"Accept";s:3:"*/*";s:15:"accept-encoding";s:13:"gzip, deflate";}

The second request with status code 200 and authorization value of 1 is:

I have no idea how to debug this any further but it is definitely not working as expected.

About this issue

Original URL
State: closed
Created 6 years ago
Comments: 15 (3 by maintainers)

Most upvoted comments

Hi All, I’ve been trying this library recently and also experienced same issue. After some debugging, I’ve found out that the problem lies with how Codeigniter set output value. Codeigniter use output class to working with output. By default, these output class’s method are called internally when use $this->load->view() method.

But, this library is not using view method, it uses it’s own $this->response() method. In this method, we can see that it uses method from output class:

    public function response($data = NULL, $http_code = NULL)
    {
	ob_start();
...
...
        // Output the data
        $this->output->set_output($output);

        ob_end_flush();
    }

As we can see from the codeigniter user guide, this method comes with a warning:

If you do set your output manually, it must be the last thing done in the function you call it from. For example, if you build a page in one of your controller methods, don’t set the output until the end.

When we use basic authentication , method $this->response() is called twice. The first one is when REST_Controller is constructed and go to $this->_prepare_basic_auth();. And the second one is in our API method to send out whatever result we wanted. So basically, the output is replaced with the latest $this->response() call, and by this is the result that we want to show if we pass the authentication and the authentication is not work. So if you try to call an empty API method like this:

       public function user_get(){
           // empty method
       }

the authentication is working fine.

So my workaround is to add a check to response method to check if output is already been set (either by authentication or error message) using codeigniter $this->output->get_output() method. If yes, we will send out that output instead.

So, this is my response method look like:

    public function response($data = NULL, $http_code = NULL)
    {
        if ($this->output->get_output()!=null) {
            return;
        }
	ob_start();
...
...
...
        ob_end_flush();

        // Otherwise dump the output automatically
    }

And the authentication is working fine now.

ainulhamdani on May 9, 2019

Evidently sometimes the Authorization header can be stripped? I had success adding the following to my .htaccess:

RewriteCond %{HTTP:Authorization} ^(.+)$ RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

I had to come back to this thread because it stopped working for me on my applications and after much debugging this .htaccess code did the trick for me.

Before adding it, my usr:pwd combination was not giving me access and also enabling: allow_auth_and_keys to allow both authentication as well as keys was not working either.

After applying the above rules on the .htaccess, it started working across the board, so thank you!

momon on Apr 8, 2020

I have a similar problem when using the basic authentication, the server is removing the header, I found a solution here, https://hetzner.co.za/help-centre/website/php_auth-fastcgi/, but this implies the modification of the class REST_Controller.php, I wonder if the author has another solution or can add these instructions to the code. Note function _prepare_basic_auth would have to add the field in REDIRECT_HTTP_AUTHORIZATION

yurisnel on Jun 20, 2019

Evidently sometimes the Authorization header can be stripped? I had success adding the following to my .htaccess:

RewriteCond %{HTTP:Authorization} ^(.+)$ RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

antiartificial on Nov 2, 2018

I think I found a way to make it work (it definitely works for me).

At the end of function _remap($object_called, $arguments = []) there’s a bit of code which seems to actually call the controller method and passed arguments no matter what happens(Line: 795). As I’m not entirely sure what are the cases covered by the function’s logic, I switched a variable on false every time an error response was called and then modified the last bit to only run if no responses were already sent:

if ($go)
        {
            // Call the controller method and passed arguments
            try
            {
                call_user_func_array([$this, $controller_method], $arguments);
            }
            catch (Exception $ex)
            {
                if ($this->config->item('rest_handle_exceptions') === FALSE) {
                    throw $ex;
                }
                // If the method doesn't exist, then the error will be caught and an error response shown
                $_error = &load_class('Exceptions', 'core');
                $_error->show_exception($ex);
            }
        }

So, basically I added that $go variable which I initialized on true and switched on false every time a response happened:

$response = [$this->config->item('rest_status_field_name') => FALSE, $this->config->item('rest_message_field_name') => $this->lang->line('text_rest_ip_address_time_limit')];
$this->response($response, self::HTTP_UNAUTHORIZED);
$go = false;

One might still get 2 rows in the logs(because of the function’s logic) but now, the second response code should be 0 instead 200.

zodus on Aug 25, 2018