API 403 Bug?


Tikuf

So I've spent A LONG time trying to figure out what was going wrong.

 

From what I can tell there MAY be a bug (unless I'm doing something wrong) with the api.php file.

 

Example (https://www.whmcs.com/members/includes/api.php)

If you access the file via Internet Explorer you will get an error 403 Access Denied error.

However, if you access it with ANYTHING else (PHP's cURL, Google Chrome, Firefox), it all works. (200 Response)

 

Normally you would say who cares, but anyone who codes in C# will know that all of C#'s web communication is based on Internet Explorer or its base code and will result in the same 403 error, making it impossible for me to connect my app to WHMCS (the only reason I bought WHMCS).

 

Legit bug or am I stupid?


Hello,

 

I am not showing what you report and think you might be confused. Let's start with what I get when I connect to the API script via curl. When I connect via curl to that API page, by default I get a 403 w/an error message:

 

nate$ curl -v https://www.whmcs.com/members/includes/api.php
* Adding handle: conn: 0x7fcdf9004000
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fcdf9004000) send_pipe: 1, recv_pipe: 0
* About to connect() to www.whmcs.com port 443 (#0)
* Trying 104.20.21.8...
* Connected to www.whmcs.com (104.20.21.8) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* Server certificate: *.whmcs.com
* Server certificate: Go Daddy Secure Certificate Authority - G2
* Server certificate: Go Daddy Root Certificate Authority - G2
* Server certificate: Go Daddy Class 2 Certification Authority
> GET /members/includes/api.php HTTP/1.1
> User-Agent: curl/7.30.0
> Host: www.whmcs.com
> Accept: */*
>
< HTTP/1.1 403 Forbidden
* Server cloudflare-nginx is not blacklisted
< Server: cloudflare-nginx
< Date: Tue, 13 Jan 2015 16:32:31 GMT
< Content-Type: text/html; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=db922ed33f4f986c412780627d201d53714211667 51; expires=Wed, 13-Jan-16 16:32:31 GMT; path=/; domain=.whmcs.com; HttpOnly
< Set-Cookie: WHMCSXbAkzYLZLCZ4=f5bu2ci7t8jupgbq7vl7ff77j6; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Vary: Accept-Encoding
< CF-RAY: 1a82fd83f45e0956-DFW
<
* Connection #0 to host www.whmcs.com left intact
result=error;message=Authentication Failed;

 

IE and Chrome display 403 errors differently. When IE gets a 403 header, it sometimes ignores what is in the body and shows its own error screen. Chrome displays the body. The fact that Chrome displayed a body error message w/details does not mean it returned a 200 error.

 

This is discussed on Stack Overflow here:

 

http://stackoverflow.com/questions/16741062/what-rules-does-ie-use-to-determine-whether-to-show-the-entity-body

 

We have a Windows mobile app that uses the same IE codebase. If what you claim is true, I would expect that none of them could talk to any WHMCS 5.3.x install. I had that tested and it works against 5.3.11 right now.

 

If your code is not working when running against 5.3.11, we need to look at the body of the reply, not the header, so we can see what is wrong. I recommend working with our support team to do that. Because our code was returning the same reply to all the browsers that did the same request, we closed the bug report as by-design.

 

Have a great day,

 

Nate C


Wow, you provided the most information so far, I would have honestly loved that before. However, I did just get a refund issued to me as my other tickets were just telling me it's a permission issue on my server. So I'm unable to test anymore. I do thank you for taking the time to give me a solid answer or at least some insight. Over this weekend, I might download a trial copy (if I'm still allowed) just to give it one more shot. I really would have preferred using WHMCS.


Yup, I feel sorry for the billing department.

 

I've repurchased everything (won't be asking for a refund again)

 

I didn't know that Microsoft doesn't show the 403 body. Some quick Google searches showed me how to get the body and get the API working and responding, so I'm very happy now.

 

Thank you.

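The behaviour discussed in this thread, shown from the C# side: a 403 still carries the API's error body, but the client has to read it from the exception. This is an added example, not code from the thread or from WHMCS; it assumes the client uses HttpWebRequest (whose GetResponse() throws WebException on a 403), and it talks to a constructed loopback stub that replays the status and body from the curl transcript instead of a real WHMCS install.

```csharp
using System;
using System.IO;
using System.Net;
using System.Net.Sockets;
using System.Text;
using System.Threading.Tasks;

class Api403Demo
{
    // Constructed sample: same status and body as the curl transcript in the thread.
    const string Body = "result=error;message=Authentication Failed;";

    // Stand-in server on loopback so the example runs offline; answers one request with 403.
    static void ServeOne403(TcpListener listener)
    {
        using (var client = listener.AcceptTcpClient())
        using (var stream = client.GetStream())
        {
            var reader = new StreamReader(stream, Encoding.ASCII);
            while (!string.IsNullOrEmpty(reader.ReadLine())) { }   // drain request headers
            var reply = "HTTP/1.1 403 Forbidden\r\nContent-Type: text/html; charset=utf-8\r\n" +
                        "Content-Length: " + Body.Length + "\r\nConnection: close\r\n\r\n" + Body;
            var bytes = Encoding.ASCII.GetBytes(reply);
            stream.Write(bytes, 0, bytes.Length);
        }
    }

    // Returns status and body for any response; a 4xx/5xx arrives via WebException.Response.
    static Tuple<HttpStatusCode, string> Fetch(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        HttpWebResponse response;
        try { response = (HttpWebResponse)request.GetResponse(); }
        catch (WebException ex)
        {
            response = ex.Response as HttpWebResponse;
            if (response == null) throw;          // no HTTP reply at all (DNS, TLS, timeout)
        }
        using (response)
        using (var body = new StreamReader(response.GetResponseStream()))
            return Tuple.Create(response.StatusCode, body.ReadToEnd());
    }

    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);   // port 0: OS picks a free port
        listener.Start();
        var server = Task.Run(() => ServeOne403(listener));
        var port = ((IPEndPoint)listener.LocalEndpoint).Port;
        var result = Fetch("http://127.0.0.1:" + port + "/members/includes/api.php");
        server.Wait();
        listener.Stop();
        Console.WriteLine((int)result.Item1 + " " + result.Item2);
    }
}
```

Logging the status code together with the body is what separates an authentication failure reported by the API from a 403 issued by something in front of it, which would not carry the `result=error;` payload.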
