Rest calls in DEV Env everytime response a 401 Unauthorized, PROD works fine

Question

I use a rest api. In production all calls are working. In dev environment it fails everytime with 401. There is a custom user api provider and it checks if user has api access. Login is http_basic with user credentials.

I tried several things to find out what the problem is. But nothing works.

I made a debug output in UserApiProvider, but i wont be called.

security.yaml

providers:
        user_provider:
            id: dashboard.user_provider.email
        api_provider:
            id: dashboard.user_provider.api
        internal_provider:
            id: dashboard.user_provider.internal

    firewalls:
        dev:
            pattern:  ^/(_(profiler|wdt)|css|images|js)/
            security: false

        internal_status:
            pattern: ^/internal/status$
            stateless: true
            http_basic:
                provider: internal_provider

        api:
            pattern: ^/api/
            stateless: true
            http_basic:
                provider: api_provider

        main:
            pattern: ^/
            form_login:
                provider: user_provider
                failure_handler: security.login_failure_handler
                success_handler: security.login_success_handler
                csrf_provider: security.csrf.token_manager
            logout:
                csrf_provider: security.csrf.token_manager
                success_handler: security.custom_logout_success_handler
            anonymous: true
            switch_user: true

ApiUserProvider

class ApiUserProvider extends UserProvider
{
    /**
     * {@inheritDoc}
     */
    protected function findUser($username)
    {
        /** @var User $user */
        $user = $this->userManager->findUserByEmail($username);

        if ($user && !$user->hasApiAccess()) {
            return null;
        }

        return $user;
    }
}

Error will be:

{"error":{"code":401,"message":"Unauthorized","exception":[{"message":"You are not authenticated","class":"Symfony\Component\HttpKernel\Exception\HttpException","trace":[{"namespace":"","short_class":"","class":"","type":"","function":"","file":"/dashboard/lib/vendor/friendsofsymfony/rest-bundle/FOS/RestBundle/EventListener/AccessDeniedListener.php","line":77,"args":[]},{"namespace":"FOS\RestBundle\EventListener","short_class":"AccessDeniedListener","class":"FOS\RestBundle\EventListener\AccessDeniedListener","type":"->","function":"onKernelException","file":"/dashboard/lib/vendor/symfony/symfony/src/Symfony/Component/EventDispatcher/Debug/WrappedListener.php","line":61,"args":[["object","Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent"],["string","kernel.exception"],["object","Symfony\Component\HttpKernel\Debug\TraceableEventDispatcher"]]}

...

From dev.log

[request ERROR] Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\HttpException: "You are not authenticated" at /dashboard/lib/vendor/friendsofsymfony/rest-bundle/FOS/RestBundle/EventListener/AccessDeniedListener.php line 77 {"exception":"[object] (Symfony\\Component\\HttpKernel\\Exception\\HttpException(code: 0): You are not authenticated at /dashboard/lib/vendor/friendsofsymfony/rest-bundle/FOS/RestBundle/EventListener/AccessDeniedListener.php:77, Symfony\\Component\\Security\\Core\\Exception\\AuthenticationCredentialsNotFoundException(code: 0): A Token was not found in the TokenStorage. at /dashboard/lib/vendor/symfony/symfony/src/Symfony/Component/Security/Http/Firewall/AccessListener.php:51)"}

Does anyone have some ideas?

Kind regards, Kai

Answer 1

Of course, I thought it was an problem with the application.

Problem was the missing authentication header for php-cgi. on my prod engine are mod_php and local cgi :/

Workaround for missing Authorization header under CGI/FastCGI Apache:
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0