MyAnimeList added HTTPS support

Issue #116 resolved
Gustavo Rodrigues created an issue

It seems it broke the API. I tried to check if it was a local problem or in the API code, but as https://api.atarashiiapp.com is user agent locked I couldn't.

Anyway, I used a sniffer to check what's happening: the HTTPS connection ends too early. Because of that I thought GuzzleHttp isn't accepting MyAnimeList certificates. After adding $requestOptions['verify'] = false; to Communicator.php it seems the problem was solved.

I don't know how to debug Atarashii, so I can't find the exact error, but it gives an idea of the problem and how to solve it.

A question: now that MyAnimeList is secure and there isn't a need to MITM it to protect users from attacks on the local network, it turns out that the (only?) function of Atarashii API is just to provide a real API for MyAnimeList. Can the Atarashii application now use the current MyAnimeList API in cases which don't depend on HTML parsing? Or even better, use the MAL API in all cases that need authentication?

Comments (17)

  1. Ratan Dhawtal

    The code you mentioned above is unsafe since it skips the verification which makes HTTPS pointless.

  2. Toco Toucan

    I'm not sure that HTTPS is the reason (since the Atarashii Android app works OK), but my API instance stopped working. It returns {"error":{"code":500,"message":"Internal Server Error"}} for animelist and profile requests.

  3. Ratan Dhawtal

    The URLs that you gave are working fine locally with a certificate fix so they aren't broken.

    • /2.1/animelist/ratan12
    • /2.1/profile/ratan12

    I managed to get it working locally with:

    [curl]
    curl.cainfo="[php folder path]\cacert.pem"
    openssl.cafile="[php folder path]\cacert.pem"
    

    I downloaded the cacert.pem from https://curl.haxx.se/ca/cacert.pem and put it in the same folder as php.ini

  4. Gustavo Rodrigues reporter

    @ratan12 answering "is unsafe": I know. When I said "it gives an idea", it is because it gives an idea of "if changing it solves the problem, so it is in this part of the code" but not "it's the right solution". I imagined the problem could be this: PHP or GuzzleHttp not accepting the CA. As I needed to fix it ASAP (because one of my scripts depends on this API) I just disabled the check (which isn't too insecure, as before HTTPS we were using HTTP anyway). I will update my instance, making it use cacert.pem and then removing that line which disables checks.

  5. Michael Johnson

    I've been working on fixes for our internal server. As of right now, the master branch is currently broken. I haven't had a chance to review the changes needed for old Guzzle (v3) to work properly. If you can stand the requirements changes, develop is easier to fix. All notes are based on changes for the develop branch.

    • Edit the Resources/config/services.yml file and change the base URL to use https. Some of our code (search/browse for example) relies on detecting a redirect for single-entry results. The forced https redirect was breaking the logic. This may fix the master branch as well, I haven't tried yet.
    • Assuming you're running a proper server, you shouldn't need to configure a CA file as the system one should include the proper GeoTrust root already.
    • Unit tests are currently broken because many URLs, like that of the CDN, changed.

    As for directly using the MAL API in our related Android application, that would be a lot of effort for only about four actions. The official API isn't exactly full-featured (or even featured). We could move list updates (add/update/delete) and that's about it. Filtering searches or even getting more data than title won't be possible. Title details aren't in the official API, etc. We'd then also have to add support for XML parsing for just those actions. Further discussion should be on that project, not here.

  6. Gustavo Rodrigues reporter

    @motokochan Understood. I thought it was a simple question, and you explained well why this project, here, is still important for the Atarashii application (and other applications which use this API). Details and further discussion, of course, should be there.

  7. James

    Since I have Atarashii-api on a shared host, obviously this solution will not work. Are there any alternatives?

  8. Michael Johnson

    I just pushed a bunch of updates to fix the breakages from MAL. Try grabbing the updates and if it's still not working, report back with what branch/release you're on and I'll work with you to find the problem.

  9. Ratan Dhawtal

    They have some info in their docs: http://guzzle.readthedocs.io/en/latest/request-options.html#verify-option They also mention some code here: https://github.com/guzzle/guzzle/issues/394

    $guzzle->setDefaultOption('verify', '/path/to/cacert.pem');
    

    Translated into our methods it will be this:

     $requestOptions['verify'] = '/path/to/cacert.pem';
    

    You can put that in the \src\Atarashii\APIBundle\Service\Communicator.php below the other $requestOptions around line 37. I confirmed that the code does work as an alternative but I do not recommend it.

    @TocoToucan @chikorita157 Could you let me know if the code I mentioned works for now?


    In the docs they mention this: When using the PHP stream wrapper on versions < 5.6, Guzzle tries to find your CA bundle in the following order:

    1. Check if openssl.cafile is set in your php.ini file.
    2. Check if curl.cainfo is set in your php.ini file.
    3. Check if /etc/pki/tls/certs/ca-bundle.crt exists (Red Hat, CentOS, Fedora; provided by the ca-certificates package)
    4. Check if /etc/ssl/certs/ca-certificates.crt exists (Ubuntu, Debian; provided by the ca-certificates package)
    5. Check if /usr/local/share/certs/ca-root-nss.crt exists (FreeBSD; provided by the ca_root_nss package)
    6. Check if /usr/local/etc/openssl/cert.pem (OS X; provided by homebrew)
    7. Check if C:\windows\system32\curl-ca-bundle.crt exists (Windows)
    8. Check if C:\windows\curl-ca-bundle.crt exists (Windows)

    @qgustavor I meant it as a fast note for the other users. I might have been a bit too short because I was in the middle of coding. Anyway I am glad you got it working again.
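
The lookup order quoted in the comment above, written out as an added PHP example (not part of the thread, and not Atarashii or Guzzle code): the hypothetical `resolveCaBundle()` helper returns the first readable bundle that actually contains a certificate and throws rather than falling back to `verify = false`. The temp file standing in for a downloaded cacert.pem is constructed for the demo.

```php
<?php
// Added example. resolveCaBundle() is a hypothetical helper; the default
// candidate paths are the ones listed in the comment above.

/**
 * Return the first usable CA bundle, following the quoted lookup order.
 * Fails closed: throws instead of letting the caller disable verification.
 */
function resolveCaBundle($candidates = null)
{
    if ($candidates === null) {
        $candidates = [
            ini_get('openssl.cafile'),
            ini_get('curl.cainfo'),
            '/etc/pki/tls/certs/ca-bundle.crt',
            '/etc/ssl/certs/ca-certificates.crt',
            '/usr/local/share/certs/ca-root-nss.crt',
            '/usr/local/etc/openssl/cert.pem',
            'C:\\windows\\system32\\curl-ca-bundle.crt',
            'C:\\windows\\curl-ca-bundle.crt',
        ];
    }

    foreach ($candidates as $path) {
        // ini_get() returns false or '' when the directive is unset.
        if (!is_string($path) || $path === '' || !is_file($path) || !is_readable($path)) {
            continue;
        }
        // An empty or truncated download must not count as a trust store.
        $pem = file_get_contents($path);
        if ($pem !== false && strpos($pem, '-----BEGIN CERTIFICATE-----') !== false) {
            return $path;
        }
    }
    throw new RuntimeException('No CA bundle found; refusing to disable TLS verification.');
}

// Constructed demo input: a temp file stands in for a downloaded cacert.pem.
$demo = tempnam(sys_get_temp_dir(), 'ca');
file_put_contents($demo, "-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n");

$requestOptions = [];
$requestOptions['verify'] = resolveCaBundle(['/nonexistent/cacert.pem', $demo]);
echo 'verify => ', $requestOptions['verify'], PHP_EOL;
unlink($demo);
```

On a shared host without access to php.ini, a bundle shipped alongside the application can be passed as an extra candidate path.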

  10. Toco Toucan

    It looks like adding

    $requestOptions['verify'] = '/path/to/cacert.pem';
    

    helped. At least I can get my animelist and anime details. :)

    Thanks for the help.

  11. Ratan Dhawtal

    @TocoToucan Perfect! For now this should do it. I also highly recommend you clear the cache! MAL changed the image URLs and such.

    No problem.
