View Issue Details

ID: 0026365
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2023-10-14 12:28
Reporter: polzin
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.22.1
Target Version: 2.25.8
Fixed in Version: 2.25.8
Summary: 0026365: Missing Authorization header in REST API causing requests to fail
Description

On trying out the REST API, all requests were answered with "401 API token required", although the Authorization token was transmitted.
Adding the line

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

in $MANTISROOT/api/rest/.htaccess, as suggested by https://devblog.cyotek.com/post/restoring-missing-authorization-header-when-using-php, fixed the issue.

EDIT (dregad): fixed URL to blog article; markdown formatting.

Additional Information
diff --git a/api/rest/.htaccess b/api/rest/.htaccess
index 6b27d11..7b3007e 100644
--- a/api/rest/.htaccess
+++ b/api/rest/.htaccess
@@ -1,4 +1,5 @@
 # Based on Slim Framework recommendation @ http://docs.slimframework.com/routing/rewrite/
+SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteRule ^ index.php [QSA,L]
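Review bot: the added `SetEnvIf` line carries no comment saying why it is there, and the file's only comment ("Based on Slim Framework recommendation ...") does not cover it; whoever trims this file later may drop the line and bring back the "401 API token required" failure from the issue description. Suggest a comment directly above it, e.g. `# Pass the Authorization header through to PHP as HTTP_AUTHORIZATION, otherwise the REST API answers 401`. Two points worth stating in that comment as well: the pattern `.+` copies the whole header value (`$0`), whatever authentication scheme it carries, into the environment; and the directive comes from mod_setenvif, so on a server without that module the whole .htaccess fails with an "Invalid command" error for every request (the same failure mode the thread below reports for CGIPassAuth). That is the trade-off to weigh against wrapping it in `<IfModule mod_setenvif.c>`, where a missing module would instead silently reproduce the 401.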
Tags: No tags attached.

Activities

dregad (developer)
2023-05-05 09:14   ~0067739

Could you please check if adding CGIPassAuth On [1] to your .htaccess or conf file instead of the SetEnvIf directive fixes the problem?

dregad (developer)
2023-05-15 04:34   ~0067750

polzin,

You did not provide any feedback; I am therefore resolving this issue as "no change required".

Feel free to reopen the issue at a later time and provide the requested information.

polzin (reporter)
2023-06-05 06:59   ~0067825
Last edited: 2023-06-05 07:04

Sorry for the delay.
My test results:
If either CGIPassAuth On or SetEnvIf ... is in .htaccess it works.
Without either of them, as in the current master, it doesn't work.

curl -v results:

    > Authorization: 8qpg8He_atuoIQH5uMH8wRtam5tInXXX
    >
    < HTTP/1.1 401 API token required

vs.

    > Authorization: 8qpg8He_atuoIQH5uMH8wRtam5tInXXX
    >
    < HTTP/1.1 200 OK

dregad (developer)
2023-06-06 03:26   ~0067829

Thanks for the feedback, I'll fix this in the next hotfix release.

richardmoss (reporter)
2023-06-18 03:30   ~0067848

Hello,

Firstly, thanks for posting a notification on the original blog article. I didn't think this was a bug with MantisBT itself, so I never reported it here, unlike some of the other issues I raised at the time.

I tested this new way, but it didn't work for me - the logs showed

    [core:alert] <path>/api/rest/.htaccess: Invalid command 'CGIPassAuth', perhaps misspelled or defined by a module not included in the server configuration

PHP version: 8.2.7 running under Plesk (Obsidian?) as a "Dedicated FPM application served by Apache" (I also tried ...served by nginx, same error)

Apparently CGIPassAuth was added in Apache 2.4.13, which appears to be from quite a few years back, and I can't see the Apache version I'm using being that old, but I can't tell the version and my SSH connection is closing as soon as I try to log in to check. I'll contact my host and see if they can tell me (as well as look into the SSH issue!).

Regardless though, I guess it is an environment problem as opposed to something with MantisBT, but thought I'd follow up anyway.

Regards,
Richard Moss

dregad (developer)
2023-06-19 02:55   ~0067850

> thanks for posting a notification

You're welcome. I thought it would be a good idea since this issue's OP came here after applying your workaround.

> PHP version: 8.2.7

Probably unrelated, but please note that we don't support PHP 8.2 (yet).

> I can't see the Apache version I'm using being that old, but I can't tell the version and my SSH connection is closing as soon as I try to log in to check

Have you tried curl --head http://your.server.com/ or uploading a file with <?php phpinfo(); in it?

Keep us posted

polzin (reporter)
2023-08-29 08:36   ~0068042

I noticed alerts in the error logs.

[Mon Aug 28 23:59:53.777128 2023] [core:alert] [pid 22624:tid 140187749291776] [client XXX:49002] /opt/httpd/XXX/html/mantis/api/rest/.htaccess: CGIPassAuth not allowed here

Still the access works. That makes no sense. For me, I will fall back to the other solution.

dregad (developer)
2023-08-29 09:01   ~0068045

Weird. According to Apache documentation, CGIPassAuth Directive is allowed in .htaccess context.

> [Mon Aug 28 23:59:53.777128 2023] [core:alert] [pid 22624:tid 140187749291776] [client XXX:49002] /opt/httpd/XXX/html/mantis/api/rest/.htaccess: CGIPassAuth not allowed here

If you can spare the time and effort, this may be worth reporting to Apache.

polzin (reporter)
2023-08-29 09:28   ~0068046

> CGIPassAuth Directive is allowed in .htaccess context.

I rechecked and found out:
On some webservers both directives work and one of them is required.

On other webservers, CGIPassAuth is forbidden in .htaccess, and thus only the other directive is allowed and required.

So it seems to me, it's a configuration issue and not an Apache issue.
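Putting the thread's findings together: SetEnvIf works wherever mod_setenvif is loaded, CGIPassAuth needs Apache 2.4.13 or later (otherwise "Invalid command 'CGIPassAuth'"), and in .htaccess it is rejected with "CGIPassAuth not allowed here" unless the directory's AllowOverride permits the AuthConfig group. The configuration below is an added example, not MantisBT's own .htaccess nor this issue's patch; it layers the two directives so that whichever one the server supports takes effect. The path /var/www/mantis is a placeholder for the MantisBT document root, and the AllowOverride groups (AuthConfig for CGIPassAuth, FileInfo for SetEnvIf and mod_rewrite) are taken from the Apache core, mod_setenvif and mod_rewrite documentation.

```apache
# ---- Server or virtual-host configuration (added example, not MantisBT's) ----
# /var/www/mantis is a placeholder for the real MantisBT document root.
<Directory "/var/www/mantis/api/rest">
    # FileInfo lets the .htaccess below use mod_rewrite and SetEnvIf;
    # AuthConfig is the override group CGIPassAuth belongs to. Without it,
    # a CGIPassAuth line in .htaccess is logged as "not allowed here".
    AllowOverride FileInfo AuthConfig

    # Preferred on Apache >= 2.4.13: hand the raw Authorization header to
    # PHP-FPM/CGI as HTTP_AUTHORIZATION. Setting it here, in server context,
    # does not depend on AllowOverride at all. The version guard needs
    # mod_version; if that module is absent, nothing is set here and the
    # SetEnvIf fallback in .htaccess still covers the request.
    <IfModule mod_version.c>
        <IfVersion >= 2.4.13>
            CGIPassAuth On
        </IfVersion>
    </IfModule>
</Directory>

# ---- api/rest/.htaccess (added example) ----
# Portable fallback: re-export the Authorization header as an environment
# variable, which PHP exposes as $_SERVER['HTTP_AUTHORIZATION'].
# Guarded so that a server without mod_setenvif does not reject the whole
# file with "Invalid command" and answer 500 to every request; on such a
# server the header is simply not passed and the 401 from the issue returns.
<IfModule mod_setenvif.c>
    SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
</IfModule>

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [QSA,L]
```

To confirm the header gets through, repeat polzin's check from the thread: send a request with `curl -v -H "Authorization: <your API token>"` against any REST endpoint that requires a token and compare the status line. "HTTP/1.1 200 OK" means PHP received the header; "401 API token required" means the directive in effect is not reaching PHP, and the Apache error log will say whether it was rejected as an unknown command or as "not allowed here".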

Related Changesets

MantisBT: master-2.25 edfc6d6c
2023-06-06 11:11
dregad

REST API .htaccess pass on Authorization headers

Avoids requests failing with HTTP 401 error caused by missing
Authorization header.

Fixes 0026365

Affected Issues: 0026365
mod - api/rest/.htaccess