http://www.perlmonks.org?node_id=11111384

perltastica has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks,

I thought this would be easy after I got it going with wget + jq, but in Perl it always returns a 403 error.

The wget example below works fine, although I have removed the actual API key ;) -- but it works with no problems at all and returns a correctly parsed JSON object. As you can see, the API key must be passed in the header as 'hibp-api-key: <API KEY>'.

    # This works fine
    wget --quiet -O- 'https://haveibeenpwned.com/api/v3/breachedaccount/someemail@somewhere.com?truncateResponse=false' \
        --header='hibp-api-key: SAMPLEKEY' \
        | jq -r '.[] | [.Name, .DataClasses[]] | @csv'

This perl code does NOT work, returns a 403 error.

    #!/usr/bin/perl
    require LWP::UserAgent;
    require HTTP::Request;

    my $address = shift or die "Enter an email address to check\n";
    my $APIKEY = 'SAMPLEKEY';

    my $ua = LWP::UserAgent->new;
    my $url = 'https://haveibeenpwned.com/api/v3/breachedaccount/';
    my $header = [ 'hibp-api-key' => $APIKEY ];

    $request = HTTP::Request->new( 'GET', $url . $address . '?truncateResponse=false', $header );
    print $request->as_string;

    my $resp = $ua->request($request);
    print $resp->as_string;

Output of that perl:

    # ./checkpwn.pl someemail@somewhere.com
    GET https://haveibeenpwned.com/api/v3/breachedaccount/someemail@somewhere.com?truncateResponse=false
    Hibp-Api-Key: <SAMPLEKEY>

    HTTP/1.1 403 Forbidden
    Cache-Control: max-age=10
    Connection: close
    Date: Tue, 14 Jan 2020 00:33:08 GMT
    Server: cloudflare
    Content-Type: text/plain; charset=UTF-8
    Expires: Tue, 14 Jan 2020 00:33:18 GMT
    CF-RAY: 554b844d8c61f4b2-YVR
    Client-Date: Tue, 14 Jan 2020 00:33:08 GMT
    Client-Peer: 104.18.172.13:443
    Client-Response-Num: 1
    Client-SSL-Cert-Issuer: /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO ECC Domain Validation Secure Server CA 2
    Client-SSL-Cert-Subject: /OU=Domain Control Validated/OU=PositiveSSL Multi-Domain/CN=ssl767795.cloudflaressl.com
    Client-SSL-Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
    Client-SSL-Socket-Class: IO::Socket::SSL
    Client-Transfer-Encoding: chunked
    Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    Set-Cookie: __cfduid=da914544ec647170750f29b53abed85cf1578961988; expires=Thu, 13-Feb-20 00:33:08 GMT; path=/; domain=.haveibeenpwned.com; HttpOnly; SameSite=Lax
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    X-Content-Type-Options: nosniff

    error code: 1010

Seems like the header is there as it should be in the output, so I have no idea why this wouldn't work... Please enlighten me, monks!

Thank you,
JS
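An added diagnostic example, not part of the original post: it shows that the request printed before sending is not what LWP hands to the transport, because LWP adds its default `User-Agent` (`libwww-perl/...`) only when the request is sent. The HIBP API documentation requires a user agent naming the consuming app; that the default agent is what triggered this 403 is an assumption the post itself does not establish. The agent string `checkpwn.pl/0.1` and the helper `wire_request` are hypothetical names.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use HTTP::Response;

# Constructed sample values, same shape as in the post; nothing is sent to the network.
my $url    = 'https://haveibeenpwned.com/api/v3/breachedaccount/someemail@somewhere.com?truncateResponse=false';
my $APIKEY = 'SAMPLEKEY';

# Return (request as printed before sending, request as handed to the transport).
# The request_send handler runs after LWP has added its default headers;
# returning a response from it stops processing before any connection is made.
sub wire_request {
    my ($ua) = @_;
    my $captured;
    $ua->add_handler(
        request_send => sub {
            my ($request) = @_;
            $captured = $request->as_string;
            return HTTP::Response->new( 200, 'OK (stub, no network)' );
        }
    );
    my $request = HTTP::Request->new( 'GET', $url, [ 'hibp-api-key' => $APIKEY ] );
    my $before  = $request->as_string;    # what the script in the post printed
    $ua->request($request);
    return ( $before, $captured );
}

# 1. Default agent, as in the post: User-Agent appears only in the second dump.
my ( $before, $sent ) = wire_request( LWP::UserAgent->new );
print "--- printed before sending ---\n$before";
print "--- handed to the transport ---\n$sent";

# 2. Agent set to the name of the consuming script (hypothetical name/version).
my $ua = LWP::UserAgent->new;
$ua->agent('checkpwn.pl/0.1');
( undef, $sent ) = wire_request($ua);
print "--- with an explicit agent ---\n$sent";
```

Comparing the second dump with the headers wget sends is a quick way to find which header an edge filter is reacting to.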