View Issue Details

ID: 0025362
Project: mantisbt
Category: api rest
View Status: public
Last Update: 2024-03-14 12:41
Reporter: pgiraud
Assigned To: community
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: PC
OS: Debian
OS Version: 9
Target Version: 2.22.0
Fixed in Version: 2.22.0
Summary0025362: REST API support for multiple authorization headers
Description

In my company we use Mantis along with other applications. Our testing infrastructure is behind an nginx proxy with Basic Authentication.

I recently tried to use the Rest API in Mantis. While it works well on our production server, I get rejected with an unauthorized error on the testing instance.

After some digging in the code, it looks like the fact that Mantis relies on the "Authorization" header key is a problem. It conflicts with Basic authentication, which relies on this key as well. The same header key can't be used twice.

As a temporary workaround, I patched api/rest/restcore/AuthMiddleware.php and replaced HEADER_AUTHORIZATION by 'HTTP_APITOKEN' and I'm requesting the API with --header 'APITOKEN:xxxxxxx'.

I would suggest the following changes in the code:

  • look for an 'HTTP_APITOKEN' header,
  • if not empty, compare with available tokens,
  • if empty, look for an 'HTTP_AUTHORIZATION' header,
  • if empty or starts with 'Basic', don't take into account,
  • else compare with available tokens (in order not to break existing apps).

If it sounds good I can provide a PR.

Steps To Reproduce

If you run Apache, I think this can easily be reproduced using Apache and an .htaccess file.
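The lookup order proposed in the description, as an added example that is not MantisBT's AuthMiddleware code: it works on a $_SERVER-style array, where each header name carries exactly one value, so the proxy's Basic credential stays in Authorization and the Mantis token travels in the separate APITOKEN header. The token table, the user id 42 and lookup_token_user() are constructed stand-ins for the api_token table and api_token_get_user(); the token string is a placeholder.

```php
<?php
// Added example (not MantisBT code): the lookup order proposed in the
// description, applied to a $_SERVER-style array where every header name
// holds exactly one value. api_token_get_user() is replaced by a lookup in
// a constructed table; the token string and user id are placeholders.

// Constructed stand-in for the api_token table: token => user id.
const SAMPLE_TOKENS = [
    'xxxxxxx' => 42,
];

// Stand-in for api_token_get_user(): user id for a known token, false otherwise.
// hash_equals() keeps the comparison constant-time, as for any secret.
function lookup_token_user( $p_token ) {
    foreach( SAMPLE_TOKENS as $t_known => $t_user_id ) {
        if( hash_equals( $t_known, $p_token ) ) {
            return $t_user_id;
        }
    }
    return false;
}

// Returns the user id owning the token found in $p_server, or false.
//   1. APITOKEN header present and non-empty: it must match a token.
//   2. Otherwise fall back to Authorization, so existing clients keep working.
//   3. An empty Authorization, or one carrying a Basic credential (the reverse
//      proxy's, not ours), is ignored.
function resolve_api_user( array $p_server ) {
    $t_api_token = trim( $p_server['HTTP_APITOKEN'] ?? '' );
    if( $t_api_token !== '' ) {
        return lookup_token_user( $t_api_token );
    }

    $t_authorization = trim( $p_server['HTTP_AUTHORIZATION'] ?? '' );
    if( $t_authorization === '' ) {
        return false;
    }
    // Scheme names are case-insensitive (RFC 7235 section 2.1), so accept
    // "basic" in any case followed by at least one space.
    if( preg_match( '/^basic\s/i', $t_authorization ) ) {
        return false;
    }
    return lookup_token_user( $t_authorization );
}

// Constructed requests. The proxy credential is user "tester", password "secret".
$t_proxy_basic = 'Basic ' . base64_encode( 'tester:secret' );

$t_cases = [
    'token in APITOKEN, proxy credential in Authorization' => [
        'HTTP_AUTHORIZATION' => $t_proxy_basic,
        'HTTP_APITOKEN'      => 'xxxxxxx',
    ],
    'only the proxy credential' => [
        'HTTP_AUTHORIZATION' => $t_proxy_basic,
    ],
    'legacy client, token in Authorization' => [
        'HTTP_AUTHORIZATION' => 'xxxxxxx',
    ],
    'wrong token in APITOKEN, valid one in Authorization' => [
        'HTTP_AUTHORIZATION' => 'xxxxxxx',
        'HTTP_APITOKEN'      => 'not-a-token',
    ],
];

foreach( $t_cases as $t_label => $t_server ) {
    echo $t_label, ' => ', var_export( resolve_api_user( $t_server ), true ), PHP_EOL;
}
```

The last case follows the proposed order literally: a non-empty APITOKEN is compared and never falls back to Authorization, so a wrong APITOKEN fails even when Authorization holds a valid token. That is the behaviour to settle before writing the PR.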

Tags: No tags attached.

Activities

l2m (reporter) ~0062350, 2019-07-03 11:28, last edited 2019-07-04 20:31

Hi,
I had the same problem because we needed to send two Authentication headers (one for the http server and the token for Mantis).
In api/rest/restcore/AuthMiddleware.php, the getHeaderLine($name) method is used. The documentation page states that "You may also fetch a comma-separated string with all values for a given header" (see http://www.slimframework.com/docs/v3/objects/request.html).
I've tested a workaround by splitting the value and it seems to work.
The getHeader($name) method could be used and we could test each value of the returned array to see if it matches a token.
Code example:

$t_user_id = false;
$t_authorization_header = '';
// getHeader() returns every value sent for the header as an array, so the
// proxy's Basic credential and the Mantis token can both be inspected.
$t_authorization_header_array = $request->getHeader( HEADER_AUTHORIZATION );
foreach( $t_authorization_header_array as $t_value ) {
    $t_user_id = api_token_get_user( $t_value );
    if( $t_user_id !== false ) {
        // First value that matches a known token wins.
        $t_authorization_header = $t_value;
        break;
    }
}

if( $t_user_id === false ) {
    return $response->withStatus( HTTP_STATUS_FORBIDDEN, 'API token not found' );
}
vboctor (manager) ~0062358, 2019-07-04 20:35

I'm leaning towards handling multiple authorization headers with same name if that works for @pgiraud

PRs are welcome.

dregad (developer) ~0068657, 2024-03-14 12:39, last edited 2024-03-14 12:41

Multiple authorization headers are not allowed by the RFC 7235 standard
https://datatracker.ietf.org/doc/html/rfc7235#appendix-C

Authorization = credentials
credentials = auth-scheme [ 1*SP ( token68 / [ ( "," / auth-param ) *( OWS "," [ OWS auth-param ] ) ] ) ]

So this implementation (see PR https://github.com/mantisbt/mantisbt/pull/1528) is in fact not valid.
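To make the grammar point concrete, an added example that is neither MantisBT nor Slim code: it parses an Authorization value against the credentials, token68 and auth-param rules quoted above and applies the parser to constructed values, a Basic credential, a bare token, the comma-joined string that getHeaderLine() returns when two Authorization headers are sent, and a Digest-style auth-param list. The quoted-string rule is simplified (no obs-text), and the token value is a placeholder.

```php
<?php
// Added example (not MantisBT or Slim code): a parser for the RFC 7235
// "credentials" rule quoted above, applied to constructed Authorization values.
// Quoted-string handling is simplified (no obs-text); the token is a placeholder.

// Character classes: tchar (RFC 7230 section 3.2.6) and token68 (RFC 7235 section 2.1).
const RE_TOKEN   = '[!#$%&\'*+\-.^_`|~0-9A-Za-z]+';
const RE_TOKEN68 = '[A-Za-z0-9\-._~+\/]+=*';
const RE_QUOTED  = '"(?:[^"\\\\]|\\\\.)*"';

// Parses one Authorization field value. Returns
//   [ 'scheme' => string, 'token68' => string|null, 'params' => [ name => raw value ] ]
// or null when the value does not match the credentials grammar.
function parse_credentials( $p_value ) {
    $t_value = trim( $p_value ); // surrounding OWS is stripped by the HTTP parser
    // credentials = auth-scheme [ 1*SP ( token68 / [ auth-param list ] ) ]
    if( !preg_match( '/^(' . RE_TOKEN . ')(?: +(\S.*))?$/s', $t_value, $t_m ) ) {
        return null;
    }
    $t_result = [ 'scheme' => $t_m[1], 'token68' => null, 'params' => [] ];
    $t_rest   = isset( $t_m[2] ) ? $t_m[2] : '';
    if( $t_rest === '' ) {
        return $t_result;
    }
    if( preg_match( '/^' . RE_TOKEN68 . '$/', $t_rest ) ) {
        $t_result['token68'] = $t_rest;
        return $t_result;
    }
    // ( "," / auth-param ) *( OWS "," [ OWS auth-param ] )
    // auth-param = token BWS "=" BWS ( token / quoted-string )
    $t_re_param   = '/\G(' . RE_TOKEN . ')[ \t]*=[ \t]*(' . RE_TOKEN . '|' . RE_QUOTED . ')/';
    $t_pos        = 0;
    $t_len        = strlen( $t_rest );
    $t_need_comma = false;
    while( $t_pos < $t_len ) {
        $t_pos += strspn( $t_rest, " \t", $t_pos ); // OWS
        if( $t_pos >= $t_len ) {
            break;
        }
        if( $t_rest[$t_pos] === ',' ) {
            $t_pos++;
            $t_need_comma = false;
            continue;
        }
        // Two auth-params must be separated by a comma, and anything that is
        // not "name=value" here (a bare token, a second credential) is a syntax error.
        if( $t_need_comma || !preg_match( $t_re_param, $t_rest, $t_pm, 0, $t_pos ) ) {
            return null;
        }
        $t_result['params'][ strtolower( $t_pm[1] ) ] = $t_pm[2];
        $t_pos       += strlen( $t_pm[0] );
        $t_need_comma = true;
    }
    return $t_result;
}

function describe( $p_label, $p_value ) {
    $t_parsed = parse_credentials( $p_value );
    echo $p_label, ': ', ( $t_parsed === null ? 'NOT valid credentials' : json_encode( $t_parsed ) ), PHP_EOL;
}

// Constructed values: the proxy's Basic credential (user "tester", password
// "secret") and a placeholder Mantis token.
$t_basic = 'Basic ' . base64_encode( 'tester:secret' );
$t_token = 'xxxxxxx';

describe( 'proxy credential alone', $t_basic );
describe( 'bare token alone (parses as a scheme with no parameters)', $t_token );
// The comma-joined string getHeaderLine() returns for two Authorization headers.
describe( 'comma-joined line', $t_basic . ', ' . $t_token );
// Commas are legal only between auth-params of a single credential.
describe( 'auth-param form', 'Digest username="tester", realm="mantis", nonce=abc123' );
```

The comma-joined line fails in the auth-param loop: after the Basic scheme the remainder is neither a token68 nor a list of name=value pairs, so a compliant parser has no way to recover the second credential from it. Splitting the joined line on commas, as the PR does, only works because the values happen not to contain commas themselves.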

Related Changesets

MantisBT: master 8e84c922
2019-08-03 13:28
Author: l2m
Committer: vboctor

Support multiple authorization headers for REST API

Fixes 0025362

Affected Issues: 0025362
mod - api/rest/restcore/AuthMiddleware.php