0026365: Missing Authorization header in REST API causing requests to fail - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0026365	mantisbt	api rest	public	2019-11-18 09:45	2025-05-29 05:42

Reporter	polzin	Assigned To	dregad
Priority	normal	Severity	major	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	2.22.1
Target Version	2.25.8	Fixed in Version	2.25.8

Summary	0026365: Missing Authorization header in REST API causing requests to fail
Description	On trying out the rest api, all requests were answered with "401 API token required", although the Authorization token was transmitted. Adding the line `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` in $MANTISROOT/api/rest/.htaccess, as suggested by https://devblog.cyotek.com/post/restoring-missing-authorization-header-when-using-php, fixed the issue. EDIT (dregad): fixed URL to blog article; markdown formatting.
Additional Information	`diff --git a/api/rest/.htaccess b/api/rest/.htaccess index 6b27d11..7b3007e 100644 --- a/api/rest/.htaccess +++ b/api/rest/.htaccess @@ -1,4 +1,5 @@ # Based on Slim Framework recommendation @ http://docs.slimframework.com/routing/rewrite/ +SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0 RewriteEngine On RewriteCond %{REQUEST_FILENAME} !-f RewriteRule ^ index.php [QSA,L]`
Tags	No tags attached.

dregad 2023-05-05 09:14 developer ~0067739	Could you please check if adding `CGIPassAuth On` [1] to your .htaccess or conf file instead of the SetEnvIf directive fixes the problem ?

dregad 2023-05-15 04:34 developer ~0067750	polzin, You did not provide any feedback; I am therefore resolving this issue as "no change required". Feel free to reopen the issue at a later time and provide the requested information.

polzin 2023-06-05 06:59 reporter ~0067825 Last edited: 2023-06-05 07:04	Sorry for the delay. My tests results: If either `CGIPassAuth On` or `SetEnvIf ...` is in .htaccess it works. Without any of them, as in the current master, it doesn´t work. `curl -v` results: `> Authorization: 8qpg8He_atuoIQH5uMH8wRtam5tInXXX > < HTTP/1.1 401 API token required` vs. `> Authorization: 8qpg8He_atuoIQH5uMH8wRtam5tInXXX > < HTTP/1.1 200 OK`

dregad 2023-06-06 03:26 developer ~0067829	Thanks for the feedback, I'll fix this in the next hotfix release.

richardmoss 2023-06-18 03:30 reporter ~0067848	Hello, Firstly, thanks for posting a notification on the original block article. I didn't think this was a bug with MantisBT itself so I never reported it here unlike some of the other issues I raised at the time. I tested this new way, but it didn't work for me - the logs showed `[core:alert] <path>/api/rest/.htaccess: Invalid command 'CGIPassAuth', perhaps misspelled or defined by a module not included in the server configuration` PHP version: 8.2.7 running under Plesk (Obsidian?) as a "Dedicated FPM application served by Apache" (I also tried ...served by nginx, same error) Apparently `CGIPassAuth` was added in Apache 2.4.13, which is appears to be from quite a few years back, and I can't see the Apache version I'm using being that old, but I can't tell the version and my SSH connection is closing as soon as I try to log in to check. I'll contact my host and see if they can tell me (as well as look into the SSH issue!). Regardless though, I guess it is an environment problem as opposed to something with MantisBT, but thought I'd follow up anyway. Regards; Richard Moss

dregad 2023-06-19 02:55 developer ~0067850	thanks for posting a notification You're welcome. It thought it would be a good idea since this Issue's OP came here after applying your workaround. PHP version: 8.2.7 Probably unrelated, but please note that we don't support PHP 8.2 (yet). I can't see the Apache version I'm using being that old, but I can't tell the version and my SSH connection is closing as soon as I try to log in to check Have you tried `curl --head http://your.server.com/` or uploading a file with `<?php phpinfo();` in it ? Keep us posted

polzin 2023-08-29 08:36 reporter ~0068042	I noticed in error logs alers. [Mon Aug 28 23:59:53.777128 2023] [core:alert] [pid 22624:tid 140187749291776] [client XXX:49002] /opt/httpd/XXX/html/mantis/api/rest/.htaccess: CGIPassAuth not allowed here Still the access works. That makes no sense. For me, I will fall back to the other solution.

dregad 2023-08-29 09:01 developer ~0068045	Weird. According to Apache documentation, CGIPassAuth Directive is allowed in .htaccess context. [Mon Aug 28 23:59:53.777128 2023] [core:alert] [pid 22624:tid 140187749291776] [client XXX:49002] /opt/httpd/XXX/html/mantis/api/rest/.htaccess: CGIPassAuth not allowed here If you can spare the time and effort, this may be worth reporting to Apache.

polzin 2023-08-29 09:28 reporter ~0068046	CGIPassAuth Directive is allowed in .htaccess context. I rechecked and found out: On some webservers both directives work and one of them is required. On other webservers, CGIPassAuth is forbidden in .htaccess, and thus only the other directive is allowed and required. So it seems to me, it´s a configuration issue and not an Apache issue.

MantisBT: master-2.25 edfc6d6c 2023-06-06 11:11 dregad Details Diff	REST API .htaccess pass on Authorization headers Avoids requests failing with HTTP 401 error caused by missing Authorization header. Fixes 0026365		Affected Issues 0026365
	mod - api/rest/.htaccess		Diff File
MantisBT: master 97aa8e50 2025-05-09 03:55 dregad Details Diff	Bump Apache minimum requirement to 2.4.13 - 2.2 is EOL since 2018. - 2.4.13 is required for CGIPassAuth (see issue 0026365)		Affected Issues 0026365
	mod - docbook/Admin_Guide/en-US/Installation.xml		Diff File