aiohttp filtering out "Authorization" header

[riccardocagnasso]

Apparently aiohttp is filtering out the "Authorization" header in aiohttp.wsgi:69 in create_wsgi_environ.

This bug was found while using aiopyramid + jwtauth, you can find more details (and an example project) on housleyjk/aiopyramid#14

[redixin]

It seems my bad. According to wsgi and cgi specs, AUTHORIZATION header should be removed, but.

In our case, server does no handle any basic auth stuff, so this headers may only be handled at application level, so aiohttp should not remove it.

[riccardocagnasso]

Well it's very likely that the authorization is handled at application level in any case, i wonder what is the rationale behind that spec.

Anyway, thanks.

[redixin]

@riccardocagnasso it often handled by webserver (nginx auth_basic and auth_basic_user_file, apache AuthType and AuthUserFile). In this case webserver removes raw AUTHORIZATION header and may add own header, like HTTP_REMOTE_USER.

[riccardocagnasso]

Yes, of course, but that's always optional because you can only go so far with basic authentication

[lock]

This thread has been automatically locked since there has not been
any recent activity after it was closed. Please open a new issue for
related bugs.

If you feel like there's important points made in this discussion,
please include those exceprts into that new issue.