Well, with the help of Inkeliz, given in this question, I got authentication with Twitter via form.
File login.php:
<?php
require_once '../modules/config.php';
require_once '../modules/class/Cookies.php';

$cookie = [];
// filter_input() returns null when the field is absent; cast before trim()
$username = trim((string) filter_input(INPUT_POST, 'username'));
$password = trim((string) filter_input(INPUT_POST, 'password'));

// The username names the cookie-jar file below, so only accept handle characters
if (!preg_match('/^[A-Za-z0-9_]{1,15}$/', $username)) {
    http_response_code(400);
    exit;
}

$index_url = 'https://twitter.com';
$token = curl_init();
curl_setopt_array($token, [
    CURLOPT_URL            => $index_url,
    CURLOPT_CUSTOMREQUEST  => 'GET',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // was false; disabling it allows a man-in-the-middle to read the credentials
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
    //CURLOPT_COOKIEFILE   => __DIR__ . DIRECTORY_SEPARATOR . 'cookies' . DIRECTORY_SEPARATOR . $username . '.txt',
    CURLOPT_COOKIEJAR      => __DIR__ . SEPARATOR . 'cookies' . SEPARATOR . $username . '.txt',
    CURLOPT_COOKIESESSION  => true,
    CURLOPT_REFERER        => $index_url,
    CURLOPT_HEADER         => true,
    CURLOPT_HTTPHEADER     => ['Cookie:' . http_build_query($cookie, '', ';') . ';'],
    // Collect every Set-Cookie header of the response into $cookie
    CURLOPT_HEADERFUNCTION => function ($curl, $header) use (&$cookie) {
        if (stripos($header, 'Set-Cookie:') === 0) {
            if (preg_match('/Set-Cookie:\s?(.*?)=(.*?);/i', $header, $matches)) {
                $cookie[$matches[1]] = urldecode($matches[2]);
            }
        }
        return strlen($header);
    }
]);
$access = curl_exec($token);

// The login form's CSRF token is embedded in the page; guard against a missing match
preg_match('/value="(.*?)" name="authenticity_token"/', $access, $matches);
$authenticity_token = $matches[1] ?? '';

// Build the form body with http_build_query so a password containing & or = is encoded
$session_post = http_build_query([
    'session[username_or_email]' => $username,
    'session[password]'          => $password,
    'return_to_ssl'              => 'true',
    'scribe_log'                 => '',
    'redirect_after_login'       => '/',
    'authenticity_token'         => $authenticity_token,
]);
$session_url = 'https://twitter.com/sessions';
curl_setopt_array($token, [
    CURLOPT_URL            => $session_url,
    CURLOPT_CUSTOMREQUEST  => 'POST',
    CURLOPT_POSTFIELDS     => $session_post,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => [
        "Content-type: application/x-www-form-urlencoded",
        'Cookie: ' . http_build_query($cookie, '', ';') . ';',
    ],
    CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
    CURLOPT_HEADER         => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_MAXREDIRS      => 2,
    CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_POSTREDIR      => 2,
    CURLOPT_AUTOREFERER    => 1
]);
$auth = curl_exec($token);

// A successful login sets the auth_token cookie; the header callback above has captured it
if (isset($cookie['auth_token'])) {
    $twid = filter_var($cookie['twid'] ?? '', FILTER_SANITIZE_NUMBER_INT);
    Cookies::set('login_token', $cookie['ct0']);
    Cookies::set('kdt', $cookie['kdt'] ?? '');
    Cookies::set('user_id', $twid);
    Cookies::set('auth_token', $cookie['auth_token']);
    Cookies::set('username', $username);
    $_SESSION[SITE_TITLE . '_session'] = $username;
    echo json_encode(array(
        "status"  => "success",
        "message" => "Autenticação bem sucedida, estamos te redirecionando.",
    ));
} else {
    echo json_encode(array(
        "status"  => "error",
        'message' => "Não foi possível autenticar com o Twitter.",
    ));
}
Note that I saved two tokens in cookies: auth_token and login_token, where auth_token = $authenticity_token and login_token = cookie[ct0]; ct0 comes from Twitter.
Login is OK. Then I have the cURL to obtain information from the logged-in user, which I was also able to do with the help of my question answered by Anderson Carlos Woss; that is also OK, I recover screen_name, name, foto, among others...
Now comes my question: I know that to use the API you need a token, and I also know that this token is the cookie ct0, but I don't know how to use it; see my code.
File Friend.php
<?php
require_once '../modules/config.php';
require_once '../modules/class/Cookies.php';

$username = Cookies::get('username');
// The cookie is client-controlled and names a file below, so validate it first
if (!preg_match('/^[A-Za-z0-9_]{1,15}$/', (string) $username)) {
    http_response_code(400);
    exit;
}
$cookie_jar = __DIR__ . SEPARATOR . 'cookies' . SEPARATOR . $username . '.txt';

$friend_url = 'https://api.twitter.com/1.1/friendships/create.json';
$friend = curl_init();
curl_setopt_array($friend, [
    CURLOPT_URL            => $friend_url,
    CURLOPT_SSL_VERIFYPEER => 1,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_CAINFO         => ROOT . 'modules' . SEPARATOR . 'cacert' . SEPARATOR . 'cacert-2017-06-07.pem',
    CURLOPT_CUSTOMREQUEST  => 'POST',
    CURLOPT_POSTFIELDS     => http_build_query(['screen_name' => $username]),
    CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
    // COOKIEJAR only writes cookies at the end; COOKIEFILE is what reads the saved ones back in
    CURLOPT_COOKIEFILE     => $cookie_jar,
    CURLOPT_COOKIEJAR      => $cookie_jar,
    CURLOPT_COOKIESESSION  => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_HTTPHEADER     => [
        // The body is form-encoded, so declare it as such (was application/json)
        "Content-type: application/x-www-form-urlencoded",
    ],
    CURLOPT_HEADER         => 0,
]);
$response = curl_exec($friend);
var_dump($response);
When running the code in the browser it returns the error 215 Bad Authentication data.
Well, as I know it's the cookie[ct0], what should I use? Take a look at this question on the English SO, a lot of (gambiarra) that I'm sure can be solved with cURL alone.
EDIT 1
Class Cookies.php
<?php
class Cookies {
    // Values set during this request, so get() works before the browser sends them back
    private static $storage = array();

    public static function get($key) {
        if (isset($_COOKIE[$key])) {
            return $_COOKIE[$key];
        }
        if (isset(static::$storage[$key])) {
            return static::$storage[$key];
        }
        return null;
    }

    public static function set($key, $value) {
        static::$storage[$key] = $value;
        // Two-hour cookie on the whole site; note that no Secure or HttpOnly flag is set,
        // so these tokens are readable by page scripts and sent over plain HTTP too
        setcookie($key, $value, time() + (2 * 3600), '/');
    }

    public static function remove($key, $value = '') {
        // An expiry in the past makes the browser delete the cookie
        setcookie($key, $value, time() - 3600, '/');
    }
}
EDIT 2
As Inkeliz mentioned in the comments, the token is in a JS file, and I was able to extract this token, but how should I use it now? Does anyone have any idea? See my code:
<?php
require_once './system/config.php';

$TwitterUser = null;
if (isset($_SESSION[SITE_TITLE . '_SESSION'])) {
    $TwitterUser = $_SESSION[SITE_TITLE . '_SESSION'];
}

// Fetch the init JS that carries the token
$twitter_url_js = 'https://abs.twimg.com/k/pt/init.pt.8a8c7bc568e38012a94b.js';
$getToken = curl_init();
curl_setopt_array($getToken, [
    CURLOPT_URL            => $twitter_url_js,
    CURLOPT_CUSTOMREQUEST  => 'GET',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // was false; keep certificate checks on
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
    CURLOPT_HEADER         => true,
]);
$token = curl_exec($getToken);

// 114-character token; the class is [A-Za-z0-9%] (A-z would also match [ \ ] ^ _ `)
preg_match('/\"([A-Za-z0-9%]{114})\";/', $token, $matches);
$auth_token = $matches[1] ?? null;

$friend_post = http_build_query([
    'screen_name' => $TwitterUser
]);

// Note: $auth_token is extracted above but not sent with this request
$twitter_friend_url = 'https://api.twitter.com/1.1/friendships/create.json';
curl_setopt_array($getToken, [
    CURLOPT_URL            => $twitter_friend_url,
    CURLOPT_CUSTOMREQUEST  => 'POST',
    CURLOPT_POSTFIELDS     => $friend_post,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
    CURLOPT_HEADER         => true,
]);
$friend = curl_exec($getToken);
var_dump($friend);
Well, with var_dump($friend); I receive this as the answer:
'HTTP/1.1 400 Bad Request
content-length: 62
content-type: application/json; charset=utf-8
date: Sun, 16 Jul 2017 23:41:51 GMT
server: tsa_d
set-cookie: guest_id=v1%3A150024851187284588; Domain=.twitter.com; Path=/; Expires=Tue, 16-Jul-2019 23:41:51 UTC
strict-transport-security: max-age=631138519
x-connection-hash: 8c0410547b9456c4ac13f360b8c8dbc3
x-response-time: 132
x-tsa-request-body-time: 0
{"errors":[{"code":215,"message":"Bad Authentication data."}]}' (length=472)
EDIT 3
I changed some of the HTTP information and now it returns 200 OK:
$twitter_friend_url = 'https://api.twitter.com/1.1/friendships/create.json';
curl_setopt_array($getToken, [
    CURLOPT_URL            => $twitter_friend_url,
    // OPTIONS is the CORS preflight the browser sends before the real POST;
    // it carries no credentials and only asks which methods/headers are allowed
    CURLOPT_CUSTOMREQUEST  => 'OPTIONS',
    CURLOPT_HTTPHEADER     => [
        'Access-Control-Request-Method: POST',
        'Access-Control-Request-Headers: authorization,x-csrf-token,x-twitter-active-user,x-twitter-auth-type',
        'DNT: 1',
        'Origin: https://twitter.com'
    ],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // was false; keep certificate checks on
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_USERAGENT      => $_SERVER['HTTP_USER_AGENT'],
    CURLOPT_HEADER         => true,
]);
$friend = curl_exec($getToken);
var_dump($friend);
This token is not a cookie; this token is in the Twitter JS, and this JavaScript needs the cookie. :)
– Inkeliz
Any idea how to do it? @Inkeliz
– user76271
What would be the difficulty? The token is here (https://abs.twimg.com/k/pt/init.pt.8a8c7bc568e38012a94b.js), just search for "AAAAAAAAAAAA"; I believe a /\"([A-z0-9%]{114})\";/ solves the case. CT0, I believe, is used as the CSRF token. I don't know if the name of this JS changes, so if you can't access it, look at the traffic (F12 > Network) and find the first JS that is usually fetched, the one with the prefix init.
– Inkeliz
@Inkeliz, yes I tried; the difficulty is that I can't use the token with cURL. If you have a basic answer to my question, I can put my code on Mediafire tomorrow for you to take a closer look.
– user76271
@Inkeliz I edited my question; see that I extracted the token as you mentioned in the comments, but how do I use cURL to do what I need, without those gambiarras used in the question on the English SO? Well, for more details I need an answer, which I believe you have.
– user76271
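The thread establishes three things: the token in the init JS, ct0 as the CSRF token, and (from the preflight in EDIT 3) the header names authorization and x-csrf-token. The following is an added example, not the asker's code or anything from Twitter, that ties those pieces together in PHP. It reads auth_token and ct0 back out of the Netscape-format jar that CURLOPT_COOKIEJAR writes, extracts the token with the regex from the comments (character class corrected to [A-Za-z0-9%]), assembles the headers, and shows the server-side double-submit check that explains why ct0 has to be sent both as a cookie and as x-csrf-token. It assumes the JS token is sent as "Authorization: Bearer <token>"; the header values are not verified against the live API here, and the jar, token and cookie values are constructed samples. The username check in cookieJarPath is the fix the page's own scripts need, since there the POSTed username is spliced straight into a file path.

```php
<?php
// Added example for this thread, not the asker's code. Ties together what the
// thread established: the bearer token lives in Twitter's init JS, ct0 is the
// CSRF token, and the preflight in EDIT 3 lists the headers the API expects
// (authorization, x-csrf-token). Header values are assumptions, not verified here.
declare(strict_types=1);

/** Cookie-jar path: the username names a file, so only a valid handle is accepted. */
function cookieJarPath(string $dir, string $username): string
{
    // Twitter handles are 1-15 characters of [A-Za-z0-9_]; anything else is rejected
    if (!preg_match('/^[A-Za-z0-9_]{1,15}$/', $username)) {
        throw new InvalidArgumentException('invalid username for cookie jar');
    }
    return $dir . DIRECTORY_SEPARATOR . $username . '.txt';
}

/** Parse the Netscape-format jar that CURLOPT_COOKIEJAR writes into name => value. */
function parseCookieJar(string $jarText): array
{
    $cookies = [];
    foreach (preg_split('/\r?\n/', $jarText) as $line) {
        // libcurl prefixes HttpOnly cookies with "#HttpOnly_"; other "#" lines are comments
        if (strncmp($line, '#HttpOnly_', 10) === 0) {
            $line = substr($line, 10);
        } elseif ($line === '' || $line[0] === '#') {
            continue;
        }
        // domain, include-subdomains, path, secure, expiry, name, value
        $fields = explode("\t", $line);
        if (count($fields) !== 7) {
            continue;
        }
        [, , , , $expiry, $name, $value] = $fields;
        if ((int) $expiry !== 0 && (int) $expiry < time()) {
            continue; // expired; 0 marks a session cookie
        }
        $cookies[$name] = $value;
    }
    return $cookies;
}

/** Pull the token out of the init JS (regex from the comments, character class corrected). */
function extractBearerToken(string $js): ?string
{
    return preg_match('/"([A-Za-z0-9%]{114})";/', $js, $m) ? $m[1] : null;
}

/** Request headers for an authenticated call: bearer token, CSRF token, session cookies. */
function buildAuthHeaders(string $bearer, array $cookies): array
{
    foreach (['auth_token', 'ct0'] as $required) {
        if (empty($cookies[$required])) {
            throw new RuntimeException("missing cookie: $required");
        }
    }
    $pairs = [];
    foreach ($cookies as $name => $value) {
        $pairs[] = $name . '=' . $value; // jar values are stored as the server sent them
    }
    return [
        'Authorization: Bearer ' . $bearer,  // assumption: JS token sent as a Bearer token
        'x-csrf-token: ' . $cookies['ct0'],  // must equal the ct0 cookie (double submit)
        'Cookie: ' . implode('; ', $pairs),
        'Content-Type: application/x-www-form-urlencoded',
    ];
}

/** Server side of the double-submit pattern: the header copy must match the cookie copy. */
function csrfCheckPasses(array $requestCookies, array $requestHeaders): bool
{
    $cookie = $requestCookies['ct0'] ?? '';
    $header = $requestHeaders['x-csrf-token'] ?? '';
    // A cross-site form can make the browser send cookies but cannot read them,
    // so it cannot put the matching value into the header
    return $cookie !== '' && hash_equals($cookie, $header);
}

// Constructed sample input (not a real jar, token or cookie values)
$sampleJar = "# Netscape HTTP Cookie File\n"
    . ".twitter.com\tTRUE\t/\tTRUE\t0\tct0\tSAMPLE_CT0\n"
    . "#HttpOnly_.twitter.com\tTRUE\t/\tTRUE\t0\tauth_token\tSAMPLE_AUTH\n";
$sampleJs = 'o="' . str_repeat('A', 114) . '";';

$bearer = extractBearerToken($sampleJs);
if ($bearer === null) {
    exit('token not found in JS');
}
$cookies = parseCookieJar($sampleJar);
$headers = buildAuthHeaders($bearer, $cookies);
// Apply to a handle with: curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
var_dump($headers);
var_dump(csrfCheckPasses(['ct0' => 'SAMPLE_CT0'], ['x-csrf-token' => 'SAMPLE_CT0']));
var_dump(csrfCheckPasses(['ct0' => 'SAMPLE_CT0'], []));
```

In the page's scripts the jar is written by login.php and never read back, because CURLOPT_COOKIEJAR only writes; parseCookieJar (or CURLOPT_COOKIEFILE pointing at the same path) is what gets auth_token and ct0 into the API request. The csrfCheckPasses function is the reason the token appears twice: the server compares the header against the cookie, so a request that carries the session cookie but not a matching x-csrf-token is rejected, which is exactly what a cross-site form submission would look like.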