HttpAuth middleware incorrectly handles Authorization header #32

Open
JamesFysh-alliance opened this issue Mar 20, 2024 · 1 comment

@JamesFysh-alliance

This line:

(method, authentication) = authorization.split(' ', 1)

in src/allianceutils/middleware/http_auth.py makes the assumption that the Authorization header will contain a space character. If it does not, a ValueError is raised, along the lines of ValueError: not enough values to unpack (expected 2, got 1).

The problem with this is that we wind up with a 500 server error response as the uncaught exception propagates. It might be better to detect this scenario and explicitly return a 401 (e.g. call return self.__unauthorized()). Or maybe not, that could actually make it harder to debug.

I ran into this because I have a client application trying to make an API call, and that application uses the Authorization header itself, which causes a conflict when HTTP Basic Auth is also enabled.

@davecoates
Contributor

I think returning a 401 is correct, but we could also log a warning that the authorization header is invalid if it doesn't contain a space to assist with debugging.
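
An added sketch of the behaviour discussed in this thread (not the allianceutils code): a malformed Authorization header yields a 401 plus a logged warning instead of an uncaught ValueError. The names `parse_basic_authorization` and `status_for`, the logger name and the sample credentials are assumptions made for this example, which uses only the standard library rather than Django.

```python
import base64
import binascii
import hmac
import logging

logger = logging.getLogger("http_auth_example")  # hypothetical logger name

# Constructed sample header for the made-up credentials alice / s3cret.
SAMPLE_GOOD = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")


def parse_basic_authorization(header):
    """Return (username, password) for a well-formed Basic header, else None."""
    if not header:
        return None
    # partition() always yields three parts, so a header without a space
    # cannot raise the ValueError that unpacking split(' ', 1) does.
    method, sep, payload = header.strip().partition(" ")
    if not sep:
        # Log the condition only: a space-less value may itself be a token.
        logger.warning("Authorization header has no space between scheme and credentials")
        return None
    if method.lower() != "basic":
        logger.warning("Authorization header uses a scheme other than Basic")
        return None
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        logger.warning("Basic credentials are not valid base64-encoded UTF-8")
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        logger.warning("Decoded Basic credentials contain no ':' separator")
        return None
    return username, password


def status_for(header, expected_user, expected_password):
    """Map a raw header to the status a middleware would answer with."""
    creds = parse_basic_authorization(header)
    if creds is None:
        return 401  # malformed or missing header: challenge, never a 500
    user_ok = hmac.compare_digest(creds[0].encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(creds[1].encode(), expected_password.encode())
    return 200 if (user_ok and pass_ok) else 401
```

The warnings describe the failure without echoing the header, since a client that puts its own token in Authorization would otherwise have that token written to the logs.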
