I was recently looking into using our Mantis Bug Tracker instance to automatically generate product road-maps - now that we are actually starting to properly plan product updates and as keeping them up to date manually isn't really working.
I spent a fair amount of fruitless time sending requests to Mantis via Postman only for every single request to fail with
401 API Token required - despite the fact I'd created a limited access user and generated an API token associated with that.
In the end after looking at the Mantis source files, I resorted to editing
AuthMiddleware.php directly on the server to start spitting out output as a crude way of attempting to identify the issue. This showed that the
Authorization header just wasn't present - any other header I sent was there, just that one in particular was missing.
The documentation for
apache_request_headers doesn't mention anything about authorisation, nor does
$_SERVER on the other hand mentions that new values may be created based on the contents of the
Authorization header but it too doesn't state anything about the header being removed.
Fortunately, I found an answer in a user comment for the HTTP authentication with PHP documentation topic which is to alter your
.htaccess file to include the following line
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
I made this change to the
.htaccess file located in the Mantis REST API client folders (I didn't do it at the root level), and now the API is working. Baby steps...
Please note however that I'm not a PHP developer, and when it comes to hosting, I'm an IIS guy and have very little familiarity with Apache. So while this tweak works for me, I can't state for certain it is the correct approach or if it should have been handled another way. Nor do I know what the cause is - seems odd that if this was official PHP behaviour that it isn't documented anywhere that I could find. If you know of a better way please let me know!