
I have a Django server on an EC2 container and I use Firebase to authenticate my users. To authenticate the user, I send an Authorization header with the Bearer token to my API and get the Firebase UID in the URL (see image attached).

My authentication works great when using a Windows PC, Mac, or Android phone, but when I try to log in to my web application from an iPhone on Safari or Chrome, I get a 500 Internal Server Error.

Going through Safari's debugger, I see that the initial request does have the Authorization token present, but it then goes through a 301 redirect response and the Authorization header is lost, so I can't authenticate the users. I believe this is what is causing the issue, as my Django server is receiving the Authorization header as blank.

[Image: Safari Debugger Response]

I tried writing middleware to maintain the headers but it did not work.

Also, I tried changing my CORS settings to explicitly state my methods and allowed headers, but it is still not working. Below are my current CORS settings on my Django server:

```python
CSRF_TRUSTED_ORIGINS = ['https://api.xxxxxxxxx.com', 'https://www.xxxxxxxxx.com']
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True
# django-cors-headers matches these names case-insensitively, so the duplicate
# entries of the original list ('Authorization'/'authorization', 'Accept',
# 'Origin', 'Content-Type', 'User-Agent') are collapsed into one each here.
CORS_ALLOW_HEADERS = [
    'authorization',
    'content-type',
    'x-csrftoken',
    'accept',
    'origin',
    'user-agent',
    'sec-fetch-mode',
    'X-LS-CORS-Template',
    'X-LS-Auth-Token',
    'X-LS-Auth-User Token',
    'X-LS-Sync-Result',
    'X-LS-Sequence',
    'token',
    'Bearer',
    'Authorization-Bearer',
    'Referer',
    'Host',
    'Connection',
]
CORS_ALLOW_METHODS = ['POST', 'GET', 'OPTIONS', 'DELETE']
```

Lastly, my Nginx configuration is as follows:

```nginx
server {
    server_name <api_host> <ip_address>;
    # The listen 443 ssl / certificate lines for this block are not shown in the post.

    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # nginx already forwards the client's Authorization header to the
        # upstream unchanged; these three lines are redundant but harmless.
        proxy_set_header Authorization $http_authorization;
        proxy_set_header X-Original-Authorization $http_authorization;
        proxy_set_header X-Proxy-Authorization $http_authorization;
    }
}

server {
    # Any plain-http request for the API host is answered with a 301 to https.
    if ($host = <api_host>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name <api_host> <ip_address>;
    return 404; # managed by Certbot
}
```

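The redirect the poster sees in the Safari debugger is the place to look. Under the Fetch standard, a browser that follows a redirect to a URL whose origin differs from the current one (scheme, host or port changes) removes the Authorization header before re-issuing the request; the Certbot `return 301 https://...` block in the nginx config above is exactly such a hop, and no server-side middleware or `proxy_set_header` line can restore a header the browser never sent. The script below is an added example, not code from the question or from Django, nginx or Firebase: it walks a redirect chain as you would copy it out of the browser's network tab and reports the first hop on which the header is lost. The sample chain is constructed (the `api.example.com` host, the `/users/abc123` path and the second trailing-slash redirect in the style of Django's `APPEND_SLASH` are assumptions, not what the poster's server returned).

```python
"""
Classify each hop of a redirect chain and flag the hops on which a browser
drops the Authorization header.

Per the Fetch standard, when a redirect target is not same-origin with the
current request URL (scheme, host or port differ) the browser removes the
Authorization header before following it. An http:// -> https:// 301 is
therefore always such a hop.
"""
from urllib.parse import urlsplit, urljoin

# Default ports so that "http://host" and "http://host:80" compare equal.
_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str):
    """Return the (scheme, host, port) origin tuple for a URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or _DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def trace_redirects(start_url: str, hops):
    """
    hops: list of (status_code, location_header) pairs in the order received.
    Returns one dict per hop with 'from', 'to', 'status', 'cross_origin',
    'auth_dropped' and 'reason'. auth_dropped is sticky: once the browser has
    dropped Authorization it stays gone for the rest of the chain.
    """
    results = []
    current = start_url
    dropped = False
    for status, location in hops:
        target = urljoin(current, location)  # Location may be relative
        cross = origin(current) != origin(target)
        reasons = []
        if cross:
            for name, x, y in zip(("scheme", "host", "port"),
                                  origin(current), origin(target)):
                if x != y:
                    reasons.append(f"{name} {x!r} -> {y!r}")
            dropped = True
        elif urlsplit(target).path == urlsplit(current).path + "/":
            # Same-origin, so Authorization survives; still worth knowing
            # about, since it is a round trip the client could avoid.
            reasons.append("trailing-slash redirect (Django APPEND_SLASH style)")
        results.append({
            "from": current,
            "to": target,
            "status": status,
            "cross_origin": cross,
            "auth_dropped": dropped,
            "reason": "; ".join(reasons) or "same-origin",
        })
        current = target
    return results


def first_dropping_hop(trace):
    """Index of the first hop that lost Authorization, or None if none did."""
    for i, hop in enumerate(trace):
        if hop["auth_dropped"]:
            return i
    return None


# Constructed sample chain (not taken from the poster's debugger): the client
# calls the API over plain http with no trailing slash, the Certbot block
# 301s to https, then Django's APPEND_SLASH 301s again to add the slash.
SAMPLE_START = "http://api.example.com/users/abc123"
SAMPLE_HOPS = [
    (301, "https://api.example.com/users/abc123"),  # Certbot http -> https
    (301, "/users/abc123/"),                          # Django APPEND_SLASH
]

if __name__ == "__main__":
    for i, hop in enumerate(trace_redirects(SAMPLE_START, SAMPLE_HOPS)):
        flag = "AUTH DROPPED" if hop["auth_dropped"] else "auth kept"
        print(f"hop {i}: {hop['status']} {hop['from']} -> {hop['to']} "
              f"[{hop['reason']}] {flag}")
```

Run it against the chain copied from the Safari network tab; if the first flagged hop is the http-to-https 301, the fix is on the client side: call the API at its final `https://` URL (with the trailing slash Django expects) so that no redirect happens at all, rather than trying to preserve the header in middleware or nginx.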
