WeblateOrg / weblate

Web based localization tool with tight version control integration.
https://weblate.org/
GNU General Public License v3.0

API Call does not get Authorized #3294

Closed reloxx13 closed 4 years ago

reloxx13 commented 4 years ago

Describe the bug
I tried to access the API, but I'm only getting back a 302 redirect to the login page. My guess is the token does not get passed to weblate/uwsgi, or /api isn't even known. If the token is not passed, shouldn't a 401 Unauthorized be returned?

Did I forget to enable something? I spent the whole day yesterday reading the docs and also the Django docs but could not find out what I'm missing.

To Reproduce
Steps to reproduce the behavior:
curl -H "Authorization: Token aUs1KFfoHCSG5s0...." https://weblate_url/api/ -v

CURL Response

What I tried: I made sure the API token is correct and also re-generated it.
I tried the above curl from a local Debian machine and locally from the server.
Also tried via a PHP script.
I enabled DEBUG=True and set higher DEFAULT_THROTTLE_RATES in settings.py.
I added some configs to the Weblate nginx config file; I marked them with START/END added:
NGINX Config

Server configuration and status list_versions settings.py

manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W018) You should not have DEBUG set to True in deployment.

INFOS:
?: (weblate.I021) Error collection is not configured, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-3.9.1/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-3.9.1/admin/backup.html

System check identified 4 issues (1 silenced).


nijel commented 4 years ago

Exclude API from login required URLs in LOGIN_REQUIRED_URLS_EXCEPTIONS.

reloxx13 commented 4 years ago

Heya,

thank you, this works, BUT it also works without "Authorization" in the header. I tried this too and forgot to write it down here :/

Cases:
Authorization with valid token in header => works
Authorization with invalid token in header => 401
No Authorization in header => works...

(I reverted my changes for the cases)

It should not be publicly accessible without a token. That's why I disabled it in LOGIN_REQUIRED_URLS_EXCEPTIONS again. I thought it has to be disabled to be non-public.

nijel commented 4 years ago

It lists whatever projects anonymous user has access to. Limiting this user will remove all objects from the API.

reloxx13 commented 4 years ago

Ahhh thank you very much! I will try it tomorrow 😅

reloxx13 commented 4 years ago

Heya,

okay, that worked, I took all roles from anon.

The anon user was disabled. I think it would be right to check this and then not allow anon API access, or write it down in your documentation, because this could be a security issue. If the anon user is disabled, it should be handled like it is disabled and not allow anything.

github-actions[bot] commented 4 years ago

The issue you have reported seems to be resolved now.

nijel commented 4 years ago

I think the anonymous user is disabled by default, it's just used to get permissions whenever somebody is unauthenticated. Login required removes this from the web, but it stays on the API, which is probably not expected. Maybe a better approach in this case is to change the REST Framework DEFAULT_PERMISSION_CLASSES.
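The approach nijel describes, as an added settings.py fragment (example code, not Weblate's own settings file or the fix that was committed): /api/ stays excluded from the login-required middleware so the 302 goes away, and authentication is enforced at the Django REST Framework layer instead, so unauthenticated calls get a 401 rather than the anonymous user's view of the projects. The anonymous_api_access helper and the exact exception list are assumptions for this example.

```python
# Added example, not Weblate's own settings: closing the gap from this issue.
# Weblate's login-required middleware only guards web URLs, so excluding
# /api/ from it stops the redirect to the login page but leaves the API
# answering with whatever the anonymous user may see. Requiring
# authentication in REST framework closes that.

# Everything needs a login except the listed paths (assumed exception list).
LOGIN_REQUIRED_URLS = (r"/(.*)$",)
LOGIN_REQUIRED_URLS_EXCEPTIONS = (
    r"/accounts/(.*)$",  # login and registration pages
    r"/static/(.*)$",    # static assets
    r"/api/(.*)$",       # must stay here, or API calls get the 302 again
)

REST_FRAMEWORK = {
    # Order matters for the status code: DRF builds the WWW-Authenticate
    # header from the first class, so with TokenAuthentication first an
    # unauthenticated call gets 401; with SessionAuthentication first it
    # would get 403 instead.
    "DEFAULT_AUTHENTICATION_CLASSES": (
        "rest_framework.authentication.TokenAuthentication",
        "rest_framework.authentication.SessionAuthentication",
    ),
    # Weak: "IsAuthenticatedOrReadOnly" or "AllowAny" serve unauthenticated
    # GETs with the anonymous user's permissions, which is the behaviour
    # reported above. Hardened: no valid token or session, no access.
    "DEFAULT_PERMISSION_CLASSES": (
        "rest_framework.permissions.IsAuthenticated",
    ),
}

# Unauthenticated-friendly DRF permission classes and what they hand out.
_ANON_ACCESS = {
    "rest_framework.permissions.AllowAny": "full",
    "rest_framework.permissions.IsAuthenticatedOrReadOnly": "read-only",
}


def anonymous_api_access(rest_framework_settings: dict) -> str:
    """Deploy-time sanity check (assumed helper): what an unauthenticated
    client can do with these REST framework settings. Returns "none",
    "read-only" or "full"; every permission class must pass, so the
    strictest listed class wins."""
    classes = rest_framework_settings.get("DEFAULT_PERMISSION_CLASSES", ())
    if not classes:
        return "full"  # DRF's default is AllowAny
    levels = [_ANON_ACCESS.get(cls, "none") for cls in classes]
    if "none" in levels:
        return "none"
    return "read-only" if "read-only" in levels else "full"
```

Run `python manage.py check --deploy` after editing settings.py, then repeat the reporter's curl without the Authorization header: it should now return 401.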

nijel commented 4 years ago

I've added it to example config, Docker and docs.