Missing Authorization Header in production only

Question

I have the following work flow:

I have a api/token [POST] that takes form-data (email and password) and returns and access token and a refresh token.

Then I have another endpoint api/users/info [GET] (with Headers 'Authorization': 'Bearer ...) that returns user information. When testing locally both endpoints work.

When testing to my deployed server only the token fetching one works.

Here is the code for the api/users/info:

@API_BP.route('/users/info', methods=['GET'])
@fresh_jwt_required
def users_info():

    user_identity = get_jwt_identity()
    curr_user = (SDB.session.query(User)
                 .filter_by(email=user_identity).one_or_none())
    return jsonify({
        'greeting': 'Hello, World!',
        'foo': 'bar',

    })

Moreover, here are my configs:

JWT_TOKEN_LOCATION = ['cookies', 'headers']
JWT_COOKIE_CSRF_PROTECT = True
JWT_COOKIE_SECURE = True 
JWT_ACCESS_COOKIE_NAME = "my_access_cookie"
JWT_REFRESH_COOKIE_NAME = "my_refresh_cookie"
JWT_ACCESS_CSRF_COOKIE_NAME = "my_csrf_access_token"
JWT_REFRESH_CSRF_COOKIE_NAME = "my_csrf_refresh_token"
JWT_ACCESS_CSRF_HEADER_NAME = "X-MY-TOKEN"

The error I am getting is:

{
    "msg": "Missing JWT in cookies or headers (Missing cookie \"my_access_cookie\"; Missing Authorization Header)"
}

I'm using Postman to hit these endpoints. I have the Token received by api/token set under authorization. Here is what that looks like in python:

import requests

url = "http://my_url.com/api/users/info"

payload = {}
headers = {
  'Authorization': 'Bearer eyJ0eXAiOiJKV1QiLCJhrtyuzI1NiJ9.eyJpYXQiOjE2MjU5MTg0MTEsIm5iZiI6MTYyNTkxODQxMSwianRpfghZi00YTcyLWIxZTYtZGMxYTRjNDhkOThhIiwiZXhwIjoxNjI1OTE5NjExLCJpZGVudGl0eSI6ImFsZnJlZG9Adml2ZWJlbmVmaXRzLmNvbSIsImZyZXNoIjp0cnVlLCsdfghXBlIjoiYWNjZXNzIiwiY3NyZiI6ImQyNTQ0NjY0LTFlOGUtNDY5NS1hY2I4LTE2MzIxMDZlNDY0MiJ9.WT-EWlMtZZKoNyiXYxa3xdfghjg7r7ys'
}

response = requests.request("GET", url, headers=headers, data = payload)

print(response.text.encode('utf8'))

What can I do to ensure the second request GET works in prod?

Answer 1

The issue is that verify_jwt_in_request() would look for the header Authorization instead of X-Forwarded-Authorization.

Locally, the header would be Authorization but in production, because we are using docker/nginx, the header changes to X-Forwarded-Authorization. The way I fixed this was to set the config JWT_HEADER_NAME = "X-Forwarded-Authorization"

Answer 2

If you’re using modwsgi in production you will probably need to make sure you have the WSGIPAssAuthorization On configuration option enabled. There might be similar options depending on what software you are using to run the flask app in prod (Apache/nginx/uwsgi/unicorn/etc).