lemonadelabs / django-merlin

The web backend for Merlin, written on the Django web framework.

authentication problems with restapi when using http authentication #14

Closed achimgaedke closed 8 years ago

achimgaedke commented 8 years ago

When using the django application with uwsgi and an nginx 'frontend' web server configured to use http authentication, the '/api' calls are no longer working.

Setup in detail:

server {
   listen 443 ssl;
   ssl_certificate_key /etc/nginx/ssl-certs/private/merlin.key;
   ssl_certificate /etc/nginx/ssl-certs/cert/merlin.crt;

   location / {
       auth_basic 'merlin';
       auth_basic_user_file /etc/nginx/access_pwd;
       include uwsgi_params;
       uwsgi_pass merlin-api.:8081;
   }
}

Using this deployment (as it would be used to make a development version available worldwide) e.g. on merlin-3l.cloudapp.net or later using cardhu:

It has the following flaw:

Calling https://merlin-3l.cloudapp.net/api/simulations/1/ results in an HTTP 403 error with:

HTTP 403 Forbidden
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "detail": "Invalid username/password."
}

So, the login mechanism of nginx seems to have repercussions in the django user management, which is not (fully) configured or filled with user data sets. In contrast to that, the static files seem to be served fine.

As a first try to get things right, I (configured and) used the admin site to add users. Logging in as such a (super)user helps to read (GET) data, but not to modify it (e.g. set coordinates).

achimgaedke commented 8 years ago

This issue should be at low priority.

achimgaedke commented 8 years ago

Using uwsgi_pass_request_headers off fixes the issue, but probably does some other harm...

   location / {
       auth_basic 'merlin';
       auth_basic_user_file /etc/nginx/access_pwd;
       include uwsgi_params;
       uwsgi_pass_request_headers off;
       uwsgi_pass merlin-api.:8081;
   }

achimgaedke commented 8 years ago

More elegant quick-fix/dirty hack: modify django-merlin/merlin/wsgi.py to get rid of the 'Authorization' header, which seems to confuse django and the undead Authentication/Authorization system.

from django.core.wsgi import get_wsgi_application

# the unmodified Django WSGI application, wrapped below
application1 = get_wsgi_application()

def application(environ, start_response):
    # drop the Authorization header nginx has already checked, so the
    # REST API's own authentication does not try to verify it against
    # Django's user table
    try:
        del environ['HTTP_AUTHORIZATION']
    except KeyError:
        pass

    return application1(environ, start_response)

(that allows the django middleware to choose encoding and so on...)
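The hack above deletes every Authorization header, which also locks out API clients that authenticate against Django itself (a DRF token, for instance). The following is an added example, not django-merlin code: a WSGI wrapper that removes only the Basic credentials nginx already verified and lets other schemes through; the `proxy.auth_user` environ key, the `run` test client and the `alice:s3cret` credentials are constructed for this illustration.

```python
import base64


def strip_proxy_basic_auth(app):
    """Wrap a WSGI app so that Basic credentials nginx already verified
    never reach Django, while other schemes (e.g. DRF "Token ...") pass."""
    def wrapped(environ, start_response):
        scheme, _, payload = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        if scheme.lower() == "basic":
            # Keep only the username nginx accepted (useful for logging);
            # the password is dropped from the environ entirely.
            try:
                creds = base64.b64decode(payload.strip(), validate=True)
                user = creds.split(b":", 1)[0].decode("utf-8", "replace")
            except ValueError:          # malformed base64: nothing to record
                user = ""
            environ["proxy.auth_user"] = user   # hypothetical key for this example
            del environ["HTTP_AUTHORIZATION"]
        return app(environ, start_response)
    return wrapped


def run(authorization=None):
    """Send one request through the wrapper and return what Django would see."""
    seen = {}

    def fake_django(environ, start_response):
        seen["authorization"] = environ.get("HTTP_AUTHORIZATION")
        seen["proxy_user"] = environ.get("proxy.auth_user")
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/simulations/1/"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    list(strip_proxy_basic_auth(fake_django)(environ, lambda status, headers: None))
    return seen


# Constructed sample credentials, as nginx forwards them after auth_basic succeeds.
NGINX_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode()

if __name__ == "__main__":
    print(run(NGINX_BASIC))        # {'authorization': None, 'proxy_user': 'alice'}
    print(run("Token 0123abcd"))   # {'authorization': 'Token 0123abcd', 'proxy_user': None}
```

To use it in wsgi.py, replace the `del environ[...]` wrapper with `application = strip_proxy_basic_auth(get_wsgi_application())`.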