python - Missing Authorization Header in production only
Problem description
I have the following workflow:
I have an api/token [POST] that takes form-data (email and password) and returns an access token and a refresh token.
Then I have another endpoint api/users/info [GET] (with Headers 'Authorization': 'Bearer ...') that returns user information. When testing locally both endpoints work.
When testing against my deployed server, only the token-fetching one works.
Here is the code for the api/users/info:
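from flask import jsonify
from flask_jwt_extended import fresh_jwt_required, get_jwt_identity

# API_BP (blueprint), SDB (database handle) and User (model) are defined elsewhere in the app.
@API_BP.route('/users/info', methods=['GET'])
@fresh_jwt_required
def users_info():
    # The JWT identity is the user's email, which is used for the lookup below.
    user_identity = get_jwt_identity()
    curr_user = (SDB.session.query(User)
                 .filter_by(email=user_identity).one_or_none())
    return jsonify({
        'greeting': 'Hello, World!',
        'foo': 'bar',
    })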
Moreover, here are my configs:
JWT_TOKEN_LOCATION = ['cookies', 'headers']
JWT_COOKIE_CSRF_PROTECT = True
JWT_COOKIE_SECURE = True
JWT_ACCESS_COOKIE_NAME = "my_access_cookie"
JWT_REFRESH_COOKIE_NAME = "my_refresh_cookie"
JWT_ACCESS_CSRF_COOKIE_NAME = "my_csrf_access_token"
JWT_REFRESH_CSRF_COOKIE_NAME = "my_csrf_refresh_token"
JWT_ACCESS_CSRF_HEADER_NAME = "X-MY-TOKEN"
The error I am getting is:
{
    "msg": "Missing JWT in cookies or headers (Missing cookie \"my_access_cookie\"; Missing Authorization Header)"
}
I'm using Postman to hit these endpoints. I have the Token received by api/token set under authorization. Here is what that looks like in Python:
import requests
url = "http://my_url.com/api/users/info"
payload = {}
headers = {
'Authorization': 'Bearer eyJ0eXAiOiJKV1QiLCJhrtyuzI1NiJ9.eyJpYXQiOjE2MjU5MTg0MTEsIm5iZiI6MTYyNTkxODQxMSwianRpfghZi00YTcyLWIxZTYtZGMxYTRjNDhkOThhIiwiZXhwIjoxNjI1OTE5NjExLCJpZGVudGl0eSI6ImFsZnJlZG9Adml2ZWJlbmVmaXRzLmNvbSIsImZyZXNoIjp0cnVlLCsdfghXBlIjoiYWNjZXNzIiwiY3NyZiI6ImQyNTQ0NjY0LTFlOGUtNDY5NS1hY2I4LTE2MzIxMDZlNDY0MiJ9.WT-EWlMtZZKoNyiXYxa3xdfghjg7r7ys'
}
response = requests.request("GET", url, headers=headers, data=payload)
print(response.text.encode('utf8'))
What can I do to ensure the second request GET works in prod?
Solution
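If you are using mod_wsgi in production, you may need to make sure the WSGIPassAuthorization On configuration option is enabled. Depending on what software you are using to run your Flask app in prod (Apache/nginx/uwsgi/unicorn/etc), there may be a similar option.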
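An added diagnostic, not part of the original answer or of Flask-JWT-Extended: a stdlib-only WSGI app that reports whether the Authorization header reached the application, plus a wrapper that models a front end dropping it. The names auth_probe_app, drop_authorization and probe, and the /auth-probe path, are assumptions made for illustration.

```python
import json
from wsgiref.util import setup_testing_defaults


def auth_probe_app(environ, start_response):
    """Report whether an Authorization header reached the WSGI app.

    Only the scheme and credential length are returned, never the token.
    """
    raw = environ.get("HTTP_AUTHORIZATION")  # WSGI key for the Authorization header
    report = {"authorization_present": raw is not None}
    if raw is not None:
        scheme, _, credential = raw.partition(" ")
        report["scheme"] = scheme
        report["credential_length"] = len(credential.strip())
    body = json.dumps(report).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def drop_authorization(app):
    """Assumption: models a front end that does not forward the header."""
    def middleware(environ, start_response):
        kept = {k: v for k, v in environ.items() if k != "HTTP_AUTHORIZATION"}
        return app(kept, start_response)
    return middleware


def probe(app, headers):
    """Call a WSGI app in-process with the given headers; return its JSON."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = "/auth-probe"  # hypothetical path
    for name, value in headers.items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    chunks = app(environ, lambda status, hdrs, exc_info=None: None)
    return json.loads(b"".join(chunks))


if __name__ == "__main__":
    sample = {"Authorization": "Bearer constructed.sample.token"}  # constructed
    print("direct:        ", probe(auth_probe_app, sample))
    print("header dropped:", probe(drop_authorization(auth_probe_app), sample))
```

Served temporarily behind the production front end, a probe like this returns "authorization_present": false when the header is removed before it reaches the app, which corresponds to the "Missing Authorization Header" part of the error in the question.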