Req_headers have wrong values in plug ("authorization")

Odd issue that I’m running into. I’ve written an authorization plug that I’m trying to use w/ Absinthe, but it seems like the “authorization” header is being overridden somewhere above in the pipeline. The value is correct when I use it in a regular controller, but it is literally changed to “test” when used w/ Absinthe.


  pipeline :api_v2 do
    plug Plugs.Api.OauthGraphql
    plug CORSPlug
  end

  # This somehow sets req_headers["authorization"] = "test"
  scope "/api/v2" do
    pipe_through :api_v2
    forward "/", Absinthe.Plug, schema: Web.V2.Schema
  end

  # This has the correct header ("Basic <jwt>")
  scope "/test", ProjectWeb.Api do
    pipe_through :api_v2
    get "/", TestController, :index
    options "/", TestController, :options
  end

I’m using the same plug for both:

  def call(conn, _params) do
    # result = "Basic <jwt>" if called from a controller
    # but result = "test" if called from absinthe
    with [result] <- conn |> get_req_header("authorization"),
         [_, token] <- String.split(result),
         {:ok, claims} <- Auth.Token.verify_and_validate(token),
         {:ok, parsed_claims} <- parse_auth0_claims(claims) do
      Absinthe.Plug.put_options(conn, context: %{claims: parsed_claims})
    else
      {:error, :no_claims} ->
        conn |> send_resp(401, "Missing claims") |> halt()

      # Any other failed match (missing header, bad token, ...) is rejected
      _e ->
        conn |> send_resp(401, "Not Authorized") |> halt()
    end
  end

I inspected the requests in the browser, and both requests were sending the correct headers.

Any ideas what could be going on? This is one of the weirder issues I’ve encountered.


I’d try to query the GraphQL endpoint with curl. Also, try to grep your code base for the word test

Figured it out! It had to do with CORS, the browser was sending an OPTIONS request that I wasn’t handling and setting “authentication” to “test”.

After double checking, this was not the case.

Same issue w/ curl. “test” doesn’t show up anywhere when running grep -nri '"test"' lib

Perhaps it’s Absinthe (or its dependencies)?

This wasn’t even an Elixir issue. Not sure why, but my Nginx proxy configuration was overriding the authentication header to “test”, which I don’t ever remember doing. :man_facepalming:
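
A check for the root cause found at the end of this thread, added here as an example and not posted by anyone in the thread: it scans an Nginx configuration for `proxy_set_header Authorization` directives that send a fixed literal upstream instead of the client's value. The function names and the sample configuration are constructed for illustration; the thread never shows the real proxy config.

```shell
#!/bin/sh
# Constructed sample proxy config (assumption: the real one is not shown in the thread).
sample_nginx_conf() {
cat <<'EOF'
server {
    listen 80;
    location /api/v2 {
        proxy_set_header Host $host;
        proxy_set_header Authorization "test";   # hard-coded: replaces the client's header
        proxy_pass http://127.0.0.1:4000;
    }
    location /test {
        proxy_set_header Authorization $http_authorization;  # forwards the client's value
        proxy_pass http://127.0.0.1:4000;
    }
    # proxy_set_header Authorization "old";
}
EOF
}

# Print "line: directive" for every proxy_set_header Authorization whose value
# contains no Nginx variable ($...), i.e. a fixed literal. An empty value ("")
# is reported too, since it stops the header from being passed upstream.
# Reads the files given as arguments, or stdin when there are none.
# Limitation: everything after "#" is treated as a comment, even inside quotes.
find_hardcoded_auth() {
    awk '
        { line = $0; sub(/#.*/, "", line) }
        tolower(line) ~ /proxy_set_header[ \t]+authorization[ \t]/ && line !~ /\$/ {
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            print NR ": " line
        }
    ' "$@"
}

sample_nginx_conf | find_hardcoded_auth
# → 5: proxy_set_header Authorization "test";
```

On a real host, pipe the effective configuration into the function with `nginx -T 2>/dev/null | find_hardcoded_auth`, which also covers included files.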