Just a quick one: you’ve been coding up your REST API and are trying to authenticate with a Bearer token in the Authorization header (as obtained from an OAuth2 handshake), and it’s just not working.

If you send the access token as a GET or POST parameter instead, however, things work fine. (Don’t leave it that way: tokens in query strings end up in server logs, browser history and Referer headers, which is why RFC 6750 discourages passing them there.)

You point your client at httpbin.org to see what it is actually sending, and lo and behold, the Bearer token is present and correct.

You scratch your head and dump the contents of $_SERVER to a log, and to your surprise: nothing. No Authorization header is present!

To save you many a frustrating hour, here’s the answer. Turns out that Apache deliberately withholds the Authorization (and Proxy-Authorization) header from scripts: the CGI environment rules treat it as sensitive, so it never shows up as $_SERVER['HTTP_AUTHORIZATION'], whether PHP runs as mod_php, plain CGI or FastCGI (php-fpm). The only part PHP puts back is what it understands itself, namely Basic (into PHP_AUTH_USER and PHP_AUTH_PW) and Digest (into PHP_AUTH_DIGEST). So from your API’s point of view, anything that isn’t basic auth, a Bearer token included, simply vanishes. Under mod_php the raw header is still visible through apache_request_headers(); under FastCGI it is gone entirely.
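Before touching the server config, it helps to have one function that looks in every place the header can land. The following is an added example, not code from the original post: it checks $_SERVER['HTTP_AUTHORIZATION'], the REDIRECT_HTTP_AUTHORIZATION variant you get when the header is re-exposed from a per-directory mod_rewrite rule, and apache_request_headers() under mod_php, then pulls the token out of the Bearer scheme using the b64token syntax from RFC 6750. The realm name "api" and the response handling at the bottom are assumptions for illustration.

```php
<?php
// Added example (not the original post's code): find a Bearer token wherever
// Apache/PHP left it, and reject anything that is not a well-formed token.
// Assumes PHP 7.1+ served by Apache (mod_php or FastCGI).

/**
 * Return the raw Authorization header value, or null if nothing carried it.
 * Checked in order:
 *   1. $_SERVER['HTTP_AUTHORIZATION']          (CGIPassAuth On, or SetEnvIf)
 *   2. $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] (env var set by a mod_rewrite
 *                                                [E=...] flag in .htaccess gets
 *                                                a REDIRECT_ prefix)
 *   3. apache_request_headers()                (only helps under mod_php, which
 *                                                reads the raw request headers)
 */
function raw_authorization_header(array $server): ?string
{
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    if (function_exists('apache_request_headers')) {
        // Header names are case-insensitive; normalise before the lookup.
        $headers = array_change_key_case(apache_request_headers(), CASE_LOWER);
        if (!empty($headers['authorization'])) {
            return $headers['authorization'];
        }
    }
    return null;
}

/**
 * Extract the token from "Bearer <token>". RFC 6750 section 2.1 restricts the
 * token to the b64token alphabet, so anything else is rejected rather than
 * being passed on to the token store. The scheme name is case-insensitive.
 */
function bearer_token(?string $header): ?string
{
    if ($header === null) {
        return null;
    }
    if (preg_match('#^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$#i', $header, $m)) {
        return $m[1];
    }
    return null;
}

$token = bearer_token(raw_authorization_header($_SERVER));
if ($token === null) {
    // Assumed response handling: RFC 6750 section 3 says to tell the client
    // which scheme to use when no usable credential was presented.
    header('HTTP/1.1 401 Unauthorized');
    header('WWW-Authenticate: Bearer realm="api"');
    exit;
}
// Validate $token against your OAuth2 server or token store from here on.
```

Logging raw_authorization_header($_SERVER) (or just which of the three sources returned non-null) is the quickest way to see whether your server config fix actually took effect.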

So, you need to put it back in yourself. Do so by putting the following into your .htaccess (the directory must allow overrides for it to take effect; the same lines work in the vhost config):
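As an added example (not the snippet from the original post), here is the standard way of re-exposing the header. Either option on its own is enough; the CGIPassAuth directive needs Apache 2.4.13 or later, the mod_rewrite variant works on older servers.

```apache
# Option 1 (Apache 2.4.13 or later): pass the Authorization header through
# to the script environment as HTTP_AUTHORIZATION. This is the directive
# Apache consults before it strips the header, so it also covers mod_php.
# Needs "AllowOverride AuthConfig" (or All) for the directory.
CGIPassAuth On

# Option 2 (any Apache with mod_rewrite): copy the raw header into an
# environment variable yourself. Set from .htaccess (per-directory context)
# the variable usually surfaces in PHP as
# $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] rather than
# $_SERVER['HTTP_AUTHORIZATION'], so read both.
RewriteEngine On
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
```

If mod_rewrite is unavailable but mod_setenvif is, `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` does the same job. Whichever you pick, remember that the token is now in the process environment of every script in that directory, so keep the rule scoped to the API path rather than the whole site.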

As part of (one of) my day jobs, I have had to yet again bash together a set of REST APIs. This is so we can start wiring some proper microservices, AWS-style scalable architecture, into the monolithic beast that is the current incarnation of the software I’m working on.

Anyway, here are a few gotchas if you intend to start using proper REST-style HTTP verbs (PUT/PATCH/DELETE), rather than doing everything via GET and POST like most everyone does.

No easy way to access variables

If you’re familiar with the standard $_POST mechanism for accessing submitted variables, you’ll be disappointed that PHP doesn’t by default provide a nice way of accessing these for PUT and PATCH. $_POST (and $_FILES) are only populated for POST requests carrying a form-encoded or multipart body; for any other method the body is left alone and is available only as a raw stream via php://input.

So, you’re going to have to extract them yourself: read php://input, look at the Content-Type header, and decode accordingly (parse_str() for application/x-www-form-urlencoded, json_decode() for application/json). Not overly tricky, but irritating. Note that PHP has no built-in multipart/form-data parser outside of POST, so file uploads over PUT either need a library or should go via POST.

So, for example:
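The following is an added example, not the snippet from the original post. It is one function that returns "the parameters" for any method: it defers to $_POST and $_GET where PHP already did the work, and for PUT/PATCH decodes the raw body by media type, refusing bodies it cannot decode rather than silently treating them as empty. It assumes PHP 7.3+ (for JSON_THROW_ON_ERROR) and no framework.

```php
<?php
// Added example (not the original post's code): read PUT/PATCH parameters
// the way PHP reads POST ones. Assumes PHP 7.3+ under any SAPI.

/**
 * Return the request parameters for the given method as an associative
 * array. Throws InvalidArgumentException or JsonException on bodies that
 * cannot be decoded, so malformed input is rejected, not ignored.
 */
function request_params(string $method, string $contentType, string $body): array
{
    $method = strtoupper($method);

    // PHP already parsed these for us; GET and DELETE carry their
    // parameters in the query string.
    if ($method === 'POST') {
        return $_POST;
    }
    if ($method === 'GET' || $method === 'DELETE') {
        return $_GET;
    }

    // Keep the media type only: drop parameters such as "; charset=utf-8".
    $type = strtolower(trim(explode(';', $contentType, 2)[0]));

    switch ($type) {
        case 'application/x-www-form-urlencoded':
            // Always pass the result array. parse_str() into the local scope
            // was register_globals in disguise and is gone in PHP 8.
            parse_str($body, $params);
            return $params;

        case 'application/json':
            $params = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
            if (!is_array($params)) {
                throw new InvalidArgumentException('JSON body must be an object or array');
            }
            return $params;

        case 'multipart/form-data':
            // PHP only parses multipart bodies for POST; there is no built-in
            // parser for PUT/PATCH.
            throw new InvalidArgumentException("multipart/form-data is not supported for $method");

        default:
            throw new InvalidArgumentException('Unsupported Content-Type: ' . $contentType);
    }
}

// php://input is the raw request body. Read it once and hand the string
// around rather than reopening the stream in several places.
$params = request_params(
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    $_SERVER['CONTENT_TYPE'] ?? '',
    file_get_contents('php://input')
);
```

Treat the returned array exactly as you would $_POST: it is untrusted input, so validate each field before use, and if you only accept JSON from API clients, drop the form-encoded branch so that there is one less parser exposed.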

Requests not coming through

If you find that your APIs work fine on your local machine but break when deployed, you might want to check your server configuration.

It is quite common for web servers (especially on shared hosts) to block HTTP verbs other than the most common GET and POST, for instance with an Apache <Limit> or <LimitExcept> block. ModSecurity with the OWASP Core Rule Set definitely blocks these methods out of the box: its allowed-methods list defaults to GET, HEAD, POST and OPTIONS, so PUT, PATCH and DELETE are rejected with a 403. The status code is your first clue: a 403 usually points at a policy or WAF rule, a 405 means the server or application doesn’t map that method to anything, and a 501 means the server doesn’t implement it at all.
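As an added example (not from the original post), here is what the two usual culprits look like when fixed, assuming ModSecurity with OWASP CRS 3.x and Apache 2.4. The path "/api" is an assumption for illustration.

```apache
# OWASP CRS, crs-setup.conf: the allowed-methods list defaults to
# "GET HEAD POST OPTIONS" and the method-policy rule rejects anything else.
# Extend the list for the verbs you actually use rather than disabling
# the rule.
SecAction \
  "id:900200,\
   phase:1,\
   nolog,\
   pass,\
   t:none,\
   setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE'"

# Plain Apache (httpd.conf or the vhost): a <Limit> block that denies
# PUT/PATCH/DELETE is a common shared-host default. Prefer <LimitExcept>,
# which denies everything *not* listed, so any verb you forget to allow
# stays blocked by default instead of slipping through.
<Location "/api">
    <LimitExcept GET HEAD POST OPTIONS PUT PATCH DELETE>
        Require all denied
    </LimitExcept>
</Location>
```

Scope the relaxed method list to the API path only; the rest of the site has no business accepting PUT or DELETE, and leaving the default in place there keeps the WAF useful.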

You should also check any proxies or load balancers that you have in front of your REST endpoint. These may need some configuration tweaks as well, since they can restrict or rewrite methods independently of the origin server.

Hopefully this will save you some time and frustration!

The Known Open Collective, which was set up last year, is continuing to grow.

This is fantastic, and I’m ever grateful to those who use Known, contribute to the community in whatever way, and especially to those who vote for Known with their hard-earned dollars!

The collective has built up a reasonable war chest now, and I’m keen to start using it to really start pushing the project forward and increase momentum.

Right now I’m thinking of maybe suggesting we use some of the money to fund tactically useful developments focussed on really knocking out blockers for people picking up the project.

Off the top of my head I’m thinking things like paying for development of installers for various hosting platforms, and maybe Known – Known import/export.

I’d be curious to hear your thoughts!