Authorization Header

I am attempting to communicate between a desktop app and a Xojo Cloud app. The desktop app is using xojo.net.httpsocket. When the desktop app connects to the web app we send a login request, and if I send back a 401 with the WWW-Authenticate header, the AuthenticationRequired event fires on the desktop socket and I pass the username and password.

In the HandleSpecialURL event I’m dealing with it this way:

[code]dim authHeader as string = request.GetRequestHeader("Authorization")

// No credentials supplied: challenge the client with a Basic auth prompt
if authHeader = "" then
  Request.status = 401
  Request.Header("WWW-Authenticate") = "Basic realm=""Test"""
  return true
end if
[/code]

My problem is that when I’m debugging locally this works. But since I’ve moved it to Xojo Cloud it fails. It appears that the Authorization header is stripped or something. I know that I’m dealing with the event. It appears to be a Xojo Cloud issue.

Thoughts?

Update on this. I tried this on a second server and I have the same issue. On both servers the Authorization header is blank. How odd. It works locally.

Well, time to go to plan B.

I don’t know Xojo Cloud but maybe you can rule things out using httpscoop? (https://www.tuffcode.com/)

[quote=229670:@Bob Keeney]Update on this. I tried this on a second server and I have the same issue. On both servers the Authorization header is blank. How odd. It works locally.

Well, time to go to plan B.[/quote]
File a bug report. I don’t think we purposely strip any headers.

Was this ever resolved? I am experiencing a similar issue with the Authorization header.

Submitted bug report 43557 - Authorization Header blank on XojoCloud

The information is somewhere else now. Here’s the last snippet I have. This has not been run in a long time so buyer beware:

[code]dim sAuthorization as string
dim d as double = XojoVersion

if XojoVersion > 2014.02 then
  //Try new way
  sAuthorization = GetAuthorization(Request) //Request is WebRequest
  if sAuthorization = "" then
    //Found nothing. Try the old way
    sAuthorization = Request.GetParameter("Authorization")
  end if
else
  //Try the old way
  sAuthorization = Request.GetParameter("Authorization")
end if

if sAuthorization <> "" then
  //do something here with it
end if
[/code]

[code]Private Function GetAuthorization(oRequest as WebRequest) As String
  dim sAuthorization as string

  'The value is expected as the first "Authorization=..." pair of the request entity
  dim iStart as integer = oRequest.Entity.InStr("&")
  if iStart = 0 then return "" //didn’t find it

  dim sStart as string = oRequest.Entity.left(iStart-1)

  dim ars() as string = sStart.split("=")
  if ars.Ubound < 1 then return ""

  if ars(0) <> "Authorization" then return ""
  sAuthorization = ars(1)

  'Some Authorizations have '=' in them
  for i as integer = 2 to ars.Ubound
    if ars(i) = "" then
      sAuthorization = sAuthorization + "="
    else
      sAuthorization = sAuthorization + ars(i)
    end if
  next
  return sAuthorization
End Function
[/code]

Thanks Bob for sharing, but that does not appear to fix the issue on the Cloud.

We are slamming into this also. Anybody know the bug report number? Can’t find it in Bugbase/Feedback.

Is it possible that something else - such as a proxy server - is stripping or rewriting certain request headers?

This looks like case 45108 - added for 2016r4.

There is definitely a problem with the net.httpsocket; see feedback://showreport?report_id=44886, where although a 401 error is returned the content is not.

Actually it’s not. There were two problems… first, Apache no longer passes Authorization headers by default. It’s thought to be a security risk because the transmission of the credentials from Apache to the cgi script is in the clear regardless of the security of the browser connection. As Xojo Cloud are single tenant VMs, this is not an issue for us. Second, the Xojo web framework was only transferring a select few of the available headers, and Authorization was not one of them. A fix has been submitted.

Unfortunately I also see the issue for 400 errors where the server gives me the most detailed reasons why I have failed - only not using net.httpsocket. 401 errors are simple - you fucked up.

What does this have to do with missing Authorization headers?

It seems to me that I am in a similar situation.

In app.HandleSpecialURL:

[code]// only answer to request with right Authorization header
Dim Authorization As String = Request.GetRequestHeader("Authorization")
If Authorization.Trim <> "MyAPIKey" Then
  Request.Print "Unauthorized" + " " + Authorization
  Return True
End If
[/code]

If I build as standalone, all works fine.

If I build as CGI, it always returns Unauthorized, because Authorization = "".

I don’t understand if the problem was solved.
If it was, how?

Can you help me?

In CGI, the Authorization header is probably being handled & stripped by the web server. You would have to solve this in the config files for the server itself.
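
The replies above trace the blank header to the web server withholding Authorization from CGI programs. The following is an added example, not code from the thread or from Xojo: a Python view of what a CGI handler receives, with Basic credential parsing that tolerates `=` padding and a constant-time check. It assumes the server exposes the header as `HTTP_AUTHORIZATION` (for Apache 2.4.13+ that requires `CGIPassAuth On`) or as `REDIRECT_HTTP_AUTHORIZATION`; the function names and sample values are hypothetical.

```python
import base64
import binascii
import hmac

# Assumption: Apache passes the header to CGI as HTTP_AUTHORIZATION only when
# told to (e.g. "CGIPassAuth On"); a value copied in via mod_rewrite appears as
# REDIRECT_HTTP_AUTHORIZATION after an internal redirect.
AUTH_ENV_KEYS = ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION")


def basic_credentials(environ):
    """Return (user, password) from a CGI environment, or None if absent/malformed."""
    raw = next((environ[k] for k in AUTH_ENV_KEYS if environ.get(k)), "")
    scheme, _, token = raw.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects stray characters; '=' padding is part of the token.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password itself may contain ':'
    return (user, password) if sep else None


def handle(environ, expected_user, expected_password, realm="Test"):
    """Return (status, headers, body), challenging like the first post's handler."""
    challenge = (401, {"WWW-Authenticate": 'Basic realm="%s"' % realm}, "Unauthorized")
    creds = basic_credentials(environ)
    if creds is None:
        return challenge
    # Constant-time comparisons, both evaluated so timing does not reveal which failed.
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    if not (user_ok and pass_ok):
        return challenge
    return 200, {}, "OK"


# Constructed sample environments (not captured from a real server).
TOKEN = base64.b64encode(b"bob:s3:cret").decode()  # ends in '=' padding
PASSED = {"REQUEST_METHOD": "GET", "HTTP_AUTHORIZATION": "Basic " + TOKEN}
STRIPPED = {"REQUEST_METHOD": "GET"}  # what the CGI sees when the server withholds it
```

With `STRIPPED`, the handler can only keep answering 401 no matter what the client sends, which matches the behaviour reported for the CGI build; the application code cannot recover a header the server never passed on.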