
I have a Symfony 2.8 API, which serves data to a React webapp; everything was working perfectly before. I am using LexikJWTAuthenticationBundle + Guard to authenticate /api.

The auth headers are missing from my request only in production. Locally everything is working fine. I am using Postman for testing.

Production Request headers:

object(Symfony\Component\HttpFoundation\HeaderBag)#10 (2) {
  ["headers":protected]=>
  array(9) {
    ["cache-control"]=>
    array(1) {
      [0]=>
      string(8) "no-cache"
    }
    ["postman-token"]=>
    array(1) {
      [0]=>
      string(36) "9ad903a8-9f35-4ecf-8da3-dddb1f8ff2ca"
    }
    ["user-agent"]=>
    array(1) {
      [0]=>
      string(20) "PostmanRuntime/6.2.5"
    }
    ["accept"]=>
    array(1) {
      [0]=>
      string(3) "*/*"
    }
    ["host"]=>
    array(1) {
      [0]=>
      string(16) "pro.musehall.com"
    }
    ["cookie"]=>
    array(1) {
      [0]=>
      string(36) "PHPSESSID=6ca4iil63v2fiadfdpfnb6vlq4"
    }
    ["accept-encoding"]=>
    array(1) {
      [0]=>
      string(13) "gzip, deflate"
    }
    ["connection"]=>
    array(1) {
      [0]=>
      string(10) "keep-alive"
    }
    ["x-php-ob-level"]=>
    array(1) {
      [0]=>
      int(1)
    }
  }

Local Request headers:

object(Symfony\Component\HttpFoundation\HeaderBag)#10 (2) {
  ["headers":protected]=>
  array(10) {
    ["authorization"]=>
    array(1) {
      [0]=>
      string(938) ""Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXUyJ9.eyJlbWFpbCI6Im5pY29sYXNAYXB4LWRldi5jb20iLCJpZCI6OTExMTExNDExLCJhcGlLZXkiOiJhNGExZjM3NjQwZDkzM2UwYjRlYzg4ZDBiY2VjMjgyODNkYTRjNzU1IiwiZmlyc3RuYW1lIjoiTmljb2xhcyIsImxhc3RuYW1lIjoiQXB4IiwiaWF0IjoiMTUwMzk1NzYyNSJ9.j1hLlRoVNSkS5UotPGuV1PsVgePGb9BQSxceBrE2oxilpXNJUApfwHJ4iGjhvjtAugBO5LTd9EF4_cTSlh9NxGy_oTRalH8EeM8BNE2tK6WTvxiC-B0hxRl9ifmKfIVdNZm4_l6NFZaYGdE7isQozPj8stwjfWkitUg5cRSLCztKmXAc8fU4DttFzLMUi7G2cB1JxeWxYpXSmy_DNrVeDzvEt86MmE7xCuO79kk6MBDC4P848NOOZLTy8hMKpXFwqHV0A8voJTVNGJZZWIrX2GiUBQZxZBquJyqRgO3C2bboHQChPF_ETZ1Wj7OvCMwIsqAFPIasPZqcK3eBMmAde9CAWQ_a7-_izk5iBD6wbSrCVMd_NDpATsKK5uqI23Kvm5PY8A__TpYMI7DmIKd6NZe2WaBIA9nIkPLNWgomy_OUISsR1DfTUgpX9R_lT5odqDxLfHU17pEhrXnwMoghYQFN2oZuqtC6wwht05qDVvCvNMpM3VLqySus7j7lUogjEMawW-WvmUhVqnCJ079ZkpqU-CDTKOwt2rS63Y3ojGKCc3_faFNlB1T_Arm1M91ukfzSZS3uctkm9Sfcfwt8KMizWvmLpYbs7Mj6QsAhseNbW9MZ2kger_BvRSCOc0rhWWVylZ_n0ra5wz5yJbgoKo252YxMWhqW5YGPDAH6xZE""
    }
    ["cache-control"]=>
    array(1) {
      [0]=>
      string(8) "no-cache"
    }
    ["postman-token"]=>
    array(1) {
      [0]=>
      string(36) "144afa4f-c482-4a30-8369-2a4b2f6e1a29"
    }
    ["user-agent"]=>
    array(1) {
      [0]=>
      string(20) "PostmanRuntime/6.2.5"
    }
    ["accept"]=>
    array(1) {
      [0]=>
      string(3) "*/*"
    }
    ["host"]=>
    array(1) {
      [0]=>
      string(12) "musehall.dev"
    }
    ["cookie"]=>
    array(1) {
      [0]=>
      string(36) "PHPSESSID=22v5la94j3m97mr54c31um67g2"
    }
    ["accept-encoding"]=>
    array(1) {
      [0]=>
      string(13) "gzip, deflate"
    }
    ["connection"]=>
    array(1) {
      [0]=>
      string(10) "keep-alive"
    }
    ["x-php-ob-level"]=>
    array(1) {
      [0]=>
      int(1)
    }
  }
  ["cacheControl":protected]=>
  array(1) {
    ["no-cache"]=>
    bool(true)
  }
}

As you can see, the token is missing on the production server.

The only thing that I changed lately is that I renewed my certbot certificate.

Lexik config:

# json web token bundle
lexik_jwt_authentication:
    private_key_path: "%jwt_private_key_path%"
    public_key_path:  "%jwt_public_key_path%"
    pass_phrase:      "%jwt_key_pass_phrase%"
    token_ttl:        "%jwt_token_ttl%"

Any idea?


1 Answer


Probably due to apache stripping Authorization headers. See "Important note for apache users" in the bundle's documentation.

Apache server will strip any Authorization header not in a valid HTTP BASIC AUTH format.

If you intend to use the authorization header mode of this bundle (and you should), please add these rules to your VirtualHost configuration:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

answered 2017-09-03T13:47:30.397
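As an added example (not part of the question, the answer or the Lexik bundle), a one-file diagnostic for the production host that tells whether the Authorization header survives Apache at all and, if so, through which server variable it arrives; the file name, the placeholder hostname in the comment and the Bearer-shape check are assumptions.

```php
<?php
// authcheck.php: added diagnostic, not from the question, the answer or the Lexik bundle.
// Place it on the production host, request it with
//   curl -H "Authorization: Bearer a.b.c" https://example.invalid/authcheck.php   (placeholder host)
// and delete it afterwards.
declare(strict_types=1);

/**
 * Locate the Authorization value in the places Apache/PHP can expose it.
 * The first two are the variables Symfony's ServerBag reads; the third is the
 * raw header (mod_php only). Returns ['source' => ..., 'value' => ...] or null.
 *
 * @param array<string,mixed>  $server  normally $_SERVER
 * @param array<string,string> $apache  normally apache_request_headers(), [] elsewhere
 */
function findAuthorizationHeader(array $server, array $apache): ?array
{
    $apache = array_change_key_case($apache, CASE_LOWER);   // HTTP/2 clients send lowercase names
    $candidates = [
        // set by the RewriteRule [E=HTTP_AUTHORIZATION:%1] placed in a <VirtualHost>
        'HTTP_AUTHORIZATION'                      => $server['HTTP_AUTHORIZATION'] ?? null,
        // same rule placed in .htaccess: the internal redirect prefixes the variable
        'REDIRECT_HTTP_AUTHORIZATION'             => $server['REDIRECT_HTTP_AUTHORIZATION'] ?? null,
        // mod_php only: the header as received, untouched by the CGI variable filter
        'apache_request_headers()[authorization]' => $apache['authorization'] ?? null,
    ];
    foreach ($candidates as $source => $value) {
        if (is_string($value) && $value !== '') {
            return ['source' => $source, 'value' => $value];
        }
    }
    return null;
}

/** True when the value has the "Bearer <header>.<payload>.<signature>" shape (no quotes, no spaces). */
function looksLikeBearerJwt(string $value): bool
{
    return preg_match('/^Bearer\s+[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/', $value) === 1;
}

header('Content-Type: text/plain');
$found = findAuthorizationHeader($_SERVER, function_exists('apache_request_headers') ? apache_request_headers() : []);
// Report only where the header landed, never the token itself: this file may be forgotten on the server.
if ($found === null) {
    echo "Authorization header never reached PHP: Apache dropped it. Add the RewriteCond/RewriteRule\n"
       . "from the answer (or CGIPassAuth On on Apache >= 2.4.13) and retest.\n";
} elseif (!looksLikeBearerJwt($found['value'])) {
    echo "Header reached PHP via {$found['source']} but is not a plain 'Bearer <JWT>' value; check the client.\n";
} else {
    echo "OK: Bearer token reached PHP via {$found['source']}; Symfony's HeaderBag will expose it.\n";
}
```

Run it once with the header and once without: the first case should print the OK line, and a "never reached PHP" result with the header present confirms the answer's diagnosis rather than a client-side problem.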