
[OJS 3.4] Document CGIPassAuth setting for API Authorization #9320

Open
kswro opened this issue Sep 25, 2023 · 5 comments
kswro commented Sep 25, 2023

Describe the bug
I am unable to authenticate to the REST API via the Authorization header as described on the page https://docs.pkp.sfu.ca/dev/api/ojs/3.4#tag/Authentication (403 Forbidden).

```
> GET /journal/api/v1/issues?count=4 HTTP/1.1
> Host: ojs.dvl.to
> User-Agent: insomnia/2023.2.0
> Cookie: OJSSID=1669db1b3b95485e42542709da720e2f
> Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ImNkMGQ1M2QxMmM3ZDY1YTA0YmE4Yzk1YjdlZGM3MWNiOTcwY2MxNzUi.XzQKQmNOdUdjvtSKa30yjQaEh6Cj9AmSYIGLJwyUMYk
> Accept: */*

* Mark bundle as not supporting multiuse

< HTTP/1.1 403 Forbidden
< Date: Mon, 25 Sep 2023 06:13:43 GMT
< Server: Apache/2.4.54 (Unix) OpenSSL/3.0.7
< X-Powered-By: PHP/8.2.1
< Via: 1.1 (null) (apache/2.4.54)
< Transfer-Encoding: chunked
< Content-Type: application/json
```

But if authentication uses the apiToken query parameter instead, the connection to the REST API can be established (200 OK).

```
> GET /journal/api/v1/issues?count=4&apiToken=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.ImNkMGQ1M2QxMmM3ZDY1YTA0YmE4Yzk1YjdlZGM3MWNiOTcwY2MxNzUi.XzQKQmNOdUdjvtSKa30yjQaEh6Cj9AmSYIGLJwyUMYk HTTP/1.1
> Host: ojs.dvl.to
> User-Agent: insomnia/2023.2.0
> Cookie: OJSSID=1669db1b3b95485e42542709da720e2f
> Accept: */*

* Mark bundle as not supporting multiuse

< HTTP/1.1 200 OK
< Date: Mon, 25 Sep 2023 06:19:03 GMT
< Server: Apache/2.4.54 (Unix) OpenSSL/3.0.7
< X-Powered-By: PHP/8.2.1
< Access-Control-Allow-Origin: *
< Via: 1.1 (null) (apache/2.4.54)
< Content-Length: 25
< Content-Type: application/json
```

To Reproduce
Steps to reproduce the behavior:

  1. Fresh Install
  2. Set api_secret_key (config.inc.php)
  3. Add API Token from user profile
  4. Add the API Token in an Authorization header with every request made to the API

What application are you using?
OJS 3.4.0-3

Additional information
Tested on production server and new (fresh) local installation.

touhidurabir (Member) commented

Unable to reproduce the issue in the latest stable 3.4.0-3 for local testing. Both the Authorization header and the apiToken query param work fine.

@kswro I see that you are using the Insomnia API client app for testing, and the same for me. See the screenshot below.

[Screenshot: CleanShot 2023-09-25 at 16 59 54@2x]

Do you see any error in the error log file?


kswro commented Sep 25, 2023

Hello @touhidurabir

Thank you for your reply. I didn't find any error logs on PHP and Apache.

However, I have found a solution to this problem. From this page I learned that various Apache modules will strip the Authorization header, usually for "security reasons".

So, based on the same source, I added the line below to the .htaccess file in my OJS public folder, and now I can connect to the REST API via the Authorization header:

```apache
CGIPassAuth on
```

Apart from the above line, I also tried another alternative, shown below, which also solved the problem.

```apache
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
```

Based on what I experienced (and many others), do you think the above problems and solutions can be added to the documentation?

FYI, I'm using Apache >2.4.54 and PHP 8.2 (FPM) in this test.
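The two fixes above work for the same reason: Apache does not hand the `Authorization` header to a CGI or FastCGI backend unless `CGIPassAuth` is on, or unless a rewrite rule copies it into an environment variable. The script below is an added illustration (not OJS code and not from this issue) of what the PHP side sees in each case and of how an API would then validate an HS256 bearer token. The `$_SERVER` key names are standard Apache/PHP behaviour; the secret, the token payload and the three simulated environments are constructed for the demo, and OJS's real token check is not reproduced here.

```php
<?php
// Added example (not OJS code): recover the Authorization header behind
// Apache CGI/FPM and validate an HS256 API token the way an API would.
declare(strict_types=1);

/**
 * Look up the Authorization header in a CGI-style $_SERVER array.
 *  - HTTP_AUTHORIZATION: present when Apache forwards the header (CGIPassAuth on).
 *  - REDIRECT_HTTP_AUTHORIZATION: the [E=HTTP_AUTHORIZATION:%1] variable may
 *    arrive under this name after Apache's internal redirect to index.php.
 * apache_request_headers() (when the SAPI provides it) returns what the
 * backend actually received; it cannot recover a header Apache never forwarded.
 */
function findAuthorizationHeader(array $server): ?string
{
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    if (function_exists('apache_request_headers')) {
        $headers = array_change_key_case(apache_request_headers(), CASE_LOWER);
        if (!empty($headers['authorization'])) {
            return $headers['authorization'];
        }
    }
    return null;
}

/** Accept only a well-formed "Bearer <token>" value. */
function extractBearerToken(?string $header): ?string
{
    if ($header === null || !preg_match('/^Bearer\s+(\S+)$/i', $header, $m)) {
        return null;
    }
    return $m[1];
}

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64UrlDecode(string $data): string|false
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($data, '-_', '+/'), true);
}

/** Verify an HS256 JWT with a constant-time comparison; return its payload or null. */
function verifyHs256Jwt(string $jwt, string $secret): mixed
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64UrlDecode($h) ?: '', true);
    // Pin the algorithm: never let the token choose how it is verified.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    $sig = base64UrlDecode($s);
    if ($sig === false || !hash_equals($expected, $sig)) {
        return null;
    }
    return json_decode(base64UrlDecode($p) ?: '', true);
}

// Constructed demo: one token, three Apache situations from the issue.
$secret  = 'constructed-demo-secret';           // stands in for api_secret_key
$head    = base64UrlEncode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
$payload = base64UrlEncode(json_encode('demo-api-key-id'));   // constructed key id
$token   = "$head.$payload." . base64UrlEncode(hash_hmac('sha256', "$head.$payload", $secret, true));

$cases = [
    'default: header stripped by Apache'     => [],
    'CGIPassAuth on'                         => ['HTTP_AUTHORIZATION' => "Bearer $token"],
    'RewriteRule [E=HTTP_AUTHORIZATION:%1]'  => ['REDIRECT_HTTP_AUTHORIZATION' => "Bearer $token"],
];
foreach ($cases as $label => $server) {
    $bearer = extractBearerToken(findAuthorizationHeader($server));
    $claims = $bearer === null ? null : verifyHs256Jwt($bearer, $secret);
    printf("%-40s -> %s\n", $label,
        $claims === null ? '403 (no valid token)' : "200 (token for $claims)");
}
```

Run it from the command line with `php auth-demo.php`: only the first simulated case produces the 403 seen in the issue, which is the quickest way to confirm that a header-based failure next to a working `apiToken` query is an Apache pass-through problem rather than a bad token.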

touhidurabir (Member) commented

@kswro I will discuss with other dev team members to see if it is possible to add a few details regarding this in the doc.


orcalator commented Jul 31, 2024

You should really add this note because I also experienced the same problem. If I didn't find this post I'd be spending a lot of time investigating what's going on. GG @kswro.

@kaitlinnewson kaitlinnewson reopened this Aug 13, 2024
@kaitlinnewson kaitlinnewson self-assigned this Aug 13, 2024
@kaitlinnewson kaitlinnewson changed the title [OJS 3.4] Authenticate API via Authorization Header Not Work [OJS 3.4] Document CGIPassAuth setting for API Authorization Aug 14, 2024
kaitlinnewson added a commit to kaitlinnewson/ojs that referenced this issue Oct 23, 2024

kaitlinnewson commented Oct 23, 2024

PRs for review:

@ewhanson are you the best person to review/merge this change to the API docs? I can also make the PR to the docs hub once approved.

Here's a screenshot of the change in my IDE's preview tool for easier review, where I've added the "Connection Issues" section:

[Screenshot 2024-10-23 at 2 22 56 PM]
