Missing Authorization Header in production only

Question

I have the following workflow:

I have an api/token [POST] endpoint that takes form-data (email and password) and returns an access token and a refresh token.

Then I have another endpoint, api/users/info [GET] (with the header 'Authorization': 'Bearer ...'), that returns user information. When testing locally, both endpoints work.

When testing against my deployed server, only the token-fetching one works.

Here is the code for the api/users/info:

from flask import Blueprint, jsonify
from flask_jwt_extended import fresh_jwt_required, get_jwt_identity

# API_BP, SDB (the SQLAlchemy instance) and the User model are defined elsewhere
# in the app; the blueprint is shown here with the '/api' prefix the URLs imply.
API_BP = Blueprint('api', __name__, url_prefix='/api')


@API_BP.route('/users/info', methods=['GET'])
@fresh_jwt_required  # flask-jwt-extended 3.x: a *fresh* access token is required
def users_info():
    # the identity claim set when api/token issued the access token (the email)
    user_identity = get_jwt_identity()
    curr_user = (SDB.session.query(User)
                 .filter_by(email=user_identity).one_or_none())
    return jsonify({
        'greeting': 'Hello, World!',
        'foo': 'bar',
    })

Moreover, here are my configs:

JWT_TOKEN_LOCATION = ['cookies', 'headers']
JWT_COOKIE_CSRF_PROTECT = True
JWT_COOKIE_SECURE = True 
JWT_ACCESS_COOKIE_NAME = "my_access_cookie"
JWT_REFRESH_COOKIE_NAME = "my_refresh_cookie"
JWT_ACCESS_CSRF_COOKIE_NAME = "my_csrf_access_token"
JWT_REFRESH_CSRF_COOKIE_NAME = "my_csrf_refresh_token"
JWT_ACCESS_CSRF_HEADER_NAME = "X-MY-TOKEN"

The error I am getting is:

{
    "msg": "Missing JWT in cookies or headers (Missing cookie \"my_access_cookie\"; Missing Authorization Header)"
}

I'm using Postman to hit these endpoints. I have the token received from api/token set under Authorization. Here is what that looks like in Python:

import requests

url = "http://my_url.com/api/users/info"

payload = {}
headers = {
  # access token returned by api/token, as pasted in the question
  'Authorization': 'Bearer eyJ0eXAiOiJKV1QiLCJhrtyuzI1NiJ9.eyJpYXQiOjE2MjU5MTg0MTEsIm5iZiI6MTYyNTkxODQxMSwianRpfghZi00YTcyLWIxZTYtZGMxYTRjNDhkOThhIiwiZXhwIjoxNjI1OTE5NjExLCJpZGVudGl0eSI6ImFsZnJlZG9Adml2ZWJlbmVmaXRzLmNvbSIsImZyZXNoIjp0cnVlLCsdfghXBlIjoiYWNjZXNzIiwiY3NyZiI6ImQyNTQ0NjY0LTFlOGUtNDY5NS1hY2I4LTE2MzIxMDZlNDY0MiJ9.WT-EWlMtZZKoNyiXYxa3xdfghjg7r7ys'
}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text.encode('utf8'))

What can I do to ensure the second request (the GET) works in prod?

Tags: python, jwt, flask-jwt-extended, flask-jwt

Answer

If you are using mod_wsgi in production, you may need to make sure the WSGIPassAuthorization On configuration option is enabled. Depending on the software you use to run the Flask application in prod (Apache/nginx/uwsgi/unicorn/etc.), there may be a similar option.
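The answer above points at the usual cause: the Authorization header is received by the web server but never handed to the application. A quick way to confirm that in production is a tiny diagnostic endpoint that reports whether the header made it into the WSGI environ (where Flask's request.headers reads it from, as HTTP_AUTHORIZATION) without echoing the token itself. The following is an added example, not code from the question or the answer; the probe path, the pure-WSGI app and the constructed sample tokens are assumptions, and nothing here verifies a JWT.

```python
import json
from wsgiref.util import setup_testing_defaults


def authorization_status(environ):
    """Describe how the Authorization header reached the WSGI layer.

    WSGI exposes request headers as CGI-style environ keys, so a client's
    'Authorization: Bearer ...' shows up as environ['HTTP_AUTHORIZATION'] only
    if the server in front of the app forwards it. mod_wsgi drops it unless
    'WSGIPassAuthorization On' is set, which is exactly the local-vs-prod
    difference this question describes. The token value is never returned.
    """
    raw = environ.get("HTTP_AUTHORIZATION")
    status = {
        "authorization_present": raw is not None,
        "scheme": None,
        "looks_like_jwt": False,
        # lets you see which server (e.g. mod_wsgi, gunicorn) handled the request
        "server_software": environ.get("SERVER_SOFTWARE", ""),
    }
    if raw:
        scheme, _, credential = raw.partition(" ")
        status["scheme"] = scheme
        # a JWT is three base64url segments joined by '.', so a Bearer value with
        # exactly two dots at least has the right shape (no signature check here)
        status["looks_like_jwt"] = (scheme.lower() == "bearer"
                                    and credential.count(".") == 2)
    return status


def auth_probe_app(environ, start_response):
    """Diagnostic WSGI endpoint (hypothetical path, e.g. /api/debug/auth-probe).

    Mount it beside the Flask app in the same WSGI file, hit it with the same
    request you send to api/users/info, and compare local vs prod output.
    Remove it again once the front-end configuration is fixed.
    """
    body = json.dumps(authorization_status(environ)).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def run_probe(extra_environ):
    """Call auth_probe_app in-process with a constructed environ.

    Returns (status line, decoded JSON body). Useful for seeing what the app
    observes when the header is present versus stripped by the front-end.
    """
    environ = {}
    setup_testing_defaults(environ)
    environ.update(extra_environ)
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"] = status

    chunks = auth_probe_app(environ, start_response)
    return captured["status"], json.loads(b"".join(chunks).decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: a Bearer value with the three-segment JWT shape.
    forwarded = {"HTTP_AUTHORIZATION": "Bearer aaa.bbb.ccc"}
    print("header forwarded :", run_probe(forwarded)[1])
    # What the app sees when mod_wsgi (WSGIPassAuthorization Off) drops it.
    print("header stripped  :", run_probe({})[1])
```

If the probe reports authorization_present false in prod while the same request shows true locally, the header is being stripped before the application, and the fix belongs in the server configuration (for mod_wsgi, WSGIPassAuthorization On), not in the Flask-JWT-Extended settings.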
