masq
/
halfapi
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[authMiddleware] UN-Breaking uses either the cookie or the header names "Authorization"

This commit is contained in:
Maxime Alves LIRMM 2023-02-03 12:43:16 +01:00
parent 064127dc16
commit a3fc6dc830
2 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
halfapi/lib/jwt_middleware.py
View File

@ -62,8 +62,12 @@ class JWTAuthenticationBackend(AuthenticationBackend):
self, conn: HTTPConnection self, conn: HTTPConnection
) -> typing.Optional[typing.Tuple['AuthCredentials', 'BaseUser']]: ) -> typing.Optional[typing.Tuple['AuthCredentials', 'BaseUser']]:
# Standard way to authenticate via API
# https://datatracker.ietf.org/doc/html/rfc7235#section-4.2
token = conn.headers.get('Authorization')
token = cookies_from_scope(conn.scope).get('JWTToken') if not token:
token = cookies_from_scope(conn.scope).get('Authorization')
is_check_call = 'check' in conn.query_params is_check_call = 'check' in conn.query_params
is_fake_user_id = is_check_call and 'user_id' in conn.query_params is_fake_user_id = is_check_call and 'user_id' in conn.query_params

29
tests/test_jwt_middleware.py
View File

@ -50,6 +50,12 @@ def test_jwt_Token(dummy_app, token_builder):
dummy_app.add_route('/test', test_route) dummy_app.add_route('/test', test_route)
test_client = TestClient(dummy_app) test_client = TestClient(dummy_app)
resp = test_client.request('get', '/test',
cookies={
'Authorization': token_builder
})
assert resp.status_code == 200
resp = test_client.request('get', '/test', resp = test_client.request('get', '/test',
headers={ headers={
'Authorization': token_builder 'Authorization': token_builder
@ -57,6 +63,7 @@ def test_jwt_Token(dummy_app, token_builder):
assert resp.status_code == 200 assert resp.status_code == 200
def test_jwt_DebugFalse(dummy_app, token_debug_false_builder): def test_jwt_DebugFalse(dummy_app, token_debug_false_builder):
async def test_route(request): async def test_route(request):
assert isinstance(request.user, JWTUser) assert isinstance(request.user, JWTUser)
@ -65,6 +72,12 @@ def test_jwt_DebugFalse(dummy_app, token_debug_false_builder):
dummy_app.add_route('/test', test_route) dummy_app.add_route('/test', test_route)
test_client = TestClient(dummy_app) test_client = TestClient(dummy_app)
resp = test_client.request('get', '/test',
cookies={
'Authorization': token_debug_false_builder
})
assert resp.status_code == 200
resp = test_client.request('get', '/test', resp = test_client.request('get', '/test',
headers={ headers={
'Authorization': token_debug_false_builder 'Authorization': token_debug_false_builder
@ -82,6 +95,12 @@ def test_jwt_DebugTrue(dummy_app, token_debug_true_builder):
dummy_app.add_route('/test', test_route) dummy_app.add_route('/test', test_route)
test_client = TestClient(dummy_app) test_client = TestClient(dummy_app)
resp = test_client.request('get', '/test',
cookies={
'Authorization': token_debug_true_builder
})
assert resp.status_code == 400
resp = test_client.request('get', '/test', resp = test_client.request('get', '/test',
headers={ headers={
'Authorization': token_debug_true_builder 'Authorization': token_debug_true_builder
@ -101,7 +120,13 @@ def test_jwt_DebugTrue_DebugApp(dummy_debug_app, token_debug_true_builder):
test_client = TestClient(dummy_debug_app) test_client = TestClient(dummy_debug_app)
resp = test_client.request('get', '/test', resp = test_client.request('get', '/test',
headers={ cookies={
'Authorization': token_debug_true_builder 'Authorization': token_debug_true_builder
})
assert resp.status_code == 200
resp = test_client.request('get', '/test',
headers={
'Authorization': token_debug_true_builder
}) })
assert resp.status_code == 200 assert resp.status_code == 200