api-platform / api-platform

🕸️ Create REST and GraphQL APIs, scaffold Jamstack webapps, stream changes in real-time.
https://api-platform.com
MIT License

Request made by the browser does not contain the "authorization" header #2217

Closed JoDarma-lp closed 4 months ago

JoDarma-lp commented 2 years ago

I'm trying to use Vulcain on my API developed with api-platform created from the distribution made available in the api-platform doc.

My API is secured by two headers: "authorization" which contains a Bearer and "workspace" which contains an ID allowing the API to know on which workspace to retrieve the information.

I have a user object which contains a "defaultRoles" attribute which lists all the roles of the user. So I applied the `#[ApiProperty(push:true)]` annotation on this attribute. When the browser makes sub-requests to retrieve the "defaultRoles/:id" resources, the API returns a 401 because the requests generated by the browser do not contain the "authorization" and "workspace" headers.

I couldn't find any resources explaining how Vulcain works with a secure API.

How can I add the header to that request?

dunglas commented 2 years ago

The push option isn't related to Vulcain (it's an older feature) and doesn't support authorization. We'll probably remove this option in favor of Vulcain in a future version.

To push a resource with vulcain you need to use the Preload header instead: https://Vulcain.rocks

JoDarma-lp commented 2 years ago

Thank you for your reply! Indeed, the doc specifies the use of this property: push. This is confusing.

JoDarma-lp commented 2 years ago

To follow up on your answer, I used the Preload header or preload query params but I still get a 401 when resources are returned, because in the header of requests made by the browser I don't have the security headers mentioned above.

This function does not support authorization?

dunglas commented 2 years ago

The request made by the browser must exactly match the pushed request (so it must include the Authorization header).
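The two answers above (use the Preload header rather than the push option, and make the browser's follow-up requests match the pushed ones exactly) translate into one client-side rule: the same header set that authenticated the parent request must be sent on every request for a related resource. The following is an added example, not code from this issue or from the api-platform or Vulcain projects. It assumes a hypothetical root resource at /users/me, a defaultRoles relation holding IRIs, an injectable fetch-compatible function (window.fetch in a browser, a constructed stand-in here), and constructed token and workspace values.

```javascript
// Added example; not part of the issue or of api-platform / Vulcain.
// Constructed credentials, used only by the stand-in backend below.
const TOKEN = "constructed-example-token";
const WORKSPACE_ID = "ws-42";

// One header set, reused for the parent request and for every related resource.
// Sending the token as a header (never in the URL) keeps it out of logs and caches.
function authHeaders(token, workspaceId) {
  return {
    Accept: "application/ld+json",
    Authorization: `Bearer ${token}`,
    workspace: workspaceId,
  };
}

// Collect the IRIs under a JSON-LD relation: a single IRI string, an array of
// IRI strings, or embedded objects carrying "@id".
function relationIris(doc, relation) {
  const value = doc[relation];
  const list = Array.isArray(value) ? value : value == null ? [] : [value];
  return list
    .map((item) => (typeof item === "string" ? item : item && item["@id"]))
    .filter(Boolean);
}

// Fetch the parent, asking Vulcain to preload the relation via the Preload header
// (selector syntax from vulcain.rocks, e.g. "/defaultRoles/*"), then fetch each
// related IRI with the identical headers so the browser's request matches the
// pushed one instead of being sent unauthenticated.
async function fetchWithRelation(fetchImpl, url, relation, headers) {
  const parentResponse = await fetchImpl(url, {
    headers: { ...headers, Preload: `"/${relation}/*"` },
  });
  if (!parentResponse.ok) throw new Error(`${url}: HTTP ${parentResponse.status}`);
  const parent = await parentResponse.json();

  const related = [];
  for (const iri of relationIris(parent, relation)) {
    const response = await fetchImpl(iri, { headers }); // same Authorization + workspace
    if (!response.ok) throw new Error(`${iri}: HTTP ${response.status}`);
    related.push(await response.json());
  }
  return { parent, related };
}

// Constructed stand-in for the secured API: any request missing either security
// header gets a 401, which is the failure reported in the issue. Every request
// is logged so a caller can verify which headers were actually sent.
function makeFakeApi() {
  const resources = {
    "/users/me": { "@id": "/users/me", defaultRoles: ["/default_roles/1", "/default_roles/2"] },
    "/default_roles/1": { "@id": "/default_roles/1", name: "ROLE_USER" },
    "/default_roles/2": { "@id": "/default_roles/2", name: "ROLE_ADMIN" },
  };
  const log = [];
  const fetchImpl = async (url, init = {}) => {
    const headers = init.headers || {};
    log.push({ url, headers });
    const authorized =
      headers.Authorization === `Bearer ${TOKEN}` && headers.workspace === WORKSPACE_ID;
    const body = resources[url];
    const status = !authorized ? 401 : body ? 200 : 404;
    return { ok: status === 200, status, json: async () => body };
  };
  return { fetchImpl, log };
}

// Runs the happy path against the stand-in and returns what was fetched.
async function demo() {
  const api = makeFakeApi();
  const result = await fetchWithRelation(
    api.fetchImpl, "/users/me", "defaultRoles", authHeaders(TOKEN, WORKSPACE_ID)
  );
  return { roles: result.related.map((r) => r.name), requests: api.log };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(JSON.stringify(r, null, 2)));
}
```

In a browser, pass `fetch` as `fetchImpl` and check in the network panel that each sub-request for a `/default_roles/...` IRI carries both `Authorization` and `workspace`; if one is missing, the pushed response cannot be matched and the API will answer 401 exactly as described above.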

JoDarma-lp commented 2 years ago

In my case, I have a request that contains the header `authorization: Bearer ...`

[Screenshot 2022-07-21 at 14:17:07]

This request results in several requests made by the browser which do not contain an authorization header. Example of request made by the browser:

Is this behavior normal or is it due to a bad configuration? Or is it due to the /me route ?