aiohttp filtering out "Authorization" header #648

Closed
riccardocagnasso opened this issue Nov 28, 2015 · 5 comments · Fixed by #649

@riccardocagnasso

Apparently aiohttp is filtering out the "Authorization" header in aiohttp.wsgi:69 in create_wsgi_environ.

This bug was found while using aiopyramid + jwtauth; you can find more details (and an example project) on housleyjk/aiopyramid#14.

@redixin
Contributor

redixin commented Nov 28, 2015

It seems it's my bad. According to the WSGI and CGI specs, the AUTHORIZATION header should be removed, but:

In our case, the server does not handle any basic auth stuff, so this header may only be handled at application level, so aiohttp should not remove it.

@riccardocagnasso
Author

Well, it's very likely that the authorization is handled at application level in any case. I wonder what the rationale behind that spec is.

Anyway, thanks.

@redixin
Contributor

redixin commented Nov 28, 2015

@riccardocagnasso it is often handled by the webserver (nginx `auth_basic` and `auth_basic_user_file`, apache `AuthType` and `AuthUserFile`). In this case the webserver removes the raw AUTHORIZATION header and may add its own header, like HTTP_REMOTE_USER.

@riccardocagnasso
Author

Yes, of course, but that's always optional because you can only go so far with basic authentication.
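
Added example (not aiohttp's code and not part of the original thread): a simplified header-to-environ mapping that shows both behaviours discussed above, dropping `Authorization` when a front end has already authenticated the request and passing it through as `HTTP_AUTHORIZATION` when only the application can verify it. `build_environ`, `server_handles_auth` and `verify_basic` are hypothetical names, and the request data is constructed.

```python
import base64

# CGI exposes these two headers through dedicated variables, not HTTP_* keys.
DEDICATED = {"CONTENT-TYPE": "CONTENT_TYPE", "CONTENT-LENGTH": "CONTENT_LENGTH"}

# Constructed sample requests (token and credentials are made up).
BEARER_REQUEST = [("Host", "app.example"), ("Content-Type", "application/json"),
                  ("Authorization", "Bearer constructed.jwt.value")]
BASIC_REQUEST = [("Host", "app.example"),
                 ("Authorization", "Basic " + base64.b64encode(b"alice:s3cret").decode())]


def build_environ(headers, server_handles_auth=False, verify_basic=None):
    """Map request headers to CGI/WSGI-style environ keys (hypothetical helper).

    server_handles_auth=True models a front end that authenticates the
    request itself: it consumes Authorization and exposes only AUTH_TYPE
    and REMOTE_USER. With False, nothing upstream has checked the request,
    so the header is passed through for the application to verify.
    """
    environ = {}
    for name, value in headers:
        key = name.upper()
        if key in DEDICATED:
            environ[DEDICATED[key]] = value
        elif key == "AUTHORIZATION" and server_handles_auth:
            # Raw credentials never reach the application in this mode.
            scheme, _, param = value.partition(" ")
            if scheme.lower() != "basic" or verify_basic is None:
                continue  # a scheme the server cannot check is lost (the reported symptom)
            try:
                decoded = base64.b64decode(param, validate=True).decode("utf-8")
            except ValueError:
                continue  # malformed credentials: expose nothing
            user, _, password = decoded.partition(":")
            if verify_basic(user, password):
                environ["AUTH_TYPE"] = "Basic"
                environ["REMOTE_USER"] = user
        else:
            environ["HTTP_" + key.replace("-", "_")] = value
    return environ
```

With `server_handles_auth=True`, the bearer request arrives at the application with no credentials and no `REMOTE_USER`, which is the situation an application-level JWT check cannot recover from.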

@lock

lock bot commented Oct 29, 2019

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there are important points made in this discussion,
please include those excerpts in that new issue.

@lock lock bot added the outdated label Oct 29, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Oct 29, 2019