Documentation and fix for REST headers

schlatterbeck · schlatterbeck · commit 5322210e3ace · 2024-12-04T10:45:26.000+01:00
issue2551372 - Better document necessary headers for REST and fix
logging to log missing Origin header.
diff --git a/CHANGES.txt b/CHANGES.txt
@@ -30,6 +30,9 @@ Fixed:
   to a red error msg. (Report by Ludwig Reiter; fix John Rouillard)
 - issue2550698 - added documentation on filtering using RPN property
   expressions. (John Rouillard)
+- issue2551372 - Better document necessary headers for REST and fix
+  logging to log missing Origin header (Ralf Schlatterbeck with
+  suggestions on documentation by John Rouillard)
 
 Features:
 
diff --git a/doc/rest.txt b/doc/rest.txt
@@ -68,7 +68,7 @@ explicitly set.)
 Preventing CSRF Attacks
 -----------------------
 
-Clients should set the header X-REQUESTED-WITH to any value and the
+Clients should set the header ``X-REQUESTED-WITH`` to any value and the
 tracker's config.ini should have ``csrf_enforce_header_x-requested-with
 = yes`` or ``required``.
 
@@ -77,6 +77,12 @@ that is not hosted at the same origin as Roundup, you must permit
 the origin using the ``allowed_api_origins`` setting in
 ``config.ini``.
 
+If you access the REST interface with a method other than ``GET``, you
+must also supply an origin header with a value that is either the
+default origin (the URL of the tracker without the path component set in
+the config file as ``web`` in section ``[tracker]``) or one that is
+permitted by ``allowed_api_origins``.
+
 Rate Limiting API Failed Logins
 -------------------------------
 
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -719,8 +719,10 @@ def handle_rest(self):
         if not self.is_origin_header_ok(api=True):
             if 'HTTP_ORIGIN' not in self.env:
                 msg = self._("Required Header Missing")
+                err = 'Origin header missing'
             else:
                 msg = self._("Client is not allowed to use Rest Interface.")
+                err = 'Unauthorized for REST request'
 
             # Use code 400. Codes 401 and 403 imply that authentication
             # is needed or authenticated person is not authorized.
@@ -730,6 +732,7 @@ def handle_rest(self):
             self.reject_request(output,
                                 message_type="application/json",
                                 status=400)
+            logger.error(err)
             return
 
         # Handle CORS preflight request. We know rest is enabled
