I am attempting to communicate between a desktop app and a Xojo Cloud app. The desktop app is using xojo.net.httpsocket. When the desktop app connects to the web app we send a login request, and if I send back a 401 with the WWW-Authenticate header, the desktop socket's AuthenticationRequired event fires and I pass the username and password.
In the HandleSpecialURL event I’m dealing with it this way:
[code]dim authHeader as string = request.GetRequestHeader("Authorization")
if authHeader = "" then
  Request.status = 401
  Request.Header("WWW-Authenticate") = "Basic realm=""Test"""
  return true
end if
[/code]
My problem is that when I’m debugging locally this works. But since I’ve moved it to Xojo Cloud it fails. It appears that the Authorization header is stripped or something. I know that I’m dealing with the event. It appears to be a Xojo Cloud issue.
Update on this. I tried this on a second server and I have the same issue. On both servers the Authorization header is blank. How odd. It works locally.
[quote=229670:@Bob Keeney]Update on this. I tried this on a second server and I have the same issue. On both servers the Authorization header is blank. How odd. It works locally.
Well, time to go to plan B.[/quote]
File a bug report. I don’t think we purposely strip any headers.
The information is somewhere else now. Here’s the last snippet I have. This has not been run in a long time so buyer beware:
[code]dim sAuthorization as string
dim d as double = XojoVersion
if XojoVersion > 2014.02 then
  //Try new way
  sAuthorization = GetAuthorization(Request) //Request is WebRequest
  if sAuthorization = "" then
    //Found nothing. Try the old way
    sAuthorization = Request.GetParameter("Authorization")
  end if
else
  //Try the old way
  sAuthorization = Request.GetParameter("Authorization")
end if
if sAuthorization <> "" then
  //do something here with it
end if
[/code]
[code]Private Function GetAuthorization(oRequest as WebRequest) As String
  dim sAuthorization as string
  dim iStart as integer = oRequest.Entity.InStr("&")
  if iStart = 0 then return "" //didn't find it
  dim sStart as string = oRequest.Entity.left(iStart-1)
  dim ars() as string = sStart.split("=")
  if ars.Ubound < 1 then return ""
  if ars(0) <> "Authorization" then return ""
  sAuthorization = ars(1)
  'Some Authorizations have '=' in them
  for i as integer = 2 to ars.Ubound
    if ars(i) = "" then
      sAuthorization = sAuthorization + "="
    else
      sAuthorization = sAuthorization + ars(i)
    end if
  next
  return sAuthorization
End Function
[/code]
Actually it’s not. There were two problems… first, Apache no longer passes Authorization headers by default. It’s thought to be a security risk because the transmission of the credentials from Apache to the cgi script is in the clear regardless of the security of the browser connection. As Xojo Cloud are single tenant VMs, this is not an issue for us. Second, the Xojo web framework was only transferring a select few of the available headers, and Authorization was not one of them. A fix has been submitted.
Unfortunately I also see the issue for 400 errors where the server gives me the most detailed reasons why I have failed - only not using net.httpsocket. 401 errors are simple - you fucked up.
[code]// only answer to request with right Authorization header
Dim Authorization As String = Request.GetRequestHeader("Authorization")
If Authorization.Trim <> "MyAPIKey" Then
  Request.Print "Unauthorized" + " " + Authorization
  Return True
End If
[/code]
If I build as standalone, all works fine.
If I build as CGI, it always returns Unauthorized, because Authorization = "".
I don’t understand if the problem was solved.
If it was, how?
In CGI, the Authorization header is probably being handled & stripped by the web server. You would have to solve this in the config files for the server itself.
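
As an added illustration of the server-side change the last reply points to (not configuration posted by anyone in this thread): assuming the web server in front of the CGI build is Apache httpd, these are the standard directives for handing the Authorization header to a CGI script. The directory path is a placeholder, and the app still needs a Xojo version that includes the framework fix mentioned earlier in the thread.

```apache
# Assumption: the Xojo CGI app lives in /var/www/cgi-bin/myapp (placeholder path).
# Scope the change to that directory only. httpd withholds the header from
# CGI scripts by default because it carries the client's credentials.
<Directory "/var/www/cgi-bin/myapp">
    # httpd 2.4.13 and later: pass the Authorization header to the script
    # as the HTTP_AUTHORIZATION environment variable.
    CGIPassAuth On
</Directory>

# Older httpd without CGIPassAuth: copy the header into the environment
# with mod_setenvif instead. Use one approach, not both.
# <Directory "/var/www/cgi-bin/myapp">
#     SetEnvIf Authorization "(.+)" HTTP_AUTHORIZATION=$1
# </Directory>
```

CGIPassAuth can also be set from a .htaccess file when the server allows AuthConfig overrides for that directory.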