Weblate: API Call does not get Authorized

Created on 12 Dec 2019 · 8 Comments · Source: WeblateOrg/weblate

Describe the bug
I tried to access the API, but I'm only getting back a 302 redirect to the login page.
My guess is the token does not get passed to weblate/uwsgi, or /api isn't even known.
If the token is not passed, a 401? Unauthorized should be returned.

Did I forget to enable something? I spent the whole day yesterday reading the docs and also the Django docs but could not find out what I'm missing.

To Reproduce
Steps to reproduce the behavior:
curl -H "Authorization: Token aUs1KFfoHCSG5s0...." https://weblate_url/api/ -v

What I tried:
I made sure the API token is correct and also re-generated it.
I tried the above curl from a local Debian machine and locally from the server.
Also tried via a PHP script.
I enabled DEBUG=True and set higher DEFAULT_THROTTLE_RATES in settings.py.
I added some configs to the Weblate nginx config file; I marked them with START/END added:
Server configuration and status

manage.py check --deploy
System check identified some issues:

WARNINGS:
?: (security.W004) You have not set a value for the SECURE_HSTS_SECONDS setting. If your entire site is served only over SSL, you may want to consider setting a value and enabling HTTP Strict Transport Security. Be sure to read the documentation first; enabling HSTS carelessly can cause serious, irreversible problems.
?: (security.W018) You should not have DEBUG set to True in deployment.

INFOS:
?: (weblate.I021) Error collection is not configured, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-3.9.1/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-3.9.1/admin/backup.html

System check identified 4 issues (1 silenced).

All 8 comments

Exclude API from login required URLs in LOGIN_REQUIRED_URLS_EXCEPTIONS.

Heya,

thank you, this works, BUT it also works without "Authorization" in the header.
I tried this, too, and forgot to write it down here :/

Cases
Authorization with valid token in header => works
Authorization with invalid token in header => 401
No Authorization in header => works...

(I reverted my changes for the cases)

It should not be publicly accessible without a token.
That's why I disabled it in LOGIN_REQUIRED_URLS_EXCEPTIONS again.
I thought it had to be disabled to be not public.

It lists whatever projects anonymous user has access to. Limiting this user will remove all objects from the API.

Ahhh thank you very much!
I will try it tomorrow 😅

Heya,

okay, that worked, I took all roles from anon.

The anon user was disabled. I think it would be right to check this and then not allow anon API access, or write it down in your documentation, because this could be a security issue. If the anon user is disabled, it should be handled like it is disabled and not allow anything.

The issue you have reported seems to be resolved now.

  • In case you see similar problem, please open separate issue.
  • If you are happy with the outcome, consider supporting Weblate by donating.

I think the anonymous user is disabled by default; it's just used to get permissions whenever somebody is unauthenticated. Login required removes this from the web, but it stays on the API, which is probably not expected. Maybe a better approach in this case is to change the REST Framework DEFAULT_PERMISSION_CLASSES.

I've added it to example config, Docker and docs.
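The two fixes discussed in this thread (exempting /api/ from the login-required URLs, and tightening the REST Framework permission class) act at different layers, and the thread's three curl cases only make sense once you see how they interact. The following is an added example, not Weblate's own code: a deliberately simplified Python model of the login-required middleware and of Django REST Framework's permission check, using the setting names the thread mentions (LOGIN_REQUIRED_URLS, LOGIN_REQUIRED_URLS_EXCEPTIONS, REST_FRAMEWORK DEFAULT_PERMISSION_CLASSES). The setting values, the regex matching, the status-code mapping and the token value are all assumptions made for the example; in the model the middleware inspects only the Django session user, because the Authorization: Token header is evaluated later by DRF, which is what reproduces the 302 from the original report.

```python
"""Added example: a simplified model of how Weblate's login-required
middleware and Django REST Framework's permission class combine on /api/.
Not Weblate's own code; setting names match the thread, but the values,
matching logic, status codes and token are assumptions/constructed."""
import re

# Setting names as used in Weblate's settings.py; the values are assumptions.
LOGIN_REQUIRED_URLS = (r"/(.*)$",)          # require login for every URL ...

# ... except these. The original report had no /api/ entry.
EXCEPTIONS_WITHOUT_API = (
    r"/accounts/(.*)$",   # login and registration pages must stay reachable
    r"/static/(.*)$",
)
EXCEPTIONS_WITH_API = EXCEPTIONS_WITHOUT_API + (r"/api/(.*)$",)

# REST_FRAMEWORK: weak setting (anonymous read-only access) beside the
# hardened one (credentials required for every API request).
REST_FRAMEWORK_WEAK = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticatedOrReadOnly",
    ],
}
REST_FRAMEWORK_HARDENED = {
    "DEFAULT_PERMISSION_CLASSES": [
        "rest_framework.permissions.IsAuthenticated",
    ],
}

VALID_TOKENS = {"constructed-example-token"}   # constructed sample credential
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def login_required_middleware(path, exceptions):
    """Model of the login-required middleware. It runs before any view and
    sees only the Django session user. An API client authenticates with an
    Authorization: Token header that DRF evaluates later, so here the client
    always looks anonymous: a matching, non-exempt path is redirected (302).
    Returns 302 for a redirect, None to let the request through."""
    if any(re.match(p, path) for p in exceptions):
        return None
    if any(re.match(p, path) for p in LOGIN_REQUIRED_URLS):
        return 302
    return None


def drf_permission(method, authenticated, rest_framework):
    """Model of the permission check DRF applies to an API view."""
    perm = rest_framework["DEFAULT_PERMISSION_CLASSES"][0].rsplit(".", 1)[-1]
    if perm == "IsAuthenticated":
        return authenticated
    if perm == "IsAuthenticatedOrReadOnly":
        return authenticated or method in SAFE_METHODS
    raise ValueError(f"unmodelled permission class {perm}")


def api_request(method, path, token, exceptions, rest_framework):
    """Status code the model returns for one request. token is the value of
    the Authorization: Token header, or None when the header is absent."""
    redirect = login_required_middleware(path, exceptions)
    if redirect:
        return redirect
    # Token authentication: a bad token is rejected before the view runs.
    if token is not None and token not in VALID_TOKENS:
        return 401
    authenticated = token is not None
    if drf_permission(method, authenticated, rest_framework):
        return 200
    # TokenAuthentication offers a challenge, so a denied anonymous request
    # is answered with 401 rather than 403.
    return 401


if __name__ == "__main__":
    good, bad = "constructed-example-token", "wrong-token"
    # Original report: valid token but /api/ not exempt -> 302 to login page
    print("no exception, valid token:",
          api_request("GET", "/api/", good, EXCEPTIONS_WITHOUT_API, REST_FRAMEWORK_WEAK))
    # After adding the exception with the default permission class: the
    # three cases from the thread (valid, invalid, no header)
    for label, t in (("valid", good), ("invalid", bad), ("none", None)):
        print("exception + IsAuthenticatedOrReadOnly,", label, "token:",
              api_request("GET", "/api/", t, EXCEPTIONS_WITH_API, REST_FRAMEWORK_WEAK))
    # Hardened: anonymous GET is now refused
    print("exception + IsAuthenticated, no token:",
          api_request("GET", "/api/", None, EXCEPTIONS_WITH_API, REST_FRAMEWORK_HARDENED))
```

Run stand-alone it prints 302 for the original report's configuration, then 200 / 401 / 200 for the reporter's three cases once /api/ is exempt, and 401 for an anonymous request once the permission class is IsAuthenticated. The check to run against a real instance is the same curl from the report, once with a valid token, once with a garbage token and once with no Authorization header: after hardening, only the first should return 200. Tightening DEFAULT_PERMISSION_CLASSES and stripping roles from the anonymous user, as the reporter did, are complementary; the first refuses unauthenticated API requests, the second limits what an unauthenticated request could see anywhere it is still served.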
