0

I'm using MAMP 3 (Pro) on Mac OS X Yosemite 10.10; I've already compiled and installed mod_proxy_html (3.1.2) and mod_xml2enc, and they are both correctly loaded by Apache 2.2.29 without issues.

This is my typical html file:

<!DOCTYPE HTML>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
    <meta http-equiv="Authorization" content="Bearer dummyToken">
    <title>Header Test</title>
</head>
<body>
</body>

I need to convert all the <meta http-equiv="some" content="thing"> tags to real HTTP headers. I already know how to do this via AJAX; that's not a problem. But I need to add an OAuth token, inside the Authorization header field, to get access to various protected resources, like images or video streams, that are not served through AJAX but referenced, through a URL, directly inside the HTML.

So, directly inside my httpd.conf I have:

ProxyHTMLEnable On
ProxyHTMLMeta On

This config should apply globally to Apache. At the moment my server replies with all the fields contained inside the request: it seems that ProxyHTMLMeta On is ignored and the meta tags are not translated into HTTP headers:

Accept: "*/*"
Accept-Encoding: "identity;q=1, *;q=0"
Accept-Language: "it,en;q=0.8"
Connection: "keep-alive"
Cookie: "laravel_session=dummy
DNT: "1"
Host: "192.168.2.2:8888"
Range: "bytes=0-"
User-Agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2535.0 Safari/537.36"

See, no Authorization header. If I call the api from SoapUI:

"Accept-Encoding": "gzip,deflate",
"Authorization": "Bearer dummy",
"Host": "fillusso:8888",
"Connection": "Keep-Alive",
"User-Agent": "Apache-HttpClient/4.1.1 (java 1.5)"

It's a kind of magic, the header is there (because it is sent directly from SoapUI, no parsing or meta tag here).

How can I solve the problem? Am I doing everything all right?

0

Hi,

I'm not sure I've understood what you are trying to do. The http-equiv meta:

it is a pragma directive, i.e. information normally given by the web server about how the web page should be served.

Source: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta

So, it defines the rendering of the page, not the header of the request that can start from the page.

But I need to add an OAuth token, inside the Authorization header field, to get access to various protected resources, like images or video streams, that are not served through AJAX but referenced, through a URL, directly inside the HTML.

i.e. is this a clickable link?

Are you going to use PHP? If affirmative then set the headers through a curl request to get the response from the remote service, then output the results:

0

I have to set a header field when trying to access a protected image or video <img src=""> on a plain HTML page. This header is used by the PHP server to authenticate the user (it's a token). So:

<meta http-equiv="Authorization" content="Bearer token"> in the HTML page, then this tag should be processed by Apache and translated into a real header field so the PHP application can find the expected header field and authenticate the user.

And curl doesn't solve my problem ;)

0

So, the restricted resource is served by your server, correct? I don't see how a meta tag could be processed by the server: the HTML page is the output of the server, it's the response to the client request.

When a client asks for access to a page it sends:

  • method (GET, POST)
  • address
  • query string and/or body
  • headers

If the page is returning the auth in its meta tags, it's just because your script prints that value in the meta tag:

<meta http-equiv="Authorization" content="<?php echo htmlspecialchars($_SERVER['HTTP_AUTHORIZATION'], ENT_QUOTES); ?>">

But this will not affect the request flow. Unless you don't want to parse the HTML source and then use it in your scripts.

As I'm not sure I have understood your request: does someone want to help?

0

I have a web app for mobile phones that, through a REST API, using OAuth, requests resources from the server. This server also provides the video streams, and the app needs to authenticate itself to access those streams. It's necessary to have the token inside the header.

If I do an AJAX request from my HTML+JavaScript client to my PHP server running Laravel I can authenticate; if the app requests a source like <video><source=""></video> the token is not set in the header.

To accomplish this, I set the token inside the meta tag and the server processes this tag. In theory. Reading your comments I have a doubt, if I have something like this on my web app:

<!DOCTYPE HTML> 
<html> 
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> 
    <meta http-equiv="Authorization" content="Bearer dummyToken">
    <title>Header Test</title> 
</head> 
<body>
     <video controls>
          <source src="http://localhost:8888/video/123">
     </video>
</body>

Is the meta tag sent to the server? If not, I'm trying to do something impossible, misunderstanding the client-server flow.

0

Have you tried to request the video through AJAX? The video link should be a script not a direct access to the file, for example:

<?php

# remove below comment to set the header and try the script
# $_SERVER['HTTP_AUTHENTICATION'] = 'test';

/**
 * verify token example
 * 
 * @param  string $token
 * @return bool
 */
function verify_auth($token)
{
    # strict comparison, so only an exact string match is accepted
    return in_array($token, ['test', 'abc'], TRUE);
}

# the token is read from a request header named "Authentication"
if(array_key_exists('HTTP_AUTHENTICATION', $_SERVER) === FALSE || verify_auth($_SERVER['HTTP_AUTHENTICATION']) === FALSE)
{
    header('HTTP/1.1 401 UNAUTHORIZED', TRUE, 401);
    die();
}

$path = '../videos/';
# keep only the base name, so the request cannot point outside $path
$name = (isset($_GET['v']) && is_string($_GET['v'])) ? $_GET['v'] : '';
$file = pathinfo($name, PATHINFO_BASENAME);
$resource = $path . $file;

# is_file() also rejects an empty name, which would resolve to the directory itself
if(is_file($resource))
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($resource);
    header('Content-Type: '.$mime);
    header('Content-Length: '.filesize($resource));
    readfile($resource);
}

else
{
    header('HTTP/1.1 404 NOT FOUND', TRUE, 404);
    die();
}

Example link for the above script looks like this: http://localhost:8888/video.php?v=file.mp4

0

I've tried requesting it using AJAX, and it works, I already said that. But if I request it through AJAX (using Angular) the browser (on the mobile phone) downloads the whole video before playing it (it doesn't play while buffering), and if the video is really big it's a problem.

0

the browser (on the mobile phone) downloads all the video before playing it (doesn't play while buffering), and if the video is really big it's a problem.

Ok, I don't have much experience with this but, in the case of .mov or .mp4 files, it seems related to metadata position:

If the production server platform will be linux, for fixing the videos, then look at avconv rather than ffmpeg because it now has better support:

Apart from that, you could set the headers in a previous step, save them in session and change the above IF statement to something like:

if(array_key_exists('AUTHENTICATION', $_SESSION))
    # allow access to video resource

Otherwise you could submit the token through a cookie. Not sure it makes sense for your app, but I don't see other methods.

Wait to see if someone else wants to suggest other solutions, I'm sorry but, for the moment, I don't have other suggestions. Bye!

Edited by cereal
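
The session approach suggested in the reply above, as an added example that is not part of the thread: the token is sent once in a header by an AJAX call, and the later `<video>` request is authorized by the session cookie the browser attaches on its own. The `login` query parameter and the token list are constructed for illustration; PHP 7.3+ (array form of `session_set_cookie_params`) and serving the page and this script from the same site are assumptions.

```php
<?php
# Added example; the 'login' parameter and the token list are constructed.
function verify_auth($token)
{
    # constant-time comparison against each known token
    foreach (['test', 'abc'] as $known) {
        if (is_string($token) && hash_equals($known, $token)) {
            return TRUE;
        }
    }
    return FALSE;
}

# HttpOnly keeps the session id away from page scripts; the browser still
# attaches the cookie to <video> and <img> requests by itself.
session_set_cookie_params(['httponly' => TRUE, 'samesite' => 'Lax']);
session_start();

# Step 1, called once through AJAX with the token in the request header.
if (isset($_GET['login'])) {
    $token = isset($_SERVER['HTTP_AUTHENTICATION']) ? $_SERVER['HTTP_AUTHENTICATION'] : '';
    if (verify_auth($token) === FALSE) {
        header('HTTP/1.1 401 UNAUTHORIZED', TRUE, 401);
        die();
    }
    session_regenerate_id(TRUE);         # fresh session id after authentication
    $_SESSION['AUTHENTICATION'] = TRUE;  # store the outcome, not the token
    header('HTTP/1.1 204 NO CONTENT', TRUE, 204);
    die();
}

# Step 2, e.g. <video src="video.php?v=file.mp4">: no custom header arrives,
# only the session cookie from step 1.
if (empty($_SESSION['AUTHENTICATION'])) {
    header('HTTP/1.1 401 UNAUTHORIZED', TRUE, 401);
    die();
}
session_write_close();  # release the session lock before streaming

$name = (isset($_GET['v']) && is_string($_GET['v'])) ? $_GET['v'] : '';
$resource = '../videos/' . pathinfo($name, PATHINFO_BASENAME);
if (is_file($resource) === FALSE) {
    header('HTTP/1.1 404 NOT FOUND', TRUE, 404);
    die();
}
header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($resource));
header('Content-Length: ' . filesize($resource));
readfile($resource);
```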
