Fixed crash when missing CSRF token cookie in SessionAuthentication

Fixes #1651
django-tastypie · Mar 21, 2023 · 51e30d2 · 51e30d2
1 parent 9f6bc63
commit 51e30d2
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/tastypie/authentication.py b/tastypie/authentication.py
@@ -312,7 +312,10 @@ def is_authenticated(self, request, **kwargs):
             return request.user.is_authenticated
         csrf_token = request.COOKIES.get(settings.CSRF_COOKIE_NAME, '')
 
-        csrf_token = check_token_format(csrf_token)
+        try:
+            csrf_token = check_token_format(csrf_token)
+        except InvalidTokenFormat:
+            return False
 
         if request.is_secure():
             referer = request.META.get('HTTP_REFERER')

diff --git a/tests/core/tests/authentication.py b/tests/core/tests/authentication.py
@@ -471,6 +471,8 @@ def test_apikey_and_authentication_enforce_user(self):
         self.assertEqual(session_auth.is_authenticated(request1), True)
         # api key auth should fail because of invalid api key
         self.assertEqual(isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True)
+        # multi auth should fail because there is no valid auth
+        self.assertEqual(isinstance(auth.is_authenticated(request2), HttpUnauthorized), True)
 
         # multi auth shouldn't change users if api key auth fails
         # multi auth passes since session auth is valid