Rest Framework HTTP 403 Forbidden only in production

I'm unable to access my API root in production for some reason. I've even removed all permissions and added the below default permission classes in my settings.py

REST_FRAMEWORK = {
    'DEFAULT_PERMISSION_CLASSES': (
        'rest_framework.permissions.AllowAny',
    )
}

Even after removing permissions I get an HTTP 403 response

{ "detail": "Invalid username/password." }

It works fine on my local environment. Am I missing something?

Did you re-create the same users on production?

I didn't. Different superuser and different test user.

That's weird. Did you restart your webapp after making the changes?

To follow up. I did restart the app. I redeployed with the default permissions_classes in my production settings. Sadly get the same 403 error in the access log. Strange but it works locally, just not live. Thinking of deleting migrations and recreating the database next.

Thanks!

I just noticed that it works when I try to access it from mobile... but not on my laptop

Oh, it looks like you have password protection set for your webapp. That's possibly why? If you had logged in previously on your mobile so it remembers but you haven't done so on your laptop.

Ah I think it might be a caching issue? I can access the API in a new browser or in an incognito window.

Also one last issue! I'm trying to set environment variables in bash but I don't see a postactivate script in my virtualenv/bin/ directory.

Oh I see. I think you can just create a postactivate script/file and write into it.

So I can echo $SECRET_KEY and I get the correct secret key but when I try to run migrations I get

"django.core.exceptions.ImproperlyConfigured: The SECRET_KEY setting must not be empty"

So we believe $SECRET_KEY is in the environment. Do you also take it from the environment and assign it in django settings.py?

I have SECRET_KEY = os.environ['SECRET_KEY'] in my settings/production.py.

Do I need to assign it in bash?

Hmm could it be that you are running manage.py without using production settings? And instead using say settings/base etc?

I think I'm using the right command

./manage.py makemigrations --settings=myapp.settings.production

Weird. What happens if you just set SECRET_KEY = 'abcde' or something?

Hmmm. I set SECRET_KEY to 'abcde' in production.py and I was able to run the below command successfully.

./manage.py makemigrations --settings=myapp.settings.production

OK. So it sounds like your postactivate script hasn't been run yet. Are you sure you can echo $SECRET_KEY in the same console that you are trying to make migrations? After you changed postactivate, you need to workon the virtualenv again to get the env variables injected. And what happens if you try python manage.py instead of ./manage.py?

I have no idea what happened but after switching the secret key back it worked! I'm fairly new but I've always used "source virtualenvname/bin/activate". Is "workon" different?

Thanks for all of your help.

As far as I can tell, workon is just a bash function that invokes activate with some other cleanup so that if you're already in a virtualenv, it can deactivate the old one first.
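
Added example, not part of the original thread: one way that `echo $SECRET_KEY` can succeed while `os.environ['SECRET_KEY']` fails is a variable that is set in the shell but not exported, so child processes such as manage.py never see it. The function name `var_scope` and the variable `DEMO_KEY` are hypothetical; the check reports the scope without printing the secret's value.

```shell
# Classify a variable as "unset", "shell-only" or "exported" without ever
# printing its value (it may be a secret such as SECRET_KEY).
var_scope() {
    _vs_name=$1
    # Accept only a plain variable name, since it is passed to eval below.
    case $_vs_name in
        ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid"; return 2 ;;
    esac
    # ${VAR+x} expands to "x" when VAR is set, even to an empty string.
    eval "_vs_set=\${$_vs_name+x}"
    if [ -z "$_vs_set" ]; then
        echo "unset"
        return 1
    fi
    # printenv runs as a child process, so it only sees exported variables,
    # which is also all that os.environ inside manage.py can see.
    if printenv "$_vs_name" >/dev/null 2>&1; then
        echo "exported"
        return 0
    fi
    echo "shell-only"
    return 1
}

# Constructed demo value, not a real secret.
DEMO_KEY='constructed-value'     # assigned but not exported
var_scope DEMO_KEY || true       # prints: shell-only
export DEMO_KEY
var_scope DEMO_KEY               # prints: exported
```

Run `var_scope SECRET_KEY` in the same console that runs the migration; anything other than "exported" means Django will not find the key in its environment.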