View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0026365||mantisbt||api rest||public||2019-11-18 09:45||2023-08-29 09:28|
|Priority||normal||Severity||major||Reproducibility||have not tried|
|Target Version||2.25.8||Fixed in Version||2.25.8|
|Summary||0026365: Missing Authorization header in REST API causing requests to fail|
On trying out the rest api, all requests were answered with "401 API token required", although the Authorization token was transmitted.
in $MANTISROOT/api/rest/.htaccess, as suggested by https://devblog.cyotek.com/post/restoring-missing-authorization-header-when-using-php, fixed the issue.
EDIT (dregad): fixed URL to blog article; markdown formatting.
|Tags||No tags attached.|
Could you please check if adding
You did not provide any feedback; I am therefore resolving this issue as "no change required".
Feel free to reopen the issue at a later time and provide the requested information.
Thanks for the feedback, I'll fix this in the next hotfix release.
Firstly, thanks for posting a notification on the original block article. I didn't think this was a bug with MantisBT itself so I never reported it here unlike some of the other issues I raised at the time.
I tested this new way, but it didn't work for me - the logs showed
PHP version: 8.2.7 running under Plesk (Obsidian?) as a "Dedicated FPM application served by Apache" (I also tried ...served by nginx, same error)
Regardless though, I guess it is an environment problem as opposed to something with MantisBT, but thought I'd follow up anyway.
You're welcome. It thought it would be a good idea since this Issue's OP came here after applying your workaround.
Probably unrelated, but please note that we don't support PHP 8.2 (yet).
Have you tried
Keep us posted
I noticed in error logs alers.
[Mon Aug 28 23:59:53.777128 2023] [core:alert] [pid 22624:tid 140187749291776] [client XXX:49002] /opt/httpd/XXX/html/mantis/api/rest/.htaccess: CGIPassAuth not allowed here
Still the access works. That makes no sense. For me, I will fall back to the other solution.
Weird. According to Apache documentation, CGIPassAuth Directive is allowed in .htaccess context.
If you can spare the time and effort, this may be worth reporting to Apache.
I rechecked and found out:
On other webservers, CGIPassAuth is forbidden in .htaccess, and thus only the other directive is allowed and required.
So it seems to me, it´s a configuration issue and not an Apache issue.