4

I'm running a Flask application, using Apache with mod_wsgi, with my own SSL certificate (self-signed). I also use the Flask-HTTPAuth lib (https://flask-httpauth.readthedocs.org/en/latest/) and I do use BasicAuth.

app.auth = HTTPBasicAuth()

I'm trying to test the api with curl but my flask app is not logging me in.

This is the curl line

/usr/bin/curl -H 'Accept: application/json' -H 'Content-type: application/json' -u 'user:mypasswd' --cacert path_to/rootCA.crt --key path_to/backend.key --cert path_to/backend.crt -X POST -d '{}' -vvv https://my_url:443/api/1.0/code/create

There is the answer from the server

* Hostname was NOT found in DNS cache
*   Trying ** ...
* Connected to ** (**) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: path_to/rootCA.crt
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: ***
*    start date: 2015-10-20 13:22:20 GMT
*    expire date: 2017-03-03 13:22:20 GMT
*    common name: *** (matched)
*    issuer: ***
*    SSL certificate verify ok.
* Server auth using Basic with user 'user'
> POST //api/1.0/code/create HTTP/1.1
> Authorization: Basic amFtZXM6TDMgbDFuZCEgQHYgczBsMyFM
> User-Agent: curl/7.35.0
> Host: ***
> Accept: application/json
> Content-type: application/json
> Content-Length: 83
>
* upload completely sent off: 83 out of 83 bytes
< HTTP/1.1 401 UNAUTHORIZED
< Date: Wed, 21 Oct 2015 12:29:17 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Authentication Required"
< Content-Length: 19
< Content-Type: text/html; charset=utf-8
<
* Connection #0 to host ***m left intact
Unauthorized Access

There is an Authorization header created by the -u option, but yet in my Flask app there is no user or password given.

@app.auth.verify_password
def verify_password(username, passwd):
    # Debug output: shows which credentials actually reach the callback
    print("USername [%s] [%s]" % (username, passwd))
    return False

The output given is:

USername [] []

So my question is how to give the username and password to the verify_password decorator with curl?

Thank you.

2
  • 1
    Are you using Apache with mod_wsgi? If so, it may need to be configured to pass the Authorization headers to your Flask app. See Deployment Considerations and WSGIPassAuthorization. Commented Oct 26, 2015 at 17:18
  • Yes I am (going to add it to my post), thanks for this, I'm gonna have a look at it. Commented Oct 26, 2015 at 17:31

2 Answers

5
+50

You need to configure mod_wsgi to pass authorization headers to your Flask application.

From the Flask-HTTPAuth docs:

Be aware that some web servers do not pass the Authorization headers to the WSGI application by default.

Also, from the docs for verify_password:

If this callback is defined, it is also invoked when the request does not have the Authorization header with user credentials, and in this case both the username and password arguments are set to empty strings.

... this can explain the output you are seeing.

Since you are using Apache with mod_wsgi you should set the WSGIPassAuthorization directive to On (its default is Off) in your Apache configuration.


1 Comment

When deployed as a regular CGI script with ScriptAlias in Apache one has to add the directive CGIPassAuth On.
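
The failure mode described in this answer can be confirmed from inside the application. The following is an added example, not code from the original post or from Flask-HTTPAuth: a standard-library WSGI diagnostic that distinguishes an Authorization header that never reached the app (what happens under mod_wsgi while WSGIPassAuthorization is Off) from one that arrived but is malformed. The function names are assumptions for illustration.

```python
import base64
import binascii
from wsgiref.util import setup_testing_defaults


def basic_credentials(environ):
    """Classify the Authorization header as the WSGI app actually sees it.

    Returns (status, username, password); status is "absent", "malformed" or "ok".
    """
    header = environ.get("HTTP_AUTHORIZATION")
    if header is None:
        # The front-end server never forwarded the header to the application.
        return ("absent", None, None)
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return ("malformed", None, None)
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return ("malformed", None, None)
    # Only the first colon separates user from password; passwords may contain ":".
    username, sep, password = decoded.partition(":")
    if not sep:
        return ("malformed", None, None)
    return ("ok", username, password)


def diagnostic_app(environ, start_response):
    """Tiny WSGI app: reports the header status and never echoes the password."""
    status, username, _ = basic_credentials(environ)
    body = ("authorization header: %s, user: %r\n" % (status, username)).encode()
    code = "200 OK" if status == "ok" else "401 Unauthorized"
    headers = [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))]
    if status != "ok":
        headers.append(("WWW-Authenticate", 'Basic realm="Authentication Required"'))
    start_response(code, headers)
    return [body]


def call(app, authorization=None):
    """Invoke the app with a constructed environ, the way a WSGI server would."""
    environ = {}
    setup_testing_defaults(environ)
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    seen = {}
    body = b"".join(app(environ, lambda s, h: seen.update(status=s)))
    return seen["status"], body.decode()
```

Mounted temporarily behind the same Apache virtual host, a response of "absent" to a request sent with `curl -u` points at the server configuration rather than at the verify_password callback.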
1

Thanks @jeremy-allen it was that.

So if something like this blocks you (and you're using mod_wsgi), follow the links: https://flask-httpauth.readthedocs.org/en/latest/#deployment-considerations and https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization

You are probably missing the WSGIPassAuthorization variable in your Apache configuration.

Thanks.

2 Comments

You marked this as the answer after previously marking mine as the answer... after previously marking this as the answer. The correct thing to do would be to mark mine as the answer and delete this answer.
Right actually, after your comments, I found the solution so I posted my own answer, and then you posted it; reflex made me click on yours, but mine was already accepted. After that I clicked many times to understand that there could be only one answered. And as you just commented initially, I thought I should leave my answer as accepted, but I don't really care, I'm not running over reputation. If you need it I can do it, otherwise I'll just leave it like this.
