SimpleJWT integration doesn't take into account the settings AUTH_HEADER_NAME

[Smixi]

Hi, just figuring this out today because I had to use a custom header for simplejwt auth

Describe the bug
SimpleJwt can be configured by using a dict in the settings.py of a django project.
SIMPLE_JWT = { 'AUTH_HEADER_NAME' : "HTTP_X_TOKEN" # translate to X-token as header. }
But the current implementation doesn't take this settings into account :

`class SimpleJWTScheme(OpenApiAuthenticationExtension):
target_class = 'rest_framework_simplejwt.authentication.JWTAuthentication'
name = 'jwtAuth'

def get_security_definition(self, auto_schema):
    from rest_framework_simplejwt.settings import api_settings

    if len(api_settings.AUTH_HEADER_TYPES) > 1:
        warn(
            f'OpenAPI3 can only have one "bearerFormat". JWT Settings specify '
            f'{api_settings.AUTH_HEADER_TYPES}. Using the first one.'
        )
    return {
        'type': 'http',
        'scheme': 'bearer',
        'bearerFormat': api_settings.AUTH_HEADER_TYPES[0],
    }`

Where the return should become something I guess like
{'type':'apiKey', 'in': 'header', 'name': api_settings.SIMPLE_JWT['AUTH_HEADER_NAME']}

To Reproduce

Change simplejwt header setting.

Expected behavior

Authentication should scheme should follow simplejwt settings.

I may have time to make a PR if needed.

[tfranzel]

Hi, this should actually already be fixed in 0.17.3 i believe. i fixed that along with #467. can you confirm it is not working for the most recent version?

[Smixi]

Hi, this should actually already be fixed in 0.17.3 i believe. i fixed that along with #467. can you confirm it is not working for the most recent version?

I think it fixed only the type (JWT, Bearer), not the header name : While using a custom name :

But using this (custom class for my project):

 return {
            'type': 'apiKey',
            'in': 'header',
            'name': getattr(settings, 'SIMPLE_JWT')['AUTH_HEADER_NAME'],
        }
(using a higher priority)

Note that as its not the Authorization header, it cannot append Bearer, and client will need to do that manually.

[Smixi]

Hi, this should actually already be fixed in 0.17.3 i believe. i fixed that along with #467. can you confirm it is not working for the most recent version?

Wait, lemme check with the most updated version, I may an older one.

[tfranzel]

the code snippet you posted is not the current state of the code:

drf-spectacular/drf_spectacular/contrib/rest_framework_simplejwt.py

Line 64 in c04c585

header_name = getattr(api_settings, 'AUTH_HEADER_NAME', 'HTTP_AUTHORIZATION')

this was changed prior to 0.17.3 release

[Smixi]

It is half working for the last 0.17.3👍 . But I have an error with the same, my key is the following : HTTP_IOC_ACCESS_TOKEN, but it translates to :

Which give me an error when trying to pass the token (as the header is not recognized by simplejwt) :

[tfranzel]

Due to limitations in the OpenAPI 3.0.3 specification, you need to actually prefix the value with AUTH_HEADER_TYPES.

That means you need to put Bearer XYZTOKEN into that field. that is what that comment is trying to tell you. does it work then?

[Smixi]

I may need to check out but right know the header is not recognized (other way it would also say wrong credential), even with Bearer. I'll try out by changing the name

[tfranzel]

i suggest trying to construct a curl command that works and work back from there.

all i can think of at this point is maybe the casing of the header name, but that should in theory work as it does for HTTP_AUTHENTICATON and Authentication: ....

[Smixi]

The header is using underscore instead of dash, using :

it works, but using

it does not.

[Smixi]

Using Curl : ➜ ioc git:(develop) ✗ curl -X 'GET' \

'http://127.0.0.1:8000/ioc-manager/api/iocs/'
-H 'accept: application/json'
-H 'Ioc_access_token: Bearer toto'
-H 'X-CSRFToken: u0dGquwTML5cL3GRTUT6ZXZUqEtVzKLN81nrorTURgUAqYeWadFrWbPQt3EgEFTK'
{"detail":"Authentication credentials were not provided."}%
➜ ioc git:(develop) ✗ curl -X 'GET'
'http://127.0.0.1:8000/ioc-manager/api/iocs/'
-H 'accept: application/json'
-H 'Ioc-access-token: Bearer toto'
-H 'X-CSRFToken: u0dGquwTML5cL3GRTUT6ZXZUqEtVzKLN81nrorTURgUAqYeWadFrWbPQt3EgEFTK'
{"detail":"Given token not valid for any token type","code":"token_not_valid","messages":[{"tokenClass":"AccessToken","tokenType":"access","message":"Token is invalid or expired"}]}%

[tfranzel]

ok so this is a django/nginx gotcha:

https://github.com/django/django/blob/ca9872905559026af82000e46cde6f7dedc897b6/django/core/servers/basehttp.py#L181

headers containing underscores are discarded apparently. we would need to convert AUTH_HEADER_TYPES underscores to dashes in addition to the capitalize() call. django then convert dashes to underscores and everything should work

[Smixi]

Exactly (I was surpised by not being able to see the header in the meta field ^^'). !

[tfranzel]

that should do it. release will take circa 2 weeks as i like to collect a few issues per release. please test if the fix works as expected.

[Smixi]

Works fine for me with this code :).