
API HTTP 401 ("Authentication failed: invalid or missing user/password or session cookie.")


#1

Situation: we created our own TestRail server (in trial version still), using LDAP/AD. Everything works as expected including the Jira integration, except the API. No matter what we try we cannot authenticate. HTTP 401 (“Authentication failed: invalid or missing user/password or session cookie.”)

I tried the following via CURL (CLI), PHP, Postman, VisualJSON and some other tools all with the same result:

username: [email address]
password: [API key]

I created several API keys and made sure they are indeed saved. I disabled AD authentication and still got the same error. I tried without AD authentication and e-mail address and my normal password, still nothing.

I also made sure that under Site settings the API is enabled (also enabled the session authentication for API), removed it and saved it again, all to no avail.

I’ve asked colleagues to do the same and they had the same issue. I searched everywhere via Google and this forum, and all the answers people got are not working for us. The most common one is that people forget to use their e-mail address when using an API key as a drop-in replacement for the password. This was not my issue.

Below an example from the system log:

[AuthException] Authentication failed: invalid or missing user/password or session cookie.

Details:
File: /var/www/testrail/html/sys/helpers/ex.php
Line: 25
Status Code: 500
Host: testrail.addcomm.nl
Uri: /index.php?/api/v2/get_users (GET)

Browser:
PHP: 5.6.20
Server: Linux 2.6.32-573.12.1.el6.x86_64 #1 SMP Tue Dec 15 21:19:08 UTC 2015 x86_64

Trace:
at ex::raise (ex.php:77)
at ex::raiset (v2.php:143)
at V2_controller->_check_user (v2.php:19)
at V2_controller->_init (gizmo.php:106)
at require_once (index.php:106)


#2

Hi Mark,

Thanks for your posting! TestRail/the API expects an Authorization header for the authentication and some web server configurations remove this header under certain circumstances. For example, if you use Apache and mod_rewrite, the Authorization header is usually stripped from the request and TestRail would be unable to authenticate the request and returns a 401.

You can use the following PHP script to check if this might be the issue in your case:

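<?php

// Diagnostic only: dumps every server variable PHP received, including any
// Authorization value, so delete this file once the check is done.
echo "<pre>";
var_dump($_SERVER);
echo "</pre>";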

Please save this to TestRail’s installation directory (e.g. as info.php) and then call this with curl as follows:

curl -u"test@example:12345" http:///info.php

If you don’t see an HTTP_AUTHORIZATION entry as part of the response, it’s likely this issue.

Cheers,
Tobias


#3

Hi Tobias,

Thank you for your quick response. I’ve checked the _SERVER result, and it indeed does not contain HTTP_AUTHORIZATION; however, it does contain _SERVER[‘Authorization’] = Basic …

I’ve tried everything in the .htaccess file to set the value of $_SERVER[Authorization] to HTTP_AUTHORIZATION but to no avail (stuff like SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 and RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]).

We are running CentOS 6.7, Apache 2.2 and php-fpm.

Hope you can help.

Many thanks!
Mark


#4

Hi Mark,

Thanks for the update. Do you have the option to run PHP as a standard module (mod_php) instead of FPM? This looks to be an issue with FPM. There are a few tricks you can try (some you already mentioned):

http://stackoverflow.com/questions/3663520/php-auth-user-not-set
http://stackoverflow.com/questions/17018586/apache-2-4-php-fpm-and-authorization-headers?lq=1

Is using mod_php an option for you?

Cheers,
Tobias


#5

Thank you for your reply. I guess there is nothing else we can do. So I will install mod_php. It would be nice if you could check for the Authorization variable in your PHP code so it will also work for other configurations like mine.


#6

Hi Mark,

We do check the Authorization header and the issue is that Apache removes this with your current FPM configuration. I believe there are workarounds for this also with the FPM setup, but I’m not sure if the workarounds (see links above) apply to every Apache version. It’s certainly easier to use the PHP module instead (+prefork, for example) and the API works out of the box with this standard setup (even with mod_rewrite with the appropriate rules).

I hope this helps!

Cheers,
Tobias
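
The following is an added example, not part of the thread and not TestRail's code: a PHP helper that recovers HTTP Basic credentials from whichever `$_SERVER` key the web server and SAPI combination populated, including the `Authorization` key reported in post #3. The function name `basic_credentials` and the sample arrays are constructed for illustration; the credentials are the placeholder ones from the curl call in post #2.

```php
<?php
// Added example, not TestRail code. Function name and sample data are constructed.

// Return array(user, secret) parsed from a $_SERVER-style array, or null if
// no usable Basic credentials are present.
function basic_credentials(array $server)
{
    // PHP sets these itself when it received and parsed the header.
    if (isset($server['PHP_AUTH_USER'])) {
        $pw = isset($server['PHP_AUTH_PW']) ? $server['PHP_AUTH_PW'] : '';
        return array($server['PHP_AUTH_USER'], $pw);
    }

    // Keys under which the raw header value can surface instead.
    $keys = array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION', 'Authorization');
    foreach ($keys as $key) {
        if (empty($server[$key])) {
            continue;
        }
        // The scheme name is case-insensitive; only Basic is handled here.
        if (!preg_match('/^Basic\s+(\S+)$/i', trim($server[$key]), $m)) {
            continue;
        }
        $decoded = base64_decode($m[1], true); // strict: reject non-base64 input
        if ($decoded === false || strpos($decoded, ':') === false) {
            continue;
        }
        // Split on the first colon only: the secret may itself contain colons.
        return explode(':', $decoded, 2);
    }
    return null;
}

// Constructed samples, one per situation discussed in the thread.
$value = 'Basic ' . base64_encode('test@example:12345');
$samples = array(
    'auth parsed'   => array('PHP_AUTH_USER' => 'test@example', 'PHP_AUTH_PW' => '12345'),
    'header passed' => array('HTTP_AUTHORIZATION' => $value),
    'rewrite env'   => array('REDIRECT_HTTP_AUTHORIZATION' => $value),
    'fpm (post #3)' => array('Authorization' => $value),
    'stripped'      => array('REQUEST_METHOD' => 'GET'),
);
foreach ($samples as $label => $server) {
    $cred = basic_credentials($server);
    // Print only the user name; never echo the secret into output or logs.
    printf("%-14s %s\n", $label, $cred ? 'user=' . $cred[0] : 'no credentials');
}
```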


#8

Hi tgurock,

I have also met this issue. I deployed TestRail on IIS.
Here is the system logs:

[AuthException] Authentication failed: invalid or missing user/password or session cookie.

Details:
File: C:\inetpub\wwwroot\testrail\sys\helpers\ex.php
Line: 25
Status Code: 500
Uri: /testrail/index.php?/api/v2/get_projects/38 (GET)

Browser:
PHP: 5.6.30
Server: Windows NT 6.3 build 9600 (Windows Server 2012 R2 Standard Edition) i586

Trace:
at ex::raise (ex.php:77)
at ex::raiset (v2.php:143)
at V2_controller->_check_user (v2.php:19)
at V2_controller->_init (gizmo.php:106)
at require_once (index.php:106)