
[Solved] HTTP Authorization header not forwarding to WSGI app


advaithm


Username: advaithm

Server: Johnny

Main Domain: amsdc.helioho.st

---

The Authorization header is not getting forwarded to my Flask WSGI app.

Steps to reproduce:

  1. Follow these steps to create a Flask app. Note: username is now domain name.
  2. Replace the code in myapp.py with the following:

    from flask import Flask, request

    app = Flask(__name__)

    @app.route("/head/test/", methods=["GET"])
    def head_version():
        # Echo every request header that actually reached the WSGI app
        return str(request.headers)

    if __name__ == "__main__":
        app.run()


  3. Execute the following requests in curl:
    1. This will test HTTP Basic Auth:
      $ curl.exe -u test:password -H "Another: header" -i https://<domain>.helioho.st/flask/head/test/
      
      HTTP/1.1 200 OK
      Server: nginx
      Date: <THE DATE>
      Content-Type: text/html; charset=utf-8
      Content-Length: 176
      Connection: keep-alive
      X-Powered-By: PleskLin
      
      Host: <username>.helioho.st
      X-Real-Ip: <YOUR IP>
      X-Accel-Internal: /internal-nginx-static-location
      Connection: close
      User-Agent: curl/8.0.1
      Accept: */*
      Another: header

      Note that the Another header passed through, but there is no Authorization: Basic header.

    2. The same example can be repeated with Authorization: Bearer for JWTs:

      curl.exe -H "Another: header" -H "Authorization: Bearer 1234" -i https://<DOMAIN>.helioho.st/flask/head/test/
      
      HTTP/1.1 200 OK
      Server: nginx
      Date: <TIME>
      Content-Type: text/html; charset=utf-8
      Content-Length: 176
      Connection: keep-alive
      X-Powered-By: PleskLin
      
      Host: <DOMAIN>.helioho.st
      X-Real-Ip: <YOUR IP>
      X-Accel-Internal: /internal-nginx-static-location
      Connection: close
      User-Agent: curl/8.0.1
      Accept: */*
      Another: header

      The same result occurs, i.e. the Authorization header is filtered.

I request that the filtering of the Authorization header be disabled, as my web application will not work without it passing through.


6 hours ago, Krydos said:

Try putting this in your .htaccess

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]


So, I added it to the htaccess, but the output stays the same. Just sharing my whole .htaccess file for your reference:

flaskTEST/.htaccess

RewriteEngine On
RewriteBase /
RewriteRule ^(flasktest\.wsgi/.*)$ - [L]
RewriteRule ^(.*)$ flaskTEST/flasktest.wsgi/$1 [QSA,PT,L]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

The directory I use is flaskTEST and the WSGI file is flaskTEST.wsgi

An interesting thing I noted is that the .htaccess rule made the header reachable by a PHP script, but not by the WSGI app.

The PHP script is this:

<?php
$headers = apache_request_headers();

echo '<!DOCTYPE html><html><head><meta charset="utf-8"><title>test headers</title></head><body><ul>';
echo "\n\n";
foreach ($headers as $header => $value) {
    echo "<li>$header: $value </li>\n";
}
echo "</ul>\n";
echo '</body></html>';

That script outputted the Authorization header:

<!DOCTYPE html><html><head><meta charset="utf-8"><title>test headers</title></head><body><ul>

<li>Another: header </li>
<li>Accept: */* </li>
<li>User-Agent: curl/8.0.1 </li>
<li>Authorization: Basic c2FtcGxlOmhlYWRlcg== </li>
<li>Host: amsdc.helioho.st </li>
<li>Content-Length:  </li>
<li>Content-Type:  </li>
</ul>
</body></html>

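The check the two posts above are debugging, written up as an added Python example (not code from this thread or from HelioHost): it looks for the credential in the WSGI environ under the standard HTTP_AUTHORIZATION key and under REDIRECT_HTTP_AUTHORIZATION, on the assumption that Apache prefixes a variable set by the mod_rewrite [E=HTTP_AUTHORIZATION:...] flag with REDIRECT_ once the request is internally redirected to the .wsgi file, then validates a Basic header with constant-time comparison. The environs and credentials are constructed for the example.

```python
import base64
import hmac

# Where the credential may turn up in the WSGI environ. HTTP_AUTHORIZATION is
# the normal CGI mapping of the request header. REDIRECT_HTTP_AUTHORIZATION is
# an assumption: Apache renames a variable set by a mod_rewrite [E=...] flag
# with a REDIRECT_ prefix after an internal redirect such as the PT rewrite.
AUTH_ENV_KEYS = ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION")


def find_authorization(environ):
    """Return the raw Authorization value that reached the app, or None."""
    for key in AUTH_ENV_KEYS:
        if environ.get(key):
            return environ[key]
    return None


def parse_basic(header_value):
    """Decode 'Basic <base64>' into (user, password); None if malformed."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def check_basic(environ, expected_user, expected_password):
    """True only if a well-formed Basic header with matching credentials arrived."""
    raw = find_authorization(environ)
    creds = parse_basic(raw) if raw else None
    if creds is None:
        return False
    user, password = creds
    # Compare both fields in constant time and always evaluate both, so timing
    # does not reveal which one mismatched.
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    return user_ok and pass_ok


# Constructed environs mirroring the thread: the header stripped before the app,
# the same request with the header forwarded, and the mod_rewrite variant.
STRIPPED = {"HTTP_HOST": "example.helioho.st", "HTTP_ANOTHER": "header"}
BASIC = "Basic " + base64.b64encode(b"test:password").decode()
FORWARDED = dict(STRIPPED, HTTP_AUTHORIZATION=BASIC)
VIA_REWRITE = dict(STRIPPED, REDIRECT_HTTP_AUTHORIZATION=BASIC)
```

Dropping the header dump from `head_version` into `find_authorization` gives a quick yes/no on whether the proxy chain delivered the credential at all, before any auth logic runs.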

  • Krydos changed the title to [Solved] HTTP Authorization header not forwarding to WSGI app
  • Krydos locked this topic