Security issue when using an empty token with the authorization header #143

Closed
cipriantarta opened this Issue Dec 3, 2018 · 1 comment


cipriantarta commented Dec 3, 2018

If the authentication header is provided with no value for the actual token, the /verify endpoint for example returns a valid response:

curl http://localhost:8000/auth/verify -H "Authorization: Bearer "
results in:

{"valid":true}
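As an added example (not sanic-jwt's code, and not the fix from the PR referenced below, whose diff is not shown on this page): a fail-closed bearer-token parser and a /auth/verify handler, exercised against constructed requests that include the empty "Authorization: Bearer " header from the report. The function names (parse_bearer, verify_endpoint, run_regression), the minimal HS256 JWT helpers and the demo secret are this example's own assumptions; the response shape {"valid": ...} is taken from the report.

```python
# Added example, not sanic-jwt's code: a /verify handler that fails closed on an
# empty bearer token, checked against constructed requests including the one
# from the report ("Authorization: Bearer "). Token issuance and verification
# are a minimal HS256 JWT built on the standard library so this runs offline.
import base64
import binascii
import hashlib
import hmac
import json
import re
import time

SECRET = b"constructed-demo-secret"  # constructed for the example; not a real key

# RFC 6750 b64token: the only characters a bearer credential may contain.
_B64TOKEN = re.compile(r"[A-Za-z0-9._~+/-]+=*")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(payload: dict, secret: bytes = SECRET) -> str:
    """Issue an HS256 JWT (hypothetical issuer, for the demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    signing_input = f"{header}.{body}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, secret: bytes = SECRET) -> bool:
    """True only for a three-part token whose HS256 signature matches and whose
    exp lies in the future. The alg in the token header is deliberately ignored
    (the server picks the algorithm), and any decoding error is a rejection."""
    try:
        header, body, sig = token.split(".")
        signing_input = f"{header}.{body}".encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        payload = json.loads(_b64url_decode(body))
    except (ValueError, binascii.Error):
        return False
    if not isinstance(payload, dict):
        return False
    exp = payload.get("exp")
    return isinstance(exp, (int, float)) and exp > time.time()


def parse_bearer(auth_header):
    """Extract the credential from an Authorization header, or None.
    Returns None (never "") when the scheme is wrong or the token is empty,
    whitespace-only or not a b64token, so "Bearer " can never be mistaken
    for a present token."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer":
        return None
    token = token.strip()
    if not _B64TOKEN.fullmatch(token):
        return None
    return token


def verify_endpoint(headers: dict) -> dict:
    """Handler for GET /auth/verify. Response shape from the report; the logic
    is this example's, not sanic-jwt's. Fails closed on a missing token."""
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return {"valid": False}
    return {"valid": verify_token(token)}


def run_regression() -> dict:
    """Constructed requests a fail-closed verify endpoint must handle."""
    now = int(time.time())
    good = make_token({"sub": "alice", "exp": now + 300})
    expired = make_token({"sub": "alice", "exp": now - 1})
    forged = make_token({"sub": "alice", "exp": now + 300}, secret=b"wrong-key")
    cases = {
        "no header": {},
        "empty bearer (the report)": {"Authorization": "Bearer "},
        "whitespace only": {"Authorization": "Bearer    "},
        "bare scheme": {"Authorization": "Bearer"},
        "wrong scheme": {"Authorization": "Basic YWxpY2U6cHc="},
        "forged signature": {"Authorization": f"Bearer {forged}"},
        "expired": {"Authorization": f"Bearer {expired}"},
        "valid": {"Authorization": f"Bearer {good}"},
    }
    return {name: verify_endpoint(h)["valid"] for name, h in cases.items()}


if __name__ == "__main__":
    for name, valid in run_regression().items():
        print(f"{name:28s} -> {json.dumps({'valid': valid})}")
```

The parser returns None rather than an empty string for every rejected header, so a presence check written as `is None` and one written as a truthiness test agree; that is the distinction an empty "Bearer " header exploits when only one of the two is used. Only the last case in run_regression should come back valid.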

ahopkins commented Dec 3, 2018

Wow. 😳

Nice find, and thanks for the quick PR. I am pulling it in and will prepare a new release to PyPI today.

@ahopkins ahopkins closed this Dec 3, 2018

ahopkins added a commit that referenced this issue Dec 4, 2018

Merge pull request #144 from cipriantarta/issue_143
#143 ensures that the token cannot be empty