Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for "Authorization: Bearer KEY" to follow the RFC 6750 #1830

Closed
wants to merge 1 commit into from

Conversation

yarikoptic
Copy link
Member

@yarikoptic yarikoptic commented Jan 25, 2024

ATM non-authenticated request is receiving 401 response with "Bearer" as the auth-scheme:

❯ curl --verbose -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/' 2>&1 | grep WW-A
< WWW-Authenticate: Bearer realm="api"

But according to the
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes and in particular https://datatracker.ietf.org/doc/html/rfc6750 for such request client should provide "Authorization: Bearer KEY" not "Authorization: token KEY".

This commit adds support for both so we could follow the standard and retain support of already implemented client solutions. It would also allow for clients which (try to) follow the standard (e.g. DataLad) to support such requests without implementing some ad-hoc "token handling". Such approach is also taken by GitHub API:
https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api?apiVersion=2022-11-28

Verification of functionality:

❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/'
{"detail":"Authentication credentials were not provided."}%                                                                                                                                                                                                        ❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: Bearer 21a587dff19ec6956364443b97414d8bb4331b09'
MYDATA
❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: token 21a587dff19ec6956364443b97414d8bb4331b09'
MYDATA
❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: Token 21a587dff19ec6956364443b97414d8bb4331b09'
MYDATA
    ❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: Bearer 21a587dff19ec6956364443b97414d8bb4331b09'
    MYDATA
❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: dragon 21a587dff19ec6956364443b97414d8bb4331b09'
{"detail":"Authentication credentials were not provided."}

Closes #1825

@yarikoptic yarikoptic requested a review from waxlamp January 25, 2024 01:59
@@ -0,0 +1,14 @@
from rest_framework.authentication import TokenAuthentication
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note that this is a new file. If you would like to see it somewhere else -- let me know , but it could not go under dandi.api.views.auth due to then circular import.

ATM non-authenticated request is receiving 401 response with "Bearer" as the
auth-scheme:

    ❯ curl --verbose -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/' 2>&1 | grep WW-A
    < WWW-Authenticate: Bearer realm="api"

But according to the
https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication#authentication_schemes
and in particular https://datatracker.ietf.org/doc/html/rfc6750 for such
request client should provide "Authorization: Bearer KEY" not "Authorization:
token KEY".

This commit adds support for both so we could follow the standard and retain
support of already implemented client solutions. Such approach is also taken by
GitHub API:
https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api?apiVersion=2022-11-28

Verification of functionality:

	❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/'
	{"detail":"Authentication credentials were not provided."}%                                                                                                                                                                                                        ❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: Bearer 21a587dff19ec6956364443b97414d8bb4331b09'
	MYDATA
	❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: token 21a587dff19ec6956364443b97414d8bb4331b09'
	MYDATA
	❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: Token 21a587dff19ec6956364443b97414d8bb4331b09'
	MYDATA
	❯ curl -J -L -X 'GET' 'http://localhost:8000/api/assets/ac212d93-525a-4454-afdd-85b90aad6143/download/?content_disposition=attachment' -H 'Authorization: dragon 21a587dff19ec6956364443b97414d8bb4331b09'
	{"detail":"Authentication credentials were not provided."}

Closes #1825
@waxlamp waxlamp marked this pull request as draft January 25, 2024 02:51
@yarikoptic yarikoptic marked this pull request as ready for review January 25, 2024 03:03
yarikoptic added a commit to yarikoptic/datalad that referenced this pull request Jan 25, 2024
It is pretty much the "Bearer TOKEN" method but which uses different keyword
"Token".  It is e.g. the one provided by Django REST Framework.
GitHub allows for both 'Bearer' and 'Token' keywords:
https://docs.github.com/en/rest/authentication/authenticating-to-the-rest-api?apiVersion=2022-11-28

In our case of DANDI we ran into it only now that we decided to add handling of
embargoed datasets, for which we need to authenticate to access the files.  We
are using Django REST Framework and insofar decision was made to retain current
approach (and fix WWW-Authentication header response), instead of an
alternative to allow for both  'Bearer' and 'Token' as was suggested in
dandi/dandi-archive#1830

As it is ad-hoc (nothing AFAIK in W3C standard) Authentication response I do
not think some automation would ever be created based on WWW-Authentication but
we will be able to support such providers.
@waxlamp
Copy link
Member

waxlamp commented Jan 30, 2024

RFC 6750 does not apply to DRF's token authentication scheme, since DRF is not an OAuth 2.0 service. Together with the discussion in #1825, that means we should close this PR.

@waxlamp waxlamp closed this Jan 30, 2024
@waxlamp waxlamp deleted the enh-bearer branch January 30, 2024 16:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

REST endpoints send incomplete WWW-Authenticate header on 401
2 participants