I have used Shaarli for ages to collect links, notes and bookmarks. I worked on that collection a little and started to share some as public lists.
On my mobile device I bought a license for Stakali, it fits perfectly into my workflows. I often search on my mobile and share the link through Stakali to my desktop. Stakali just needs the URL and the API Key of Shaarli, but I got errors. So I analyzed the source and app with:
Stakali has an option to disable SSL Key checking, so there is no need to use any more tools to intercept the traffic. On Android you normally have to disable SSL Pinning. Here is a good start to learn how to do this.
Even with the API enabled it didn’t work. First I used the default .htaccess, but got an Error 500 when accessing the API.
.htaccess
# Disable directory listing
Options -Indexes
RewriteEngine On
# Prevent accessing subdirectories not managed by SCM
RewriteRule ^(.git|doxygen|vendor) - [F]
RewriteCond %{HTTP:Authorization} ^(.+)
RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]
# REST API
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ index.php [L]
...
The line to add is RewriteBase /. With RewriteBase the Error 500 when accessing the API disappeared, but logon with mobile still wasn’t possible.
I enabled the debug mode and wrote a little PHP script to check the headers and environment variables:
shaarli/data/config.json.php
...
},
"dev": {
"debug": true
}
}
The "dev" element is new: add it to the JSON to enable debugging.
My hoster uses FastCGI with PHP and this strips the Authorization header, but the rule RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT] should add an environment variable HTTP_AUTHORIZATION with the content of the Authorization header.
This does not work for me, but I found a workaround:
.htaccess
...
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
# RewriteCond %{HTTP:Authorization} ^(.+)
# RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]
...
The SetEnvIf line is added; the RewriteCond and RewriteRule lines are commented out.
I replaced the RewriteRule with this SetEnvIf directive. Now I found the Bearer JWT token in use when I debugged the access, but Shaarli didn’t accept the token, because the variable was renamed to REDIRECT_HTTP_AUTHORIZATION and Shaarli is not aware of this.
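A header check of the kind described above, written for this page as an added example (it is not the author's script and not Shaarli's code): it reports which of the two server variables carries the Authorization header and redacts the token so the credential is never echoed back. The function names and the sample value are assumptions.

```php
<?php
// Added example: not the author's script and not Shaarli code.
// Shows which server variable carries the Authorization header under
// Apache + FastCGI without printing the secret token itself.

/** Variable names checked, in order of preference. */
const AUTH_KEYS = ['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];

/** Return the first non-empty Authorization value, or null if none is set. */
function resolveAuthorization(array $server): ?string
{
    foreach (AUTH_KEYS as $key) {
        if (!empty($server[$key])) {
            return $server[$key];
        }
    }
    return null;
}

/** Keep the scheme (e.g. "Bearer"), replace the credential by its length. */
function redact(string $value): string
{
    $parts = explode(' ', $value, 2);
    if (count($parts) !== 2) {
        return '[redacted, ' . strlen($value) . ' chars]';
    }
    return $parts[0] . ' [redacted, ' . strlen($parts[1]) . ' chars]';
}

/** Build one report line per candidate variable plus the resolved result. */
function report(array $server): array
{
    $lines = [];
    foreach (AUTH_KEYS as $key) {
        $lines[] = $key . ': ' . (empty($server[$key]) ? '(not set)' : redact($server[$key]));
    }
    $found = resolveAuthorization($server);
    $lines[] = 'resolved: ' . ($found === null ? '(none)' : redact($found));
    return $lines;
}

// Constructed sample when run from the CLI; the real $_SERVER when served by Apache.
$sample = ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer aaa.bbb.ccc'];
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
echo implode("\n", report(PHP_SAPI === 'cli' ? $sample : $_SERVER)), "\n";
```

Remove the file from the web root once the check is done, since anyone who can reach it learns how the server handles the header.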
I couldn’t find an easy way to get this working, so I changed the code directly and created a Pull Request. I added the comments to .htaccess to make it easier (just comment out or in the rewrite rules) and application/api/ApiMiddleware.php.
You can see all changes here. Not sure if this all is needed or good, but it works for me. I just added the new environment variable and the application doesn’t run into exceptions any more.