Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apache is removing ETag headers #3877

Closed
redshiftzero opened this issue Oct 15, 2018 · 6 comments
Closed

Apache is removing ETag headers #3877

redshiftzero opened this issue Oct 15, 2018 · 6 comments
Labels
bug
Milestone
Long Term Product...

Comments

@redshiftzero
Copy link
Contributor

Description

We send ETags in responses from a couple of journalist API endpoints (reference), but Apache is stripping them off via Header unset Etag

Steps to Reproduce

  1. Provision staging servers
  2. Add a test source, a test submission, and a test journalist user
  3. Authenticate to the API via submitting your credentials to /api/v1/token as described here
  4. Try to download a response via a GET request to /api/v1/sources/<source_uuid>/submissions/<submission_uuid>/download where source_uuid and submission_uuid are valid

Expected Behavior

response has ETag header

Actual Behavior

response does not have ETag header

Comments

This is similar to #3772 so a similar fix will do here (modifying Apache configs in postinst of securedrop-app-code package). In terms of priority, this is not a showstopping bug (users can still download files via the API without issue), so 0.11.0 or a bugfix release after 0.10.0 is fine.
@redshiftzero redshiftzero added this to the 0.11.0 milestone Oct 15, 2018
@redshiftzero
Copy link
Contributor Author

When this bug is addressed, we can revert freedomofpress/securedrop-sdk@6170a33 in the SDK

@redshiftzero redshiftzero mentioned this issue Oct 15, 2018
Merged
@heartsucker
Copy link
Contributor

From that ticket:

ETags are being stripped from staging/production servers due to an Apache misconfiguration.

I am rather sure this was intentional and was done as part of the no-cache headers to prevent anything from being left on a source's computer.

@heartsucker
Copy link
Contributor

Though I guess it is a a misconfiguration in the sense that it shouldn't be in the journalist config. Anyway just woke up, ignore me.

@redshiftzero
Copy link
Contributor Author

No you're right @heartsucker, we should only modify the journalist Apache config

@redshiftzero redshiftzero mentioned this issue Dec 6, 2018
Closed
This was referenced Jan 12, 2019
Merged
Open
@emkll
Copy link
Contributor

emkll commented Jan 14, 2019
edited
Loading

Recapping discussion in gitter with @heartsucker @redshiftzero
To close this item ticket, we should simply remove Header unset Etag directive from the Journalist interface config, which should allow for the values that are set in the Application/API to be sent to the client and not stripped by Apache.
This configuration change should be sufficient to report download resumption as well (due to Range RequestHeader not being unset).

@redshiftzero
Copy link
Contributor Author

This was closed by #4023

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
Long Term Product Backlog
Development

No branches or pull requests
4 participants
@eloquence @heartsucker @redshiftzero @emkll