Skip to content

fix: Handle malformed auth header #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
Feb 9, 2023
Merged

fix: Handle malformed auth header #122

merged 5 commits into from
Feb 9, 2023

Conversation

@bgrant
Copy link
Collaborator

@bgrant bgrant commented Jan 26, 2023
edited
Loading

  • Handle "Malformed authorization header" ValueError that bubbles up from oauthlib the same way we handle other oauth errors

  • Fix a docstring typo

  • Update CHANGELOG.md

  • Update README.md (as needed)

  • New dependencies were added to pyproject.toml

  • pip install succeeds with a clean virtualenv

  • There are new or modified tests that cover changes

  • Test coverage is maintained or expanded

@bgrant bgrant requested a review from demianbrecht January 26, 2023 20:58
smholloway
smholloway previously approved these changes Jan 26, 2023
View reviewed changes
Copy link
Collaborator

@smholloway smholloway left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 Nice!

demianbrecht
demianbrecht requested changes Jan 26, 2023
View reviewed changes
django_declarative_apis/authentication/oauthlib/oauth1.py
)
)
try:
collected_request_parameters = dict(
Copy link
Member

@demianbrecht demianbrecht Jan 26, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this raise a different exception type? I'm thinking that we won't be able to differentiate between missing auth headers and malformed ones anymore, something that I'm pretty sure we'll still want.

Copy link
Collaborator Author

@bgrant bgrant Jan 27, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here's the path I went down here:

  1. A "Malformed authorization header" currently raises a ValueError from oauthlib which is not caught anywhere: oauthlib:parse_authorization_header
  2. DDA attempts to massage most OAuth errors into "those specified in the OAuth Problem Reporting proposal", here, which is what our service expects in the place this bubbles up
  3. Looking through that list of errors, I figured OAuthMissingParameterError was still the best fit in this case.

Do we currently detect a missing Authorization header intelligently?

Copy link
Collaborator Author

@bgrant bgrant Feb 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this case it's missing all the needed parameters, and so the error lists them all.

Copy link
Member

@demianbrecht demianbrecht Feb 3, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right, so that would work in this case. However, if there's a case where we're getting an invalid auth header (anything that doesn't conform explicitly to OAuth as defined here), it'll get swallowed up as a missing error. I think those two cases should be distinguished from one another.

Optimally, I think that oauthlib would report oauth_parameters_rejected (defined in OAuth error reporting) rather than simply a ValueError but it wasn't implemented that way. I think that the best thing to do would be to add support for token_revoked in build_error and handle that case when we get a ValueError from collect_parameters. That way, the caller can clearly see the difference between missing and invalid parameters.

We can also add an explicit check for all parameters missing case you mentioned here too in order to catch that case.

Copy link
Collaborator Author

@bgrant bgrant Feb 7, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After discussion in Slack - I'm returning parameter_rejected

@bgrant bgrant merged commit 9104456 into main Feb 9, 2023
@bgrant bgrant deleted the fix/401-with-malformed-auth-header branch February 9, 2023 20:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@demianbrecht demianbrecht demianbrecht approved these changes

@smholloway smholloway Awaiting requested review from smholloway

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bgrant @smholloway @demianbrecht