Authorization token missing in the API on rc3 #3772

Closed
kushaldas opened this issue Sep 3, 2018 · 4 comments
Comments

@kushaldas
Contributor

kushaldas commented Sep 3, 2018

Description

If we make API calls to the rc3 production VMs, the journalist application is not getting the Authorization header field.

Steps to Reproduce

Make sure you have the Tor service running on your host and have added the HidServAuth token to your torrc file so you can access the journalist interface. Also run create-dev-data.py on the server to add some test data and the journalist account.

To execute the following script, create a Python 3 virtualenv and then install the following 3 packages:

pip install requests[socks] requests pyotp pysocks

Then save and execute the following script, after filling in the right onion address for the server.

import requests
import pyotp


def main():
    # Route everything through the local Tor SOCKS proxy; the "socks5h" scheme
    # makes Tor resolve the .onion name instead of the local resolver.
    proxies = {"http": "socks5h://127.0.0.1:9050", "https": "socks5h://127.0.0.1:9050"}
    # TOTP secret for the test journalist account used above
    totp = pyotp.TOTP("JHCOGO7VCER3EJ4L")
    user_data = {
        "username": "journalist",
        "passphrase": "correct horse battery staple profanity oil chewy",
        "one_time_code": str(totp.now()),
    }

    # Obtain an API token; json= serialises the body and sets Content-Type.
    r = requests.post(
        "http://SERVER.onion/api/v1/token",
        json=user_data,
        proxies=proxies,
    )

    token = r.json()
    print(token)
    # Authenticated call: the token is sent in the Authorization header.
    headers = {
        "Authorization": "token " + token["token"],
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    r = requests.get("http://SERVER.onion/api/v1/sources", headers=headers, proxies=proxies)
    print(r.text)


if __name__ == "__main__":
    main()

Expected Behavior

We should be able to access any of the authenticated API calls, and in this example we should get a list of sources.

Actual Behavior

The server returns the following error message.

{"error":"Forbidden","message":"API token not found in Authorization header."}


@kushaldas
Contributor Author

Apache is somehow dropping the Authorization header field on the production server.

@kushaldas
Contributor Author

When I tried to view the available headers on the server:

[Mon Sep 03 07:41:21.024633 2018] [:error] [pid 4535:tid 4061699364608]User-Agent: python-requests/2.19.1\r
[Mon Sep 03 07:41:21.024683 2018] [:error] [pid 4535:tid 4061699364608] Connection: keep-alive\r
[Mon Sep 03 07:41:21.024691 2018] [:error] [pid 4535:tid 4061699364608] Host: SEVER.onion\r
[Mon Sep 03 07:41:21.024696 2018] [:error] [pid 4535:tid 4061699364608] Accept: application/json\r
[Mon Sep 03 07:41:21.024700 2018] [:error] [pid 4535:tid 4061699364608] Content-Type: application/json\r
[Mon Sep 03 07:41:21.024705 2018] [:error] [pid 4535:tid 4061699364608] Accept-Encoding: gzip, deflate\r
[Mon Sep 03 07:41:21.024710 2018] [:error] [pid 4535:tid 4061699364608] \r

@kushaldas
Contributor Author

If I create a dev environment using make dev, then create an onion service pointing to localhost:8081 and try to execute the same script against that server, it works fine as expected.

@kushaldas
Contributor Author

The cause behind this bug is mentioned at http://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration

Note that if deploying to Apache using mod_wsgi, the authorization header is not passed through to a WSGI application by default, as it is assumed that authentication will be handled by Apache, rather than at an application level.

I will now submit a PR.
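The header dump earlier in the thread shows the request reaching Apache without its Authorization line, and the linked Django REST framework page gives the remedy for that deployment: the mod_wsgi directive `WSGIPassAuthorization On`, which makes Apache forward the header to the application as the WSGI environ key `HTTP_AUTHORIZATION`. The script below is an added example, not SecureDrop code or code from the issue: a small WSGI app that returns the same 403 body as the issue when that key is absent and otherwise echoes the headers it actually received, so it can be dropped behind the same Apache/mod_wsgi configuration to confirm whether the header arrives before and after the directive is set. The two environ dictionaries, the token value and the port are constructed for illustration.

```python
"""Diagnose whether the Authorization header reaches a WSGI application.

Added example, not SecureDrop code. Under Apache mod_wsgi the header is
only visible to the application as environ["HTTP_AUTHORIZATION"] when
`WSGIPassAuthorization On` is set; otherwise Apache strips it first.
"""
import json
from typing import Dict, Optional, Tuple
from wsgiref.simple_server import make_server

# Same JSON body the SecureDrop journalist API returned in the issue.
FORBIDDEN = {"error": "Forbidden",
             "message": "API token not found in Authorization header."}


def wsgi_headers(environ: Dict[str, str]) -> Dict[str, str]:
    """Recover request headers from a WSGI environ (HTTP_USER_AGENT -> User-Agent)."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = value
        elif key in ("CONTENT_TYPE", "CONTENT_LENGTH") and value:
            # WSGI exposes these two without the HTTP_ prefix.
            headers[key.replace("_", "-").title()] = value
    return headers


def api_token(environ: Dict[str, str]) -> Optional[str]:
    """Return the value from 'Authorization: token <value>', or None if missing/malformed."""
    raw = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, value = raw.strip().partition(" ")
    if scheme.lower() != "token" or not value:
        return None
    return value


def echo_app(environ, start_response):
    """WSGI app: 403 with the issue's error body when no token arrived, otherwise
    200 with the headers the application actually saw, to compare with the client."""
    token = api_token(environ)
    if token is None:
        start_response("403 Forbidden", [("Content-Type", "application/json")])
        return [json.dumps(FORBIDDEN).encode()]
    body = {"token_seen": token, "headers": wsgi_headers(environ)}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(body).encode()]


def call(app, environ: Dict[str, str]) -> Tuple[str, dict]:
    """Invoke a WSGI app offline and return (status line, decoded JSON body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


def serve(port: int = 8081) -> None:
    """Run echo_app on localhost so a real Apache/mod_wsgi or proxy can be put in front."""
    make_server("127.0.0.1", port, echo_app).serve_forever()


# Constructed environs mirroring the two deployments described in the issue.
# Dev server (no Apache in the path): the header arrives as HTTP_AUTHORIZATION.
DEV_ENVIRON = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/v1/sources",
               "HTTP_HOST": "SERVER.onion", "HTTP_ACCEPT": "application/json",
               "HTTP_USER_AGENT": "python-requests/2.19.1",
               "HTTP_AUTHORIZATION": "token deadbeef"}  # constructed token value
# mod_wsgi without WSGIPassAuthorization On: identical request, header gone.
PROD_ENVIRON = {k: v for k, v in DEV_ENVIRON.items() if k != "HTTP_AUTHORIZATION"}

if __name__ == "__main__":
    print(call(echo_app, DEV_ENVIRON))   # 200 OK, Authorization listed in headers
    print(call(echo_app, PROD_ENVIRON))  # 403 Forbidden, the issue's error body
```

To use it against a real deployment, run `serve()` and point the same Apache/mod_wsgi (or Tor onion service) configuration at port 8081; a 403 with the body above from a client that did send the header means the header is being dropped in front of the application, which is exactly the symptom in this issue.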

kushaldas added a commit to kushaldas/securedrop that referenced this issue Sep 4, 2018
If deploying to Apache using mod_wsgi, the authorization header is not passed
through to a WSGI application by default, as it is assumed that
authentication will be handled by Apache, rather than at an application
level.

See http://www.django-rest-framework.org/api-guide/authentication/#apache-mod_wsgi-specific-configuration
for more details.
conorsch pushed a commit to kushaldas/securedrop that referenced this issue Sep 4, 2018
@emkll mentioned this issue Sep 4, 2018
emkll pushed a commit that referenced this issue Sep 4, 2018

(cherry picked from commit 2aecf1c)
emkll added a commit that referenced this issue Sep 4, 2018
[0.9.0] Fixes #3772, allows Authorization header to pass
conorsch added a commit that referenced this issue Sep 5, 2018
…on_header

Fixes #3772, allows Authorization header to pass