
I have a Django server on an EC2 container, and I use Firebase to authenticate my users. To authenticate the user, I use an Authorization header with the Bearer token on my API and get the Firebase UID in the URL (see image attached).

My authentication works great when using a Windows PC, Mac, or Android phone, but when I try to log in to my web application from an iPhone on Safari or Chrome, I get a 500 Internal Server Error.

Going through Safari's debugger, I see that the initial request does have the Authorization token present, but then it goes through a 301 redirect response and the Authorization header is lost, and therefore I can't authenticate the users. I believe this is what is causing the issue, as my Django server is receiving the Authorization header as blank.

[Image: Safari Debugger Response]

I tried writing middleware to maintain the headers, but it did not work.

I also tried changing my CORS settings to explicitly state my methods and allowed headers, but it is still not working. Below are my current CORS settings on my Django server:

```python
CSRF_TRUSTED_ORIGINS = ['https://api.xxxxxxxxx.com', 'https://www.xxxxxxxxx.com']

CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True
CORS_ALLOW_HEADERS = [
    'authorization',
    'content-type',
    'x-csrftoken',
    'accept',
    'origin',
    'user-agent',
    'sec-fetch-mode',
    'Accept',
    'Origin',
    'Content-Type',
    'X-LS-CORS-Template',
    'X-LS-Auth-Token',
    'X-LS-Auth-User Token',
    'Content-Type',
    'X-LS-Sync-Result',
    'X-LS-Sequence',
    'token',
    'Authorization',
    'Bearer',
    'Authorization-Bearer',
    'Accept',
    'Origin',
    'Referer',
    'User-Agent',
    'Host',
    'Connection',
]

CORS_ALLOW_METHODS = ['POST', 'GET', 'OPTIONS', 'DELETE']
```

Lastly, my Nginx configuration is as follows:

```nginx
# HTTPS server block (the opening "server {" and the listen/ssl directives
# were not part of the posted excerpt; only the brace is added here so the
# block is syntactically complete)
server {
    server_name <api_host> <ip_address>;

    location / {
        proxy_pass http://localhost:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Authorization $http_authorization;
        proxy_set_header X-Original-Authorization $http_authorization;
        proxy_set_header X-Proxy-Authorization $http_authorization;
    }
}

# Plain-HTTP server block: 301 to HTTPS, as written by Certbot
server {
    if ($host = <api_host>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name <api_host> <ip_address>;
    return 404; # managed by Certbot
}
```
