-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Respond with 401 for requests with bad credentials #4126
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested this PR locally, and it works well. There is, however the following warning:
[2024-04-16 10:02:40,469 - log_request_id.middleware - 55][INFO] [77950d359f2642a488e49639f60e7c19] method=GET path=/v1/ status=200
/api/api/views/audio_views.py: Warning [AudioViewSet]: could not resolve authenticator <class 'conf.oauth2_extensions.OAuth2Authentication'>. There was no OpenApiAuthenticationExtension registered for that class. Try creating one by subclassing it. Ignoring for now.
I'm not sure how this can be fixed, though.
Ah, I didn't notice that warning. I'll look into it, I've probably missed some configuration detail. |
Well, I got stuck trying to fix the documentation errors. I fixed some of them, and corrected the authentication classes and permissions on the token views to align with the authentication class... but now the Do you have any ideas @obulat ? |
You can see what This discussion suggests removing all "Authorization" headers from cases. I tried only removing the "Bearer \x1f", and almost all cases passed.
There seems to be only one undocumented case left with an invalid client:
|
api/api/docs/oauth2_docs.py
Outdated
@@ -57,7 +56,6 @@ | |||
request={"application/x-www-form-urlencoded": OAuth2TokenRequestSerializer}, | |||
res={ | |||
200: (OAuth2TokenSerializer, auth_token_200_example), | |||
401: (NotAuthenticated, None), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should probably be added back for the "invalid_client" error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for finding these solutions! I'll push them next week, drafting this for now.
Yes, but when I try to send that myself I can't reproduce the issue 🤔 I can't tell if it's a real problem though, does this open up a vulnerability for someone to overwhelm the service with bad authentication tokens and cause a bunch of errors? |
FYI, I am going to add a config option to Schemathesis so it is easier to tune what header values it should generate (schemathesis/schemathesis#2137), so you won’t have to manually adjust the headers |
I couldn't reproduce this locally either. I also couldn't reproduce this error in prod with |
Thanks, @Stranger6667! I've subscribed to the issue 🙂 Rebasing this PR now and will push the changes Olga suggested as a temporary workaround. Thanks again, Olga. |
40b6b58
to
a5dc5d3
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM 🚀!
I don't feel too good about having to specify 401 for each authenticated endpoint individually but that's an extremely small nit and definitely should not shadow all the good things in this PR.
There's probably some way to get drf-spectacular to infer it based on the authentication classes on a view, but our current way of detaching docs/schema extensions from the views themselves made it hard to reason about, and I didn't spend much time on it. Feel free to open an issue for that, though, would be nice if we could make this a little less fiddly, configuration wise. |
Fixes
Fixes #3626 by @sarayourfriend
Fixes #4127 by @obulat
Description
Extends the oauth2 provider's DRF authentication class to raise the authentication error exception. Refer to DRF documentation for how these authentication classes are meant to work: https://www.django-rest-framework.org/api-guide/authentication/
Testing Instructions
Checkout the branch and run the API using
just api/up && just api/init
. Runjust logs web
in a separate console, and then follow the registration documentation in the API to create a registration token locally. You'll need the verification URL printed in the logs instead of sent in a real email after you register.Confirm you can send requests with tokens. Confirm you can send anonymous requests. Confirm requests with invalid tokens are rejected with 401.
Checklist
Update index.md
).main
) or a parent feature branch.Developer Certificate of Origin
Developer Certificate of Origin