Flask not using curl auth

Question

I'm running an Flask application, using apache with mod_wsgi, with my own ssl certificate (self-signed), i use also the Flask-HTTPAuth lib (https://flask-httpauth.readthedocs.org/en/latest/) and i do use BasicAuth

app.auth = HTTPBasicAuth()

I'm trying to test the api with curl but my flask app is not logging me in.

This is the curl line

/usr/bin/curl -H 'Accept: application/json' -H 'Content-type: application/json' -u 'user:mypasswd' --cacert path_to/rootCA.crt --key path_to/backend.key --cert path_to/backend.crt -X POST -d '{}' -vvv https://my_url:443/api/1.0/code/create

There is the answer from the server

* Hostname was NOT found in DNS cache
*   Trying ** ...
* Connected to ** (**) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: path_to/rootCA.crt
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using ECDHE-RSA-AES256-GCM-SHA384
* Server certificate:
*    subject: ***
*    start date: 2015-10-20 13:22:20 GMT
*    expire date: 2017-03-03 13:22:20 GMT
*    common name: *** (matched)
*    issuer: ***
*    SSL certificate verify ok.
* Server auth using Basic with user 'user'
> POST //api/1.0/code/create HTTP/1.1
> Authorization: Basic amFtZXM6TDMgbDFuZCEgQHYgczBsMyFM
> User-Agent: curl/7.35.0
> Host: ***
> Accept: application/json
> Content-type: application/json
> Content-Length: 83
>
* upload completely sent off: 83 out of 83 bytes
< HTTP/1.1 401 UNAUTHORIZED
< Date: Wed, 21 Oct 2015 12:29:17 GMT
* Server Apache/2.4.7 (Ubuntu) is not blacklisted
< Server: Apache/2.4.7 (Ubuntu)
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Authentication Required"
< Content-Length: 19
< Content-Type: text/html; charset=utf-8
<
* Connection #0 to host ***m left intact
Unauthorized Access

There is an Authorization header create by the -u option. but yet in my flask app there is no user or password given.

@app.auth.verify_password
def verify_password(username, passwd):
  print "USername [%s] [%s]" % (username, passwd)
  return False

The ouput given is:

USername [] []

So my question is how to give username and password for the verify_password decorator with curl ?

Thank you.

Answer 1

You need to configure mod_wsgi to pass authorization headers to your flask application.

From the Flask-HTTPAuth docs:

Be aware that some web servers do not pass the Authorization headers to the WSGI application by default.

also, from the docs for verify_password:

If this callback is defined, it is also invoked when the request does not have the Authorization header with user credentials, and in this case both the username and password arguments are set to empty strings.

... this can explain the output you are seeing.

Since you are using Apache with mod_wsgi you should set the WSGIPassAuthorization directive to On (its default is Off) in your Apache configuration.

Answer 2

Thanks @jeremy-allen it was that.

So if something like this blocks you (and that you're using mod_wsgi).

Follow the links: https://flask-httpauth.readthedocs.org/en/latest/#deployment-considerations and https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization

You probably miss the WSGIPassAuthorization variable in your apache configuration.

Thanks.