[authMiddleware] UN-Breaking uses either the cookie or the header names "Authorization"

2023-02-03 12:43:16 +01:00 · 2023-02-03 12:43:16 +01:00 · a3fc6dc830
parent 064127dc16
commit a3fc6dc830
2 changed files with 32 additions and 3 deletions
--- a/halfapi/lib/jwt_middleware.py
+++ b/halfapi/lib/jwt_middleware.py
@ -62,8 +62,12 @@ class JWTAuthenticationBackend(AuthenticationBackend):
        self, conn: HTTPConnection
    ) -> typing.Optional[typing.Tuple['AuthCredentials', 'BaseUser']]:

+        # Standard way to authenticate via API
+        # https://datatracker.ietf.org/doc/html/rfc7235#section-4.2
+        token = conn.headers.get('Authorization')

-        token = cookies_from_scope(conn.scope).get('JWTToken')
+        if not token:
+            token = cookies_from_scope(conn.scope).get('Authorization')

        is_check_call = 'check' in conn.query_params
        is_fake_user_id = is_check_call and 'user_id' in conn.query_params
--- a/tests/test_jwt_middleware.py
+++ b/tests/test_jwt_middleware.py
@ -50,6 +50,12 @@ def test_jwt_Token(dummy_app, token_builder):
    dummy_app.add_route('/test', test_route)
    test_client = TestClient(dummy_app)

+    resp = test_client.request('get', '/test',
+        cookies={
+            'Authorization': token_builder
+        })
+    assert resp.status_code == 200
+
    resp = test_client.request('get', '/test',
        headers={
            'Authorization': token_builder
@ -57,6 +63,7 @@ def test_jwt_Token(dummy_app, token_builder):
    assert resp.status_code == 200


+
 def test_jwt_DebugFalse(dummy_app, token_debug_false_builder):
    async def test_route(request):
        assert isinstance(request.user, JWTUser)
@ -65,6 +72,12 @@ def test_jwt_DebugFalse(dummy_app, token_debug_false_builder):
    dummy_app.add_route('/test', test_route)
    test_client = TestClient(dummy_app)

+    resp = test_client.request('get', '/test',
+        cookies={
+            'Authorization': token_debug_false_builder
+        })
+    assert resp.status_code == 200
+
    resp = test_client.request('get', '/test',
        headers={
            'Authorization': token_debug_false_builder
@ -82,6 +95,12 @@ def test_jwt_DebugTrue(dummy_app, token_debug_true_builder):
    dummy_app.add_route('/test', test_route)
    test_client = TestClient(dummy_app)

+    resp = test_client.request('get', '/test',
+        cookies={
+            'Authorization': token_debug_true_builder
+        })
+    assert resp.status_code == 400
+
    resp = test_client.request('get', '/test',
        headers={
            'Authorization': token_debug_true_builder
@ -101,7 +120,13 @@ def test_jwt_DebugTrue_DebugApp(dummy_debug_app, token_debug_true_builder):
    test_client = TestClient(dummy_debug_app)

    resp = test_client.request('get', '/test',
-        headers={
-            'Authorization': token_debug_true_builder
+        cookies={
+              'Authorization': token_debug_true_builder
+        })
+    assert resp.status_code == 200
+
+    resp = test_client.request('get', '/test',
+        headers={
+              'Authorization': token_debug_true_builder
        })
    assert resp.status_code == 200