I was recently looking into using our Mantis Bug Tracker instance to automatically generate product road-maps - now that we are actually starting to properly plan product updates and as keeping them up to date manually isn't really working.
I spent a fair amount of fruitless time sending requests to
Mantis via Postman only for every single request to fail
401 API Token required - despite the fact I'd created a
limited access user and generated an API token associated with
In the end after looking at the Mantis source files, I resorted
AuthMiddleware.php directly on the server to start
spitting out output as a crude way of attempting to identify the
issue. This showed that the
Authorization header just wasn't
present - any other header I sent was there, just that one in
particular was missing.
The documentation for
mention anything about authorisation, nor does
$_SERVER on the other hand mentions
that new values may be created based on the contents of the
Authorization header but it too doesn't state anything about
the header being removed.
Fortunately, I found an answer in a user comment for the HTTP
authentication with PHP documentation topic which is to
.htaccess file to include the following line
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
I made this change to the
.htaccess file located in the Mantis
REST API client folders (I didn't do it at the root level), and
now the API is working. Baby steps...
Please note however that I'm not a PHP developer, and when it comes to hosting, I'm an IIS guy and have very little familiarity with Apache. So while this tweak works for me, I can't state for certain it is the correct approach or if it should have been handled another way. Nor do I know what the cause is - seems odd that if this was official PHP behaviour that it isn't documented anywhere that I could find. If you know of a better way please let me know!
- 2017-07-06 - First published
- 2020-11-22 - Updated formatting