Problem with api: 403 forbidden

Hi!!
I’m a new user of phplist. I have installed the software successfully, but I can’t use the API interface. I have installed phplist on one server, but I need to create and delete subscribers from another server with the API interface. On the other server I execute the example “RESTAPIphpListClient.php” and obtain the session key, but the next call fails:

Session key is: 609a16b3db746568add450589adf10a8

Fatal error : Uncaught exception ‘GuzzleHttp\Exception\ClientException’ with message 'Client error: GET http://tiendaperu.es/lists/api/v2/lists/3 resulted in a 403 Forbidden response: {“code”:403,“message”:“Forbidden”} ’ in /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113 Stack trace: #0 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/guzzle/src/Middleware.php(66): GuzzleHttp\Exception\RequestException::create(Object(GuzzleHttp\Psr7\Request), Object(GuzzleHttp\Psr7\Response)) #1 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/promises/src/Promise.php(203): GuzzleHttp\Middleware::GuzzleHttp{closure}(Object(GuzzleHttp\Psr7\Response)) #2 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/promises/src/Promise.php(156): GuzzleHttp\Promise\Promise::callHandler(1, Object(GuzzleHttp\Psr7\Response), Array) #3 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/promises/src/TaskQueue.php(47): GuzzleHttp\Promise\Promise::GuzzleHttp\ in /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php on line 113

What can happen?? If the key is generated, the credentials are ok, right?

Thanks for all! =)

Best regards,
Albert

@akrsoft From what I can see a 403 return happens in only one place, in file base/vendor/phplist/core/src/Core/Bootstrap.php

public function ensureDevelopmentOrTestingEnvironment()
{
    $usesProxy = isset($_SERVER['HTTP_CLIENT_IP']) || isset($_SERVER['HTTP_X_FORWARDED_FOR']);
    $isOnCli = PHP_SAPI === 'cli' || PHP_SAPI === 'cli-server';
    $isLocalRequest = isset($_SERVER['REMOTE_ADDR'])
        && in_array($_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1'], true);
    if ($usesProxy || (!$isOnCli && !$isLocalRequest)) {
        header('HTTP/1.0 403 Forbidden');
        exit('You are not allowed to access this file.');
    }

    return $this;
}

Does this shed any light on the problem? I have tried the REST API client and it works without this problem.

Thanks for your reply, duncanc!! =)

Actually my system is fpm-fcgi, but to test, I added to “$isOnCli = PHP_SAPI === ‘cli’ || PHP_SAPI === ‘cli-server’;” also “|| PHP_SAP === ’ fpm-fcgi’”, so that $isOnCli is true and finally “($usesProxy || (!$isOnCli && !$isLocalRequest))” is false and does not exit, but I get the same error … =(

Fatal error : Uncaught exception ‘GuzzleHttp\Exception\ClientException’ with message 'Client error: GET http://tiendaperu.es/lists/api/v2/lists/3 resulted in a 403 Forbidden response: {“code”:403,“message”:“Forbidden”} ’ in /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php:113 Stack trace: #0 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/guzzle/src/Middleware.php(66): GuzzleHttp\Exception\RequestException::create(Object(GuzzleHttp\Psr7\Request), Object(GuzzleHttp\Psr7\Response)) #1 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/promises/src/Promise.php(203): GuzzleHttp\Middleware::GuzzleHttp{closure}(Object(GuzzleHttp\Psr7\Response)) #2 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/promises/src/Promise.php(156): GuzzleHttp\Promise\Promise::callHandler(1, Object(GuzzleHttp\Psr7\Response), Array) #3 /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/promises/src/TaskQueue.php(47): GuzzleHttp\Promise\Promise::GuzzleHttp\ in /home/perustocks/public_html/test_phplist/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php on line 113

@xheni Xheni, do you have any idea what is causing this problem?

I am also having a similar issue using the facility. I have tried to resolve this issue, but I have not succeeded yet! Any help will be appreciated.

@Thoma1s You can check the phplist_admintoken table that will have been created. There should be a row for each time that you ran the client. Does the timestamp look correct?

Thanks for addressing this topic. I was looking for the information regarding the same. Keep sharing the info, kudos!

I’m having the same problem, and would really appreciate some help with this.
I successfully get a session key from https://www.mydomain.com/lists/api/v2/sessions, but as soon as I try to call anything else (e.g. to get list info, subscribers, etc) I get something similar to the following message:

Caught Exception: Client error: GET https://www.mydomain.com/lists/api/v2/lists/2 resulted in a 403 Forbidden response: {“code”:403,“message”:“Forbidden”}

I’m not aware of any permissions problems with my server. I don’t see relevant messages in the server logs to help diagnose the problem. Is this happening somewhere in the bowels of phpList?

Thanks for any help!
Ben

Hi,

I’m having the same issue. Retrieving the session works fine but any other requests are failing with 403 forbidden.

I’m using the example provided in the documentation (https://github.com/phpList/RestAPIclientSimpleExample)

Does anybody have any ideas on how to fix?

@Precisely @Xero I am having that exact same issue, have you figured it out yet or just given up?

Ok, so after a LOT of digging and debugging, I finally figured out the issue (for me at least). I inspected the request being received by phpList, and the Authorization header was never appearing, everything else was.

Was able to fix this through the .htaccess file by adding the following line:

    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

I hope this can help someone else avoid this issue!

@SirJohnPeters Appears that the problem might be caused by Apache stripping some HTTP headers, see “Apache 2.4 + PHP-FPM and Authorization headers” on Stack Overflow
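
One way to confirm the diagnosis in the last two posts, as an added example that is not part of the thread or of phpList: a PHP helper that reports whether the Authorization header survives the hand-off from Apache to PHP, without echoing the credential. The Basic scheme, user name and session key in the samples are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added diagnostic, not phpList code. Given a $_SERVER-style array, report
// where (if anywhere) the client's Authorization header is visible to PHP.
// The credential value itself is never echoed, only its scheme and source.
function findAuthorization(array $server): ?array
{
    // HTTP_AUTHORIZATION is what the SetEnvIf line populates;
    // REDIRECT_HTTP_AUTHORIZATION is the same variable after an internal
    // redirect (for example a rewrite to a front controller).
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            $scheme = explode(' ', trim((string) $server[$key]), 2)[0];
            return ['source' => $key, 'scheme' => $scheme];
        }
    }
    // Some SAPIs decode Basic credentials into PHP_AUTH_USER / PHP_AUTH_PW.
    if (isset($server['PHP_AUTH_USER'])) {
        return ['source' => 'PHP_AUTH_USER', 'scheme' => 'Basic'];
    }
    return null;
}

function describe(array $server): string
{
    $found = findAuthorization($server);
    return $found === null
        ? 'no Authorization header visible to PHP'
        : sprintf('%s credentials visible via %s', $found['scheme'], $found['source']);
}

// Constructed samples (user name and session key are made up; Basic is assumed).
$header = 'Basic ' . base64_encode('constructed-user:constructed-session-key');
$samples = [
    'header stripped'        => ['REQUEST_URI' => '/lists/api/v2/lists/3'],
    'after SetEnvIf'         => ['HTTP_AUTHORIZATION' => $header],
    'after SetEnvIf+rewrite' => ['REDIRECT_HTTP_AUTHORIZATION' => $header],
];
foreach ($samples as $label => $server) {
    echo str_pad($label, 24), describe($server), PHP_EOL;
}
```

To check a live server, call describe($_SERVER) from a temporary script next to the API entry point, send it a request that carries an Authorization header, and delete the script afterwards.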