I am building a simple REST API project using PHP and MySQL without any frameworks. The API uses JSON requests and responses and includes registration, login, user profile, and categories endpoints.
The registration endpoint hashes passwords using password_hash(), and the login endpoint verifies passwords using password_verify(). After successful login, a random token is generated using random_bytes() and stored in the database. Protected routes use Bearer Token authentication.
I can successfully register and log in users, and the token is stored correctly in the database. However, when I try to access protected routes such as /user.php, the API returns:
{ "message": "Authorization header not found" }

I am testing the API in Postman using the Authorization → Bearer Token option.
Here are the main API files used in the project:
```php
// login.php
<?php
require "../db.php";
require "../functions.php";

$d = input();
$user = one(
    "SELECT * FROM users WHERE email=? OR phone=?",
    [$d["login"], $d["login"]]
);
if (!$user || !password_verify($d["password"], $user["password"])) {
    json(["message" => "Invalid login or password"], 401);
}
// Opaque random token, stored as-is in users.token and returned to the client
$token = bin2hex(random_bytes(32));
run("UPDATE users SET token=? WHERE id=?", [$token, $user["id"]]);
json([
    "message" => "login good",
    "token"   => $token,
    "user"    => $user
]);
```

```php
// register.php
<?php
require "../db.php";
require "../functions.php";

$d = input();
$hash = password_hash($d["password"], PASSWORD_DEFAULT);
run(
    "INSERT INTO users(name,phone,email,password,role) VALUES(?,?,?,?,'user')",
    [$d["name"] ?? null, $d["phone"], $d["email"], $hash]
);
json(["message" => "tyrkeldi"], 201);
```

```php
// user.php
<?php
require "../db.php";
require "../functions.php";

$m = $_SERVER["REQUEST_METHOD"];
$user = auth(); // exits with 401 when no valid Bearer token is found

if ($m == "GET" && empty($_GET["adverts"])) {
    json([
        "id"    => $user["id"],
        "name"  => $user["name"],
        "phone" => $user["phone"],
        "email" => $user["email"],
        "role"  => $user["role"]
    ]);
}

if ($m == "PATCH") {
    $d = input();
    run(
        "UPDATE users SET name=?, phone=?, email=? WHERE id=?",
        [$d["name"], $d["phone"], $d["email"], $user["id"]]
    );
    json(["message" => "updated"]);
}

if ($m == "GET" && !empty($_GET["adverts"])) {
    $sql = "SELECT * FROM adverts WHERE user_id=?";
    $p = [$user["id"]];
    if (!empty($_GET["status"])) {
        $sql .= " AND status=?";
        $p[] = $_GET["status"];
    }
    $sql .= " ORDER BY id DESC";
    json(all($sql, $p));
}

json(["message" => "not found"], 404);
```

```php
// functions.php
<?php
function input() {
    return json_decode(file_get_contents("php://input"), true);
}

function json($d, $c = 200) {
    http_response_code($c);
    echo json_encode($d, JSON_UNESCAPED_UNICODE);
    exit;
}

function all($q, $p = []) {
    global $pdo;
    $s = $pdo->prepare($q);
    $s->execute($p);
    return $s->fetchAll(PDO::FETCH_ASSOC);
}

function one($q, $p = []) {
    return all($q, $p)[0] ?? null;
}

function run($q, $p = []) {
    global $pdo;
    return $pdo->prepare($q)->execute($p);
}

// Reads the Bearer token from the Authorization header and looks it up in users.token
function auth($r = true) {
    $t = str_replace("Bearer ", "", getallheaders()["Authorization"] ?? "");
    if (!$t && !$r) return null;
    if (!$t) json(["message" => "Unauthorized"], 401);
    $u = one("SELECT * FROM users WHERE token=?", [$t]);
    if (!$u && !$r) return null;
    if (!$u) json(["message" => "Invalid token"], 401);
    return $u;
}
```

```php
// categories.php
<?php
require "../db.php";
require "../functions.php";

json(all("SELECT * FROM categories ORDER BY id DESC"));
```

What is the correct and reliable way to read Authorization Bearer headers in PHP when building a REST API with Apache and Postman?
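The following is an added example, not the asker's code, of an `auth()` replacement that reads the Authorization header from every place Apache can deliver it and parses the Bearer scheme per RFC 6750 instead of a case-sensitive `str_replace`. It assumes the question's `one()` and `json()` helpers from `functions.php` and the `users.token` column the question describes; the `.htaccess` lines in the comment are the standard mod_rewrite / SetEnvIf workaround for Apache stripping the header before PHP sees it under CGI or FastCGI.

```php
<?php
// Added example (not the original post's code). Assumes one() and json() from the
// question's functions.php and that users.token holds the token issued at login.
//
// Apache running PHP as CGI/FastCGI/suPHP does not pass the Authorization header to
// PHP at all, so getallheaders() returns nothing. Put this next to the API so the
// header is copied into an environment variable PHP can read:
//
//   RewriteEngine On
//   RewriteCond %{HTTP:Authorization} .
//   RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
//
// or, without mod_rewrite:
//
//   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

/** Raw Authorization header value, or null if nothing reached PHP. */
function authorization_header(): ?string {
    $candidates = [
        $_SERVER['HTTP_AUTHORIZATION'] ?? null,          // mod_php, or after the rules above
        $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? null, // when mod_rewrite prefixed the env var
    ];
    if (function_exists('apache_request_headers')) {
        foreach (apache_request_headers() as $name => $value) {
            // Header names are case-insensitive; do not rely on the exact key "Authorization".
            if (strcasecmp($name, 'Authorization') === 0) {
                $candidates[] = $value;
            }
        }
    }
    foreach ($candidates as $c) {
        if (is_string($c) && $c !== '') {
            return $c;
        }
    }
    return null;
}

/** Token from "Bearer <b64token>" (RFC 6750), or null when the scheme/token is malformed. */
function bearer_token(?string $header): ?string {
    if ($header === null) {
        return null;
    }
    // Scheme is case-insensitive; b64token allows ALPHA / DIGIT / - . _ ~ + / and trailing "=".
    if (!preg_match('/^\s*Bearer\s+([A-Za-z0-9\-._~+\/]+=*)\s*$/i', $header, $m)) {
        return null;
    }
    return $m[1];
}

/** Drop-in replacement for the question's auth(); same $required semantics. */
function auth(bool $required = true): ?array {
    $header = authorization_header();
    if ($header === null) {
        // Distinguish "never reached PHP" (a server config problem) from "present but wrong".
        if (!$required) return null;
        json(['message' => 'Authorization header not found'], 401);
    }
    $token = bearer_token($header);
    if ($token === null) {
        if (!$required) return null;
        json(['message' => 'Malformed Authorization header'], 401);
    }
    $user = one('SELECT * FROM users WHERE token = ?', [$token]);
    if (!$user) {
        if (!$required) return null;
        json(['message' => 'Invalid token'], 401);
    }
    // Never hand the password hash or the token itself back to the caller.
    unset($user['password'], $user['token']);
    return $user;
}
```

A quick way to confirm which side is at fault: temporarily return `array_keys($_SERVER)` from a protected route and check whether `HTTP_AUTHORIZATION` is present. If it is missing while Postman is sending the header, the Apache rule above is the fix; if it is present, the problem is in the parsing.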
