Setting `authorization` header with token on POST/PATCH requests to federated servers
Related to https://git.startinblox.com/applications/sib-app/issues/324
The issue
- I log in as a user on test2.startinblox.com
- I click "Join Circle" on a federated circle from api.test1.startinblox.com. I don't have a backlinked account with test1
- I receive a 403
The theory

The request headers are as follows:
POST /circles/1/members/ HTTP/1.1
Host: api.test1.startinblox.com
Connection: keep-alive
Content-Length: 749
Sec-Fetch-Dest: empty
User-Agent:
content-type: application/ld+json
Accept: */*
Origin: https://test2.startinblox.com
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Referer: https://test2.startinblox.com/admin
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: csrftoken=t6ALe0NAiZUumgHZ9fGUeo4JKq7W9n7w8RrApEPnoRcJvNrL5Y1vjjIfKC20w34f; sessionid=ajgwpskjjtybage3xh72p2yak9l60vri
Note that the HTTP authorization header is missing; it should contain the token.
The backend is written to
- decode this token https://git.startinblox.com/djangoldp-packages/djangoldp-account/blob/master/djangoldp_account/auth/backends.py#L29
- check, basically, that the decoded issuer is the same as the user's webid
- create a backlinked user or get the existing one https://git.startinblox.com/djangoldp-packages/djangoldp-account/blob/master/djangoldp_account/auth/backends.py#L50
Do you know why this token is missing from the request, and can we attach it?
Edited by Clément
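As an added worked example (not part of the issue and not djangoldp-account's own code): a stdlib-only Python model of the three backend steps the report lists, run once against the captured request above (no `authorization` header) and once with a bearer token attached. The token format (an HS256 JWT with a shared secret), the claim names `iss`/`sub`, and the exact issuer-vs-webid rule are assumptions made for this example; the headers in `CAPTURED_HEADERS` are transcribed from the issue's capture.

```python
"""Constructed model of the token check described in the issue.

Mimics the three steps the report lists for the backend: decode the
bearer token, compare its issuer with the user's webid, get-or-create a
backlinked user. It is not the djangoldp-account implementation. The
HS256-with-shared-secret token format is an assumption for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"example-shared-secret"  # assumption: shared HS256 secret

# Subset of the request headers captured in the issue (no Authorization).
CAPTURED_HEADERS = {
    "Host": "api.test1.startinblox.com",
    "content-type": "application/ld+json",
    "Origin": "https://test2.startinblox.com",
    "Referer": "https://test2.startinblox.com/admin",
    "Cookie": "csrftoken=...; sessionid=...",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(issuer: str, webid: str, secret: bytes = SECRET, ttl: int = 300) -> str:
    """Mint a constructed HS256 JWT carrying the issuer and the user's webid."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(
        {"iss": issuer, "sub": webid, "exp": int(time.time()) + ttl}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_token(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Verify signature and expiry before trusting any claim; None on failure."""
    try:
        h, p, s = token.split(".")
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except ValueError:  # malformed base64 / JSON / wrong number of parts
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims


def authenticate(headers: dict, users: dict) -> Optional[dict]:
    """Return the (possibly newly backlinked) user for a request, or None.

    headers: request headers, matched case-insensitively.
    users:   local user table keyed by webid; a backlinked entry is added
             in place when the token names a webid not seen before.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if not auth.startswith("Bearer "):
        return None  # the session cookie alone identifies nobody on this server
    claims = decode_token(auth[len("Bearer "):])
    if claims is None:
        return None
    issuer, webid = claims.get("iss", ""), claims.get("sub", "")
    # Assumed rule: the webid must live under the issuer that signed the token.
    if not issuer or not webid.startswith(issuer.rstrip("/") + "/"):
        return None
    if webid not in users:
        users[webid] = {"webid": webid, "backlinked": True}  # get-or-create
    return users[webid]


def captured_request_user() -> Optional[dict]:
    """The request as captured: no token, so no user (the backend answers 403)."""
    return authenticate(CAPTURED_HEADERS, {})


def request_with_token_user() -> Optional[dict]:
    """Same request with the token attached: a backlinked user is created."""
    token = make_token("https://test2.startinblox.com",
                       "https://test2.startinblox.com/users/alice/")
    return authenticate({**CAPTURED_HEADERS, "Authorization": f"Bearer {token}"}, {})


if __name__ == "__main__":
    print("captured request ->", captured_request_user())
    print("with token       ->", request_with_token_user())
```

The point the model makes visible: the `Cookie` header travels automatically on the same-site request, but it only names a session on api.test1, which this user does not have; the bearer token has to be attached by the client explicitly, and only a signature-checked token whose webid sits under its issuer yields a backlinked user.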