From ededdc512b2260edfb0b5bc08291ed81f0d0c788 Mon Sep 17 00:00:00 2001
From: Tim Abbott
Date: Wed, 14 Nov 2018 14:58:15 -0800
Subject: [PATCH] nginx: Fix missing API authentication configuration.

This fixes a bug where our API routes for uploaded files (where we need to use a consistent URL between session auth and API auth) were not properly configured to pass through the API authentication headers (and otherwise provide REST endpoint settings). In particular, this prevented the Zulip mobile apps from being able to access authenticated image files using these URLs.
---
 .../files/nginx/zulip-include-frontend/app | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/puppet/zulip/files/nginx/zulip-include-frontend/app b/puppet/zulip/files/nginx/zulip-include-frontend/app
index e0cb156b64..09adf20930 100644
--- a/puppet/zulip/files/nginx/zulip-include-frontend/app
+++ b/puppet/zulip/files/nginx/zulip-include-frontend/app
@@ -60,14 +60,28 @@ location / {
 uwsgi_pass django;
 }
 
+# Certain Django routes not under /api are shared between mobile and
+# web and thus need API headers added. We don't collapse this with the
+# above block for /events, because regular expressions take priority over
+# paths in nginx's order-of-operations, and we don't want to override the
+# tornado stuff.
+location ~ ^/(user_uploads|avatar|thumbnail)/ {
+ add_header Access-Control-Allow-Origin *;
+ add_header Access-Control-Allow-Headers Authorization;
+ add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD';
+
+ include uwsgi_params;
+ uwsgi_pass django;
+}
+
+# Send all API routes not covered above to Django via uWSGI
 location /api/ {
 add_header Access-Control-Allow-Origin *;
 add_header Access-Control-Allow-Headers Authorization;
 add_header Access-Control-Allow-Methods 'GET, POST, DELETE, PUT, PATCH, HEAD';
 
 include uwsgi_params;
- uwsgi_pass django;
-
+ uwsgi_pass django;
 }
 
 include /etc/nginx/zulip-include/app.d/*.conf;
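Review bot: The new `location ~ ^/(user_uploads|avatar|thumbnail)/` block emits `Access-Control-Allow-Origin *` on routes that serve authenticated files, and the reason this is acceptable is not recorded anywhere in the block: browsers refuse to expose a wildcard-origin response to a credentialed (cookie-bearing) request, so a page on another origin can only read these files when it already holds a valid Authorization header of its own. That invariant is worth stating next to the headers, e.g. `# Wildcard origin is only safe here because browsers never attach session cookies to a "*" response; do not add Access-Control-Allow-Credentials to this block.` Note also that `add_header` without the `always` parameter is applied by nginx only to 2xx/3xx responses, so a 401/403 that Django returns for a missing or expired token goes out without these headers and a browser client on another origin sees an opaque failure rather than the error body; if that matters for the web clients this commit targets, `add_header Access-Control-Allow-Origin * always;` (available since nginx 1.7.5) is the fix, and the same applies to the `/api/` block below. Finally, the three `add_header` lines are now duplicated verbatim between the two blocks, so moving them into a snippet pulled in with `include` would keep any future change to the allowed headers or methods consistent across both.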