PythonAnywhere Forums

401 unauthorised due to request http header order

Hi all, I've just deployed my application to pythonanywhere and it all seems to be running fine except for one blocking issue.

When my App makes an authenticated request, it does so with the following headers:

   "Authentication-Token": "XXXX",
   "Content-Type": "application/json"

When I make a request with the above header order, I get a '401 Unauthorized' - Now the issue seems to be the order of the headers - and I've replicated this with Postman - when the 'Content-Type' header is before 'Authentication-Token' then the request works as expected. i.e:

   "Content-Type": "application/json",
   "Authentication-Token": "XXXX"

Everywhere I've looked online, says that header order shouldn't matter. On the client side I'm using AngularJS and Ionic, and there doesn't appear to be any way to control the order - it comes through ordered alphabetically as far as I can tell due to it using hash-keys as the enumeration anchor.

When I develop locally, I don't have any issues - so it appears to be something that the web server or flask framework needs to be configured to handle.

Anyone have any ideas that don't require me to modify AngularJS (joking, obviously...)

Best -Danu

that certainly sounds weird- also agree that the order shouldn't matter.

maybe the auth token is diff/being overwritten?

A colleague managed to help find a work around this issue by setting the key for the auth token lookup to X-Authentication-Token (did this in Flask-security by setting app.config['SECURITY_TOKEN_AUTHENTICATION_KEY'].

We also found that my Flask-cache @cache decorations on my @route functions was causing issues occasionally with auth as well, so pushed the caching deeper (so that the request's were never cached, rather the data/db fetches inside those routes)

Hope this is helpful to someone in the future & thanks for the responses so far