Problem with authorization header

Timothy_J_Kearns · December 17, 2019, 7:06am

After boiling down a problem to it’s simplest form I used the example from the docs and run my requests through ngrok to prove my theory.

When using the encodeBase64 on the sbId and sbkey the
request fails to reach ngrok and I get a 400 Bad request … (not sure where that comes from)
if I remove the encoding and send just sbId + “:” + sbKey the request displays in ngrok

[code]dim sbId As String =“ZABejjVi5nGv60shPI4oEAStnjGsCvziIFCquP8KsP2On8J6V4z”
dim sbKey As String=“ZbmJAXkMiUjszfyvdBvbbw4A13Dqu0Rh8XQxN4MGM”
dim authString As String =EncodeBase64(sbId + “:” + sbKey)

Dim form As Dictionary
Dim socket1 As New SecureSock
// create and populate the form object
form = New Dictionary
form.Value(“firstname”) = “Jim”
form.Value(“lastname”) = “Brown”
socket1.SetRequestHeader(“Authorization”, "Basic " + authString) // (sbId + “:” + sbKey))//+
// setup the socket to POST the form
socket1.SetFormData(form)
dim url as String
url=“https://7d757d0cd.ngrok.io”
dim results as string= socket1.post(url,10)[/code]

Any help would be greatly appreciated.

TIA
TK

Andrew_Lambert · December 17, 2019, 9:00am

EncodeBase64 wraps long lines by inserting an end-of-line character, but HTTP headers cannot contain an end-of-line (hence 400 Bad Request). Try:

dim authString As String =EncodeBase64(sbId + ":" + sbKey) authString = ReplaceLineEndings(authString, "")

Emile_Schwarz · December 17, 2019, 9:35am

I suppose the above is a simple typo here

John_A_Knight_Jr · December 17, 2019, 9:51am

Xojo has a second parameter to EncodeBase64 for the number of characters per ‘line’. Use 0 for no breaks.

dim authString As String = EncodeBase64(sbId, 0) + ":" + EncodeBase64(sbKey, 0)

Basic ‘Auth’ also won’t work if you encode the ‘:’

Thom_McGrath · December 17, 2019, 12:00pm

This is incorrect. RequestHeader(Authorization) = Basic + EncodeBase64(Username + : + Password, 0) is the correct implementation.

Timothy_J_Kearns · December 17, 2019, 5:44pm

Thanks!

Looks like this should at least get passed that roadblock.

Just curious about where the 400 comes from, (Is that a server or httpsock generated error?)

Thom_McGrath · December 17, 2019, 5:53pm

That is the server. 400 means bad request but it really could mean anything. 400 is often used for general error caused by the client and 500 is usually general error caused by the server.

Thom_McGrath · December 17, 2019, 5:55pm

I realized this could be misleading when I said its the server, then that 400 is a client error. So just to clarify, 400 is the server saying Id like to fulfill this request, but I cant because what you requested doesnt make sense.

WHY it doesnt make sense is the mystery.

John_A_Knight_Jr · December 17, 2019, 8:31pm

Apologies, I shouldn’t post from memory when I’m dead tired
It’s been a couple of years since I had to implement that.

Unexpected line breaks in the header probably make an unusable request.

Thom_McGrath · December 17, 2019, 8:32pm

You’re likely correct, but my description was meant as more of a general meaning of a 400 status.