Message7843
I was just bitten hard by the new behavior that not all header checks for REST can be turned off in the config.ini: I'm always getting::

    { "error": { "status": 400, "msg": "Required Header Missing" } }
Unfortunately I've not found anything about this in any of the upgrading docs.
Looks like the 'Origin' header check is hard-coded in roundup/cgi/client.py for the API, in handle_rest we have::

    if not self.is_origin_header_ok(api=True):
        if 'HTTP_ORIGIN' not in self.env:
            msg = self._("Required Header Missing")
        else:
            msg = self._("Client is not allowed to use Rest Interface.")
        # Use code 400. Codes 401 and 403 imply that authentication
        # is needed or authenticated person is not authorized.
        # Preflight doesn't do authentication.
        output = s2b(
            '{ "error": { "status": 400, "msg": "%s" } }' % msg)
        self.reject_request(output,
                            message_type="application/json",
                            status=400)
        return
So this does not use the csrf_enforce_header_origin in the config.
From the comments it looks like this might be intended to only be hit on a preflight check. But it is hit any time a POST is issued to the tracker. Even when authenticated. I'm using Kerberos Authentication behind an apache2 webserver.
Is this intentional?
I can see why one would enforce at least one header with REST but unfortunately I have a very important legacy app that I have no influence on.
Date | User | Action | Args
2023-10-09 11:43:43 | schlatterbeck | set | recipients: + schlatterbeck, rouilj, Heiko
2023-10-09 11:43:43 | schlatterbeck | set | messageid: <1696851823.07.0.447405379261.issue2551294@roundup.psfhosted.org>
2023-10-09 11:43:43 | schlatterbeck | link | issue2551294 messages
2023-10-09 11:43:42 | schlatterbeck | create |
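The behaviour described in the message above, as an added example that is not part of the original post and not Roundup's own code: a small WSGI model of the API-side Origin gate (missing header gives 400 "Required Header Missing", a foreign origin gives 400 "Client is not allowed to use Rest Interface.", and authentication via REMOTE_USER does not matter), next to the two ways a legacy client can be made to pass it. The accepted-origin rule (the Origin must equal the tracker's own scheme://host), the tracker URL, the Kerberos principal and the request path are all assumptions chosen for the example; the real `is_origin_header_ok` may apply a different rule.

```python
import json
from urllib.parse import urlsplit
from wsgiref.util import setup_testing_defaults

# Constructed for this example: the tracker's own base URL and the Kerberos
# principal of the legacy application that cannot set request headers.
TRACKER_URL = "https://tracker.example.org/demo/"
LEGACY_PRINCIPAL = "legacyapp@EXAMPLE.ORG"


def origin_of(url):
    """scheme://host[:port], which is what a browser puts in an Origin header."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"


def rest_origin_gate(environ):
    """Model of the api=True check quoted in the post. Assumed rule: the
    header must be present and equal the tracker's own origin. Whether the
    request is authenticated (REMOTE_USER) is deliberately not consulted.
    Returns None when the request may proceed, else (status, json_body)."""
    origin = environ.get("HTTP_ORIGIN")
    if origin is None:
        msg = "Required Header Missing"
    elif origin == origin_of(TRACKER_URL):
        return None
    else:
        msg = "Client is not allowed to use Rest Interface."
    return 400, json.dumps({"error": {"status": 400, "msg": msg}})


def rest_app(environ, start_response):
    """Stand-in for handle_rest: run the gate, then answer a dummy 200."""
    rejected = rest_origin_gate(environ)
    if rejected:
        status, body = rejected
        start_response("400 Bad Request", [("Content-Type", "application/json")])
        return [body.encode()]
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"data": "ok"}']


def inject_origin_for_legacy_client(app, principal, origin):
    """Proxy-side workaround (hypothetical): add an Origin header only when
    Kerberos has already identified the legacy client (REMOTE_USER) and the
    request carries no Origin of its own. Every other request is passed
    through unchanged, so browser sessions keep the CSRF protection."""
    def wrapped(environ, start_response):
        if environ.get("REMOTE_USER") == principal and "HTTP_ORIGIN" not in environ:
            environ["HTTP_ORIGIN"] = origin
        return app(environ, start_response)
    return wrapped


def call(app, method="POST", user=None, origin=None):
    """Drive a WSGI app offline; return (status_code, parsed JSON body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = "/demo/rest/data/issue"   # constructed path
    if user is not None:
        environ["REMOTE_USER"] = user
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = int(status.split()[0])

    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    # Authenticated POST without Origin: rejected, as reported in the post.
    print(call(rest_app, user=LEGACY_PRINCIPAL))
    # Client-side fix: send an Origin derived from the tracker URL.
    print(call(rest_app, user=LEGACY_PRINCIPAL, origin=origin_of(TRACKER_URL)))
    # Proxy-side fix, scoped to the legacy principal only.
    guarded = inject_origin_for_legacy_client(rest_app, LEGACY_PRINCIPAL, origin_of(TRACKER_URL))
    print(call(guarded, user=LEGACY_PRINCIPAL))
    print(call(guarded, user="someone@EXAMPLE.ORG"))
```

The client-side fix is the safe one: the Origin header is cheap to add and leaves the tracker's CSRF defence intact. The proxy-side injection is a workaround for a client that cannot be changed; because it makes the gate pass for every request it touches, it must be conditioned on something the attacker cannot forge (here the Kerberos-set REMOTE_USER, optionally also the source address), never applied unconditionally. The same scoping applies if the injection is done in Apache with mod_headers instead of Python.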