phpList 3.4.3 API

ℹ️ Support
1

phpList 3.4.3
PHP 7.3

phpList “user” is a Super Admin user.

I want to receive mailing lists through API.
I get the following error:
string(89) “{“expiry”:“2019-06-20T06:14:37+00:00”,“key”:“c41e6707d76104cb6ec7b20afb6b0392”,“id”:1614}” string(34) “{“code”:403,“message”:“Forbidden”}”

<?php
	$api_path = 'https://domain.com/lists/api/v2/';
	$loginName = 'name';
	$loginPass = 'pass';
	
	// login
	
	$credentials = base64_encode($loginName . ':' . $loginPass);
	$curl = curl_init();
	curl_setopt_array($curl, array(
		CURLOPT_URL => $api_path . "sessions",
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_ENCODING => "",
		CURLOPT_MAXREDIRS => 10,
		CURLOPT_TIMEOUT => 0,
		CURLOPT_FOLLOWLOCATION => false,
		CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
		CURLOPT_CUSTOMREQUEST => "POST",
		CURLOPT_POSTFIELDS =>"{\n    \"login_name\": \"$loginName\",\n    \"password\": \"$loginPass\"\n}",
		CURLOPT_HTTPHEADER => array(
			"Content-Type: application/json",
			"Authorization: Basic $credentials"
		),
	));
	$response = curl_exec($curl);
	curl_close($curl);
	
        var_dump($response);	
        $response = json_decode($response);
	
	// call API
	
	$credentials = base64_encode($loginName . ':' . $response->key);
	$curl = curl_init();
	curl_setopt_array($curl, array(
		CURLOPT_URL => $api_path . "lists",
		//CURLOPT_URL => $api_path . "lists/1/members",
		CURLOPT_RETURNTRANSFER => true,
		CURLOPT_ENCODING => "",
		CURLOPT_MAXREDIRS => 10,
		CURLOPT_TIMEOUT => 0,
		CURLOPT_FOLLOWLOCATION => false,
		CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
		CURLOPT_CUSTOMREQUEST => "GET",
		CURLOPT_POSTFIELDS => '',//"{\n    \"loginName\": \"$loginName\",\n    \"password\": \"$loginPass\"\n}",
		CURLOPT_HTTPHEADER => array(
			"Content-Type: application/json",
			"Authorization: Basic $credentials"
		),
	));
	
	$response = curl_exec($curl);
	curl_close($curl);
	var_dump($response);
?>
2

I’m not sure your authentication code is correct in the second call. I think only the token is required for the basic authentication, not the login name as well. Might be wrong, check the example api client on GitHub.

3

I’ve checked the following example, and I believe that my code is correct:

//Use session key as password for basic auth
$credentials = base64_encode($loginname . ':' . $key);
// Get list info  where id=1
$listInfo = $client->get($base_uri . '/lists/1',
    [
        'headers' => [
            'Authorization' => 'Basic ' . $credentials,
            'Content-Type' => 'application/json',
        ],
    ]);
5

Should sessions be stored in the “lists/base/var/session” folder?
“lists/base/var/session” has only an empty “prod” directory in my case.

6

I created a new example. It has only “login” and “logout” calls. “logout” does not work. Why?

Result:

string(89) "{"expiry":"2019-06-24T15:29:15+00:00","key":"aa07ee7b3fdbfd626f0a1a7709e16f0d","id":1736}"
string(34) "{"code":404,"message":"Not Found"}"

Script:

    <?php
    	$api_path = 'http://domain.com/lists/api/v2/';
    	$loginName = 'name';
    	$loginPass = 'pass';
    	
    	// login
    	
    	$credentials = base64_encode($loginName . ':' . $loginPass);
    	$curl = curl_init();
    	curl_setopt_array($curl, array(
    		CURLOPT_URL => $api_path . "sessions",
    		CURLOPT_RETURNTRANSFER => true,
    		CURLOPT_ENCODING => "",
    		CURLOPT_MAXREDIRS => 10,
    		CURLOPT_TIMEOUT => 0,
    		CURLOPT_FOLLOWLOCATION => false,
    		CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    		CURLOPT_CUSTOMREQUEST => "POST",
    		CURLOPT_POSTFIELDS =>"{\n    \"login_name\": \"$loginName\",\n    \"password\": \"$loginPass\"\n}",
    		CURLOPT_HTTPHEADER => array(
    			"Content-Type: application/json",
    			"Authorization: Basic $credentials"
    		),
    	));
    	$response = curl_exec($curl);
    	curl_close($curl);
    	
    	var_dump($response);
    	$response = json_decode($response);		
    	
    	$key = $response->key;
    	$credentials = base64_encode($loginName . ':' . $key);
    	
    	// logout
    	
    	$url = $api_path . "sessions/" . $key;
    	//var_dump($url);
    	
    	$curl = curl_init();
    	curl_setopt_array($curl, array(
    		CURLOPT_URL => $url,
    		CURLOPT_RETURNTRANSFER => true,
    		CURLOPT_ENCODING => "",
    		CURLOPT_MAXREDIRS => 10,
    		CURLOPT_TIMEOUT => 0,
    		CURLOPT_FOLLOWLOCATION => false,
    		CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
    		CURLOPT_CUSTOMREQUEST => "DELETE",
    		CURLOPT_POSTFIELDS => '',
    		CURLOPT_HTTPHEADER => array(
    			"Content-Type: application/json",
    			"Authorization: Basic $credentials"
    		),
    	));
    	$response = curl_exec($curl);
    	curl_close($curl);
    	var_dump($response);
    ?>
7

Unfortunately without running your code locally I cannot easily check this. I think you’ll need to continue debugging on your own unless someone else steps in to assist.

8

Hello All,
I have the same problem.
I have installed PHPList in Docker container based on CentOS 7, PHP 7.3.6, 5.5.60-MariaDB,
enabled PHP API following instruction on the page: manual/ch049_api-and-integrations.xhtml
Now I am trying API queries using curl.
I checked if API works trying to authenticate, and it works well:
curl --request POST --url http://localhost:8090/lists/api/v2/sessions --header ‘Content-Type: application/json’ --data ‘{“login_name”: “admin”,“password”: “password”}’{“expiry”:“2019-07-12T08:29:19+00:00”,“key”:“1cfd8597c325ba5c0c7a77bef20f7245”,“id”:79}

But any other query returns me {“code”:403,“message”:“Forbidden”}
For example:
curl --location --request GET “http://127.0.0.1:8090/lists/api/v2/lists/2” --header “Content-Type: application/json” --header “Authorization: Basic 1cfd8597c325ba5c0c7a77bef20f7245” --data “”
{“code”:403,“message”:“Forbidden”}

Appreciate any advice on how it can be further investigated!

9

Sorry to hear that; @xheni might have thoughts on this.

1 Like
10

The authorization token in the query looks wrong.
The generated login token (“key” value) is passed as basic auth password for requests that require authentication like this: base64_encode($login_name: $session_key)
In your example, the result would be base64_encode(admin:1cfd8597c325ba5c0c7a77bef20f7245) which returns YWRtaW46MWNmZDg1OTdjMzI1YmE1YzBjN2E3N2JlZjIwZjcyNDU= and this is the authorization token.
Make sure to generate a new token when you try this as session tokens expire :slight_smile:

1 Like
11

In the $url, please try using session ID instead of the key.

1 Like
12

Changed it as:
$url = $api_path . ‘sessions/’ . $response->id;
Now my script returns {“code”:403,“message”:“Forbidden”}

13

Thank you @samtuke @xheni for fast reply!
Looks like (not looks like, but it is really true) I do not know http protocol well. Just trying to compose the query using samples I took here: https://documenter.getpostman.com/view/3293511/phplist-4-rest-api-demo/RVftkC9t?version=latest

Following your advice I tried to rewrite my query. Now it returns something different (better?):

curl --location --request GET “http://127.0.0.1:8090/lists/api/v2/lists/82” --header “Content-Type: apication/json” --header “Authorization: Basic base64_encode(admin:c4c12ca836dc1113637ebc13111c16e9)” --data “”
{“code”:404,“message”:“Not Found”}

The result from previous query to open session was:
{“expiry”:“2019-07-12T12:43:40+00:00”,“key”:“c4c12ca836dc1113637ebc13111c16e9”,“id”:82}

What I want to achieve is to execute
GET get list info
sample working.

What I am not sure, is where to specify session ID?

Can I ask you for a favor to correct my curl request above to make it working, so that I have some firm starting point to further study the subject?

14

please do not hardcode this in the curl request, that’s an example for PHP. The idea is that you should encode the value using base64 or use --user as explained here https://ec.haxx.se/http-auth.html

1 Like
15

@xheni

did you mean this way?
curl --location --request GET “httpts/83” --header “Content-Type: apication/json” --user admin:password --data “”

But it still does not work…

curl --request POST --url http://localhost:8090/lists/api/v2/sessions --header ‘Content-Type: application/json’ --data ‘{“login_name”: “admin”,“password”: “password”}’
{“expiry”:“2019-07-14T08:15:14+00:00”,“key”:“22850e86e3ca0ebcd029f5c65989d756”,“id”:83}

curl --location --request GET “http://localhost:8090/lists/api/v2/lists/83” --header “Content-Type: apication/json” --user admin:22850e86e3ca0ebcd029f5c65989d756 --data “”
{“code”:404,“message”:“Not Found”}

16

Hi,
I have the same problem with a 403 response.
I can call the sessions api and get the key but calling the lists api returns 403 response.
I copied an extract of the sample posted in the api manual page.

<!DOCTYPE html>
<html>
<body>

<?php
require __DIR__ . '/vendor/autoload.php';

$client = new \GuzzleHttp\Client();

//Please replace the following values with yours.
$loginname = 'mvd';
$password = 'yyyy';
$base_uri = 'http://mydomain.com/phplist/api/v2';

try {
    $response = $client->request('POST', $base_uri . '/sessions', [
        'form_params' => [
            'login_name' => $loginname,
            'password' => $password,
        ],
    ]);
} catch (\GuzzleHttp\Exception\GuzzleException $e) {
}

//get session key
if ($response->getBody()) {

    $obj = json_decode($response->getBody(), true);
    $key = $obj['key'];
    $id = $obj['id'];
    echo 'Session key is: ' . $key . ' id: ' . $id . '<br><br>';
}

//Use session key as password for basic auth
$credentials = base64_encode($loginname . ':' . $key);

echo 'Encoded credentials:' . $credentials . '<br><br>';


try {
$listInfo = $client->get($base_uri . '/lists/4',
    [
        'headers' => [
            'Authorization' => 'Basic ' . $credentials,
            'Content-Type' => 'application/json',
        ],
    ]);
if ($listInfo->getBody()) {
    $listInfoResponse = json_decode($listInfo->getBody(), true);
    echo 'List Info: <br><br>';
    foreach ($listInfoResponse as $key => $value) {
        echo "$key : $value<br>";
    }
    echo '<br>';
}
} catch (Exception $e) {
    echo 'Caught exception: ',  $e->getMessage(), "\n";
}


?>

</body>
</html>

The output is:
Session key is: c54ada8fa215f41d0818d9b57a9d5def id: 1986

Encoded credentials:bXZkOmM1NGFkYThmYTIxNWY0MWQwODE4ZDliNTdhOWQ1ZGVm

Caught exception: Client error: GET http://lsqanet.info/phplist/api/v2/lists/4 resulted in a 403 Forbidden response: {“code”:403,“message”:“Forbidden”}

Thanks in advance.

17

Hi All,
back from vacation things look much easier. No problems any more :slight_smile:

Here is shell equivalent of sample php script RESTAPIphpListClient.php provided on GitHub:

#!/bin/bash

loginname=‘admin’
password=‘password’
base_uri=’ ’ # I had to remove my base uri, as far as site does not permits me to publish it

#Initialize session

echo “Itializing session…”

response=curl --request POST --url "${base_uri}/sessions" --header 'Content-Type: application/json' --data "{\"login_name\": \"$loginname\",\"password\": \"password\"}"

#$response=’{“expiry”:“2019-08-17T18:37:27+00:00”,“key”:“3de46ddd6930def96bf1ac63d38e1985”,“id”:94}’
echo $response

#Extract sesson key from response

key=echo $response | jq '.key' | sed -e 's/^"//' -e 's/"$//'
echo “Got session key: $key”

#Use session key as password for basic auth

credentials=echo -n "$loginname:$key" | base64
echo “Encoded credentials: $credentials”

#echo $credentials | base64 --decode

#Get list info where id=1 (pipe to jq. to make result more readable

echo “Get list info where id=1”
curl --location --request GET “${base_uri}/lists/1” --header “Content-Type: application/json” --header “Authorization: Basic $credentials” | jq .

#Get all subscribers where list id=1

echo “Get all subscribers where list id=1”
curl --location --request GET “${base_uri}/lists/1/members” --header “Content-Type: application/json” --header “Authorization: Basic $credentials” | jq .

#Add a new subscriber

echo “Add a new subscriber”

curl --location --request POST “${base_uri}/subscribers”
–header “Content-Type: application/json”
–header “Authorization: Basic $credentials”
–data “{“email”:“restapi7@example.com”,“confirmed”:true,“blacklisted”:false,“html_email”:true,“disabled”:false}” | jq .

And below is the script output:

Itializing session…
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 134 100 88 100 46 644 336 --:–:-- --:–:-- --:–:-- 647
{“expiry”:“2019-08-20T09:36:57+00:00”,“key”:“bb3bb3df05484aab008831853fe5e764”,“id”:174}
Got session key: bb3bb3df05484aab008831853fe5e764
Encoded credentials: YWRtaW46YmIzYmIzZGYwNTQ4NGFhYjAwODgzMTg1M2ZlNWU3NjQ=
Get list info where id=1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 128 100 128 0 0 903 0 --:–:-- --:–:-- --:–:-- 907
{
“name”: “test”,
“description”: “List for testing”,
“creation_date”: “2019-07-02T11:29:16+00:00”,
“public”: false,
“category”: “”,
“id”: 1
}
Get all subscribers where list id=1
./CURL_Tests.bash: line 41: unexpected EOF while looking for matching `"’
./CURL_Tests.bash: line 43: syntax error: unexpected end of file
leonid@leonid-ThinkPad-T520:~/Projects/Allegro/HoneyPOT/20190627_PHPListCcontainer/REST_API$ ./CURL_Tests.bash
Itializing session…
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 134 100 88 100 46 655 342 --:–:-- --:–:-- --:–:-- 656
{“expiry”:“2019-08-20T09:38:09+00:00”,“key”:“68f2b04d9641f0a9df096d1a83a4727d”,“id”:175}
Got session key: 68f2b04d9641f0a9df096d1a83a4727d
Encoded credentials: YWRtaW46NjhmMmIwNGQ5NjQxZjBhOWRmMDk2ZDFhODNhNDcyN2Q=
Get list info where id=1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 128 100 128 0 0 855 0 --:–:-- --:–:-- --:–:-- 853
{
“name”: “test”,
“description”: “List for testing”,
“creation_date”: “2019-07-02T11:29:16+00:00”,
“public”: false,
“category”: “”,
“id”: 1
}
Get all subscribers where list id=1
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 216 100 216 0 0 1468 0 --:–:-- --:–:-- --:–:-- 1479
[
{
“creation_date”: “2019-07-02T11:29:16+00:00”,
“email”: "leon@us.ibm.com",
“confirmed”: true,
“blacklisted”: false,
“bounce_count”: 0,
“unique_id”: “047355177e01fac11435bd3abda4b18f”,
“html_email”: true,
“disabled”: false,
“id”: 1
}
]
Add a new subscriber
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 339 100 235 100 104 1352 598 --:–:-- --:–:-- --:–:-- 1358
{
“creation_date”: “2019-08-20T08:38:09+00:00”,
“email”: "restapi7@example.com",
“confirmed”: true,
“blacklisted”: false,
“bounce_count”: 0,
“unique_id”: “7108f6352dec2c1d1d3bd6720fd8981f”,
“html_email”: true,
“disabled”: false,
“extra_data”: “”,
“id”: 9
}

}

2 Likes
18

@ltepl That’s fantastic - thanks for sharing! Happy it’s working for you, and that you enjoyed a good vacation.