Post by taggsladder » Wed Jan 15, 2020 9:23 pm

Hello

Searched alot on this and noticed many having issues related to this but not my actual problem.

I have an Opencart 2.3.0.2 on Apache 2.4 / PHP 7.2 server with TLS enabled and forced.

The key here is that the installation have been working flawlessly for over a year with no modifications at all during this time.

But recently I get the dredded "Warning: You do not have permission to access the API!" in different places related to adding/modifying orders in admin section.

This is not related to my IP not added to api, I know how this work.

The thing is that if I spam the browsers refresh button it eventually works, like the error comes roughly 1 out of 3 refresh, but it differs.

I have located the line in different files in "catalog/controller/api" that couses the problem and it is:

Code: Select all

if (!isset($this->session->data['api_id'])) {
	$json['error'] = $this->language->get('error_permission');

If I change it to the below the error goes away, but obviously I don't want to do that.

Code: Select all

if (false) {
	$json['error'] = $this->language->get('error_permission');

Since the problem comes and goes my conslusion is that this must be a server side error, but I am not in full charge of the servers.
No information from the host provider has noticed me of any server change and the apache/php versions have been the same all time.

Any thoughts on how to troubleshoot this?

Newbie

Posts

Joined
Tue Sep 30, 2014 10:20 pm

Post by opencartmart » Thu Jan 16, 2020 3:47 pm

You may get the same error if the API token is expired. Since it is not IP related, it appears to be a token expiration thing.
By default, the lifetime of a token is 1 hour, if you want to extend it, you can modify the value in the controller/startup/session.php file. The query you have to modify:

Code: Select all

$this->db->query("DELETE FROM `" . DB_PREFIX . "api_session` WHERE TIMESTAMPADD(HOUR, 1, date_modified) < NOW()");
Look at the number just after `HOUR`

XForm - Opencart Form Builder
Xshippingpro - An advanced Shipping Module
Need Professional support? Skype: opencartmart


Active Member
Online

Posts

Joined
Wed Oct 02, 2013 3:59 am

Post by taggsladder » Thu Jan 16, 2020 6:09 pm

opencartmart wrote:
Thu Jan 16, 2020 3:47 pm
You may get the same error if the API token is expired. Since it is not IP related, it appears to be a token expiration thing.
By default, the lifetime of a token is 1 hour, if you want to extend it, you can modify the value in the controller/startup/session.php file. The query you have to modify:

Code: Select all

$this->db->query("DELETE FROM `" . DB_PREFIX . "api_session` WHERE TIMESTAMPADD(HOUR, 1, date_modified) < NOW()");
Look at the number just after `HOUR`
I don't think this is it since the problem occurs immediately after login.

Newbie

Posts

Joined
Tue Sep 30, 2014 10:20 pm

Post by opencartmart » Thu Jan 16, 2020 8:37 pm

taggsladder wrote:
Thu Jan 16, 2020 6:09 pm
I don't think this is it since the problem occurs immediately after login.
Then, what could be the reason? Don't forget to enlighten us if you ever find it.

By the way, it is worth a try removing that query.

XForm - Opencart Form Builder
Xshippingpro - An advanced Shipping Module
Need Professional support? Skype: opencartmart


Active Member
Online

Posts

Joined
Wed Oct 02, 2013 3:59 am

Post by taggsladder » Thu Jan 16, 2020 10:26 pm

opencartmart wrote:
Thu Jan 16, 2020 8:37 pm
taggsladder wrote:
Thu Jan 16, 2020 6:09 pm
I don't think this is it since the problem occurs immediately after login.
Then, what could be the reason? Don't forget to enlighten us if you ever find it.

By the way, it is worth a try removing that query.
I am trying to figure that out. Yes I will do that.

Commenting out that line did not fix the issue.

---

I don't have any real understand how the sessions work. Are they stored in cookie?

Thought it was a cookie problem first but tried 3 different computers running different OS and browsers.

---

I have found some kind of pattern now to get the error to not come up. Tried this over 20 times with same result no deviation.

If I wait > 35 seconds (approx) between refreshing this page the error never comes!
Sales > Orders > Add new (top right corner)

But If I refresh the page sooner the error may come or may not come. Usually comes more often than not.
i. e. if I just refresh the page every second sometimes error comes sometimes not, seems random to me.


For clarity regarding the example page above "Add order", when the error shows the "currency" dropdown list is marked red.

---

Just playing around now:

In admin panel I go and delete all sessions.
System > Users > API > Default > Session tab

Logout and login again.

Go directly to session list again. It is still empty.
System > Users > API > Default > Session tab

When I goto page below new entry is added in sessions tab every time I refresh the page. New entry both on error appearing and not.
Sales > Orders > Add new (top right corner)

This is correct behavior?

Newbie

Posts

Joined
Tue Sep 30, 2014 10:20 pm

Post by opencartmart » Fri Jan 17, 2020 1:13 am

taggsladder wrote:
Thu Jan 16, 2020 10:26 pm
When I goto page below new entry is added in sessions tab every time I refresh the page.
This is correct behavior?
Yes it is correct behavior in OC 2.3.x
taggsladder wrote:
Thu Jan 16, 2020 10:26 pm
New entry both on error appearing and not.
Sales > Orders > Add new (top right corner)
This is correct behavior?
Nope, it should not show any error unless your IP address changes too frequently.

By the way, controller/startup/session.php is the file where API session is generated. So you can debug that file and it is a small file, fortunately.

XForm - Opencart Form Builder
Xshippingpro - An advanced Shipping Module
Need Professional support? Skype: opencartmart


Active Member
Online

Posts

Joined
Wed Oct 02, 2013 3:59 am

Post by thekrotek » Fri Jan 17, 2020 5:10 am

OC 2.3 is well know for its broken API connections. You can either disable API checks completely with Disable API Checks extension or downgrade to OC 2.2, which doesn't have such issues. Actually, any other OC version doesn't have such issues. At least on the regular basis.

Professional OpenCart extensions, support and custom work.
Contact me via email or Skype by support@thekrotek.com


User avatar
Expert Member

Posts

Joined
Sun Jul 03, 2016 12:24 am


Post by pcanka2019 » Mon Jan 20, 2020 6:10 pm

Have the same problem - it has worked fine until appr. 1 month ago when the server host upgraded from php 7.1 to 7.2 (maybe they have done something else as well...). I have to refresh the module changer several times to get it to work (update the order and API message gone) . This will only work with IE not Chrome nor Firefox.

I don´t understand the suggestion to install the "Disable API Checks" when it states "By removing API security checks you can make your OpenCart API vulnerable!"

Newbie

Posts

Joined
Wed Feb 27, 2019 11:59 pm

Post by taggsladder » Mon Jan 20, 2020 7:12 pm

pcanka2019 wrote:
Mon Jan 20, 2020 6:10 pm
Have the same problem - it has worked fine until appr. 1 month ago when the server host upgraded from php 7.1 to 7.2 (maybe they have done something else as well...). I have to refresh the module changer several times to get it to work (update the order and API message gone) . This will only work with IE not Chrome nor Firefox.

I don´t understand the suggestion to install the "Disable API Checks" when it states "By removing API security checks you can make your OpenCart API vulnerable!"
OK, I have run it on PHP 7.2 over a year without a problem. Only issue with PHP 7.2 and OC 2.3.0.2 is mcrypt depriciated in PHP 7.2 I replaced it with openssl but this should not be relevant to this problem though.

For me I can refresh and get rid of the error in both Chrome and Safari on Mac OS. Not tried IE or Firefox. Seems unrelated to browser.

No I am not keen on that hack either.


Funny I choose the latest release of OC 2 thinking it should be the most stable and refined...

Newbie

Posts

Joined
Tue Sep 30, 2014 10:20 pm

Post by straightlight » Mon Jan 20, 2020 9:56 pm

taggsladder wrote:
Mon Jan 20, 2020 7:12 pm
pcanka2019 wrote:
Mon Jan 20, 2020 6:10 pm
Have the same problem - it has worked fine until appr. 1 month ago when the server host upgraded from php 7.1 to 7.2 (maybe they have done something else as well...). I have to refresh the module changer several times to get it to work (update the order and API message gone) . This will only work with IE not Chrome nor Firefox.

I don´t understand the suggestion to install the "Disable API Checks" when it states "By removing API security checks you can make your OpenCart API vulnerable!"
OK, I have run it on PHP 7.2 over a year without a problem. Only issue with PHP 7.2 and OC 2.3.0.2 is mcrypt depriciated in PHP 7.2 I replaced it with openssl but this should not be relevant to this problem though.

For me I can refresh and get rid of the error in both Chrome and Safari on Mac OS. Not tried IE or Firefox. Seems unrelated to browser.

No I am not keen on that hack either.


Funny I choose the latest release of OC 2 thinking it should be the most stable and refined...
Unbelievable, not a single post from supporters about requesting the OP to post the error / server access logs. Just a bunch of guess response without gathering the facts from a server whenever it comes to technical issues being reported.

@taggslader: Can you please post your error / server access logs as per the forum rules?

As for the OpenSSL, there has been updated solutions regarding the system/library/encryption.php file since v2.3.0.2's release. The internal API's backward compatibility does rely on sessions where sessions also relies on SSL functions to operate properly. Which is why, it is recommended to use SSL with Opencart.

Also take note that v2.3.0.2 contains some bugs regarding the order fraud extensions which may require for you to patch by using the official release.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON

Post by taggsladder » Tue Jan 21, 2020 1:45 am

straightlight wrote:
Mon Jan 20, 2020 9:56 pm
Unbelievable, not a single post from supporters about requesting the OP to post the error / server access logs. Just a bunch of guess response without gathering the facts from a server whenever it comes to technical issues being reported.

@taggslader: Can you please post your error / server access logs as per the forum rules?
Apache error log did not contain anything related to this. First thing I checked.

To be sure.
1. Deleted old error log.
2. Went into admin panel and made sure this API error got displayed a couple of times.
3. Looked into error log = empty.
4. Forced a PHP error by writing random bad code.
5. Looked into error log again, above forced error was logged.

I set "php_value error_reporting -1" in .htaccess, from my understanding this should log all types of errors.

My conclusion = Error logging works but this problem does not seem to log an error in error.log.

Regarding access.log I have not permission by the hosting provider to look at this. I have e-mailed them and asked about this. Will let you know.


straightlight wrote:
Mon Jan 20, 2020 9:56 pm
As for the OpenSSL, there has been updated solutions regarding the system/library/encryption.php file since v2.3.0.2's release. The internal API's backward compatibility does rely on sessions where sessions also relies on SSL functions to operate properly.
When I mentioned openssl I meant I just replaced the deprecated mcrypt_encrypt with openssl_encrypt function in system/library/encryption.php.

In other words:
Replaced this line:

Code: Select all

return strtr(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, hash('sha256', $this->key, true), $value, MCRYPT_MODE_ECB)), '+/=', '-_,');
With this line:

Code: Select all

return base64_encode(openssl_encrypt($value, 'AES-256-CBC', hash('sha256', $this->key, true), 0, substr(hash('sha256', $this->key, true), 16, 16)));
Which I bieleve should do the job equally.


straightlight wrote:
Mon Jan 20, 2020 9:56 pm
Which is why, it is recommended to use SSL with Opencart.
As I wrote in my first post "I have an Opencart 2.3.0.2 on Apache 2.4 / PHP 7.2 server with TLS enabled and forced.".

What I meant by this is that TLS (SSL) is enabled on hosting provider and "forced" in my hosting providers settings page to redirect all http trafic to https.

Also in OC config.php both "define('HTTP_SERVER'" and "define('HTTPS_SERVER'" has the https domain.

And of course in OC admin panel System > Settings > Server I have selected "yes" in "Use SSL" option.

straightlight wrote:
Mon Jan 20, 2020 9:56 pm
Also take note that v2.3.0.2 contains some bugs regarding the order fraud extensions which may require for you to patch by using the official release.
I do not use this extension but thank you.

Newbie

Posts

Joined
Tue Sep 30, 2014 10:20 pm

Post by straightlight » Tue Jan 21, 2020 7:00 am

taggsladder wrote:
Tue Jan 21, 2020 1:45 am
straightlight wrote:
Mon Jan 20, 2020 9:56 pm
Unbelievable, not a single post from supporters about requesting the OP to post the error / server access logs. Just a bunch of guess response without gathering the facts from a server whenever it comes to technical issues being reported.

@taggslader: Can you please post your error / server access logs as per the forum rules?
Apache error log did not contain anything related to this. First thing I checked.

To be sure.
1. Deleted old error log.
2. Went into admin panel and made sure this API error got displayed a couple of times.
3. Looked into error log = empty.
4. Forced a PHP error by writing random bad code.
5. Looked into error log again, above forced error was logged.

I set "php_value error_reporting -1" in .htaccess, from my understanding this should log all types of errors.

My conclusion = Error logging works but this problem does not seem to log an error in error.log.

Regarding access.log I have not permission by the hosting provider to look at this. I have e-mailed them and asked about this. Will let you know.


straightlight wrote:
Mon Jan 20, 2020 9:56 pm
As for the OpenSSL, there has been updated solutions regarding the system/library/encryption.php file since v2.3.0.2's release. The internal API's backward compatibility does rely on sessions where sessions also relies on SSL functions to operate properly.
When I mentioned openssl I meant I just replaced the deprecated mcrypt_encrypt with openssl_encrypt function in system/library/encryption.php.

In other words:
Replaced this line:

Code: Select all

return strtr(base64_encode(mcrypt_encrypt(MCRYPT_RIJNDAEL_256, hash('sha256', $this->key, true), $value, MCRYPT_MODE_ECB)), '+/=', '-_,');
With this line:

Code: Select all

return base64_encode(openssl_encrypt($value, 'AES-256-CBC', hash('sha256', $this->key, true), 0, substr(hash('sha256', $this->key, true), 16, 16)));
Which I bieleve should do the job equally.


straightlight wrote:
Mon Jan 20, 2020 9:56 pm
Which is why, it is recommended to use SSL with Opencart.
As I wrote in my first post "I have an Opencart 2.3.0.2 on Apache 2.4 / PHP 7.2 server with TLS enabled and forced.".

What I meant by this is that TLS (SSL) is enabled on hosting provider and "forced" in my hosting providers settings page to redirect all http trafic to https.

Also in OC config.php both "define('HTTP_SERVER'" and "define('HTTPS_SERVER'" has the https domain.

And of course in OC admin panel System > Settings > Server I have selected "yes" in "Use SSL" option.

straightlight wrote:
Mon Jan 20, 2020 9:56 pm
Also take note that v2.3.0.2 contains some bugs regarding the order fraud extensions which may require for you to patch by using the official release.
I do not use this extension but thank you.
php_value error_reporting -1
Then your conclusion based on this analysis remains incomplete since your host restricts you of access to view your domain error logs aside from the set_error_handler reported errors from PHP. Contacting your host would be the right initiative.

The most generated errors being found on Opencart forum originates from contributed programming. The increased post counters are caused by redundancies of the same solutions that were already provided prior.


Regards,
Straightlight
Opencart.com Administrator / Quality Assurance Analyst / Programmer


Legendary Member

Posts

Joined
Mon Nov 14, 2011 11:38 pm
Location - Canada, ON
Who is online

Users browsing this forum: No registered users and 7 guests