CloudFlare (Memberful) post requests from Java produce a 403 error

跟風遠走 提交于 2020-05-15 09:25:32

问题


I'm trying to authenticate users using Memberful from a Spring-Boot application. Per the Memberful documentation, the process is as follows:

  1. User logs in at the memberful URL (https://YOURSITE.memberful.com/oauth?client_id=APPLICATION_IDENTIFIER&response_type=code)
  2. User is redirected to my front end (Vue) with a code in the URL provided by Memberful.
  3. The code is passed to my back end server.
  4. Back end server sends a post request using RestTemplate.postForObject(...) from Spring to https://YOURSITE.memberful.com/oauth/token with all required parameters (See snippet below).

At this point an access token payload is expected, but instead a 403 Error is returned.

Here's the full method:

import org.springframework.http.*;
import org.springframework.util.MultiValueMap;

...


private JSONObject getMemberfulAccessToken(String strCode){
        String strTargetURL = "https://" + memberfulSubDomain + ".memberful.com/oauth/token";


        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

        MultiValueMap<String, String> parameters = new LinkedMultiValueMap<>();

        parameters.add("client_id", memberfulApplicationIdentifier);
        parameters.add("client_secret", memberfulClientSecret);
        parameters.add("grant_type", "authorization_code");
        parameters.add("code", strCode);

        HttpEntity<MultiValueMap<String, String>> entity = new HttpEntity<>(parameters, headers);

        String strAccessToken = restTemplate.postForObject(strTargetURL, entity, String.class);

        return new JSONObject(strAccessToken);
    } 

And here's the response:

<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>Access denied | [My Site].memberful.com used Cloudflare to restrict access</title>
<meta charset="UTF-8" />
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />
<meta name="robots" content="noindex, nofollow" />
<meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1" />
<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />
<!--[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->
<style type="text/css">body{margin:0;padding:0}</style>


<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/zepto.min.js"></script><!--<![endif]-->
<!--[if gte IE 10]><!--><script type="text/javascript" src="/cdn-cgi/scripts/cf.common.js"></script><!--<![endif]-->



</head>
<body>
  <div id="cf-wrapper">
    <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div>
    <div id="cf-error-details" class="cf-error-details-wrapper">
      <div class="cf-wrapper cf-header cf-error-overview">
        <h1>
          <span class="cf-error-type" data-translate="error">Error</span>
          <span class="cf-error-code">1010</span>
          <small class="heading-ray-id">Ray ID: 515be6c26b80c514 &bull; 2019-09-13 17:39:35 UTC</small>
        </h1>
        <h2 class="cf-subheadline">Access denied</h2>
      </div><!-- /.header -->

      <section></section><!-- spacer -->

      <div class="cf-section cf-wrapper">
        <div class="cf-columns two">
          <div class="cf-column">
            <h2 data-translate="what_happened">What happened?</h2>
            <p>The owner of this website ([My Site].memberful.com) has banned your access based on your browser's signature (515be6c26b80c514-ua21).</p>
          </div>


        </div>
      </div><!-- /.section -->

      <div class="cf-error-footer cf-wrapper">
  <p>
    <span class="cf-footer-item">Cloudflare Ray ID: <strong>515be6c26b80c514</strong></span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span>Your IP</span>: 207.200.220.146</span>
    <span class="cf-footer-separator">&bull;</span>
    <span class="cf-footer-item"><span>Performance &amp; security by</span> <a href="https://www.cloudflare.com/5xx-error-landing?utm_source=error_footer" id="brand_link" target="_blank">Cloudflare</a></span>

  </p>
</div><!-- /.error-footer -->


    </div><!-- /#cf-error-details -->
  </div><!-- /#cf-wrapper -->

  <script type="text/javascript">
  window._cf_translation = {};


</script>

</body>
</html>

回答1:


The fix: Add the JVM option -Dhttp.agent="[Anything you want as the user agent prefix]"

The issue: Cloudflare's Web Application Firewall prevents requests with the User-Agent header Java/1.8.0_172 from being received by Memberful.

Cloudflare's documentation indicates that if you get a 403 response that is not Cloudflare branded, it's the client's (in my case Memberful's) server that's returning the response. That being said, I'm not sure if the response I received in response to a POST request could be considered "Cloudflare branded", but at the time I'm writing this Memberful has told me they haven't applied any custom settings for their environment.

Of course there are other ways to set the User-Agent header value, but this is what I did.



来源:https://stackoverflow.com/questions/57928347/cloudflare-memberful-post-requests-from-java-produce-a-403-error

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!