From 51e30d26cd093dada1f4d3447c2d6eca322c4658 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Dupayrat?=
Date: Tue, 21 Mar 2023 11:47:54 +0100
Subject: [PATCH] Fixed crash when missing CSRF token cookie in SessionAuthentication

Fixes #1651
---
 tastypie/authentication.py | 5 ++++-
 tests/core/tests/authentication.py | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/tastypie/authentication.py b/tastypie/authentication.py
index 6112fb8ca..61769dead 100644
--- a/tastypie/authentication.py
+++ b/tastypie/authentication.py
@@ -312,7 +312,10 @@ def is_authenticated(self, request, **kwargs):
 return request.user.is_authenticated
 
 csrf_token = request.COOKIES.get(settings.CSRF_COOKIE_NAME, '')
- csrf_token = check_token_format(csrf_token)
+ try:
+ csrf_token = check_token_format(csrf_token)
+ except InvalidTokenFormat:
+ return False
 
 if request.is_secure():
 referer = request.META.get('HTTP_REFERER')
diff --git a/tests/core/tests/authentication.py b/tests/core/tests/authentication.py
index c0afb1e0f..b85a2d9ec 100644
--- a/tests/core/tests/authentication.py
+++ b/tests/core/tests/authentication.py
@@ -471,6 +471,8 @@ def test_apikey_and_authentication_enforce_user(self):
 self.assertEqual(session_auth.is_authenticated(request1), True)
 # api key auth should fail because of invalid api key
 self.assertEqual(isinstance(api_key_auth.is_authenticated(request2), HttpUnauthorized), True)
+ # multi auth should fail because there is no valid auth
+ self.assertEqual(isinstance(auth.is_authenticated(request2), HttpUnauthorized), True)
 # multi auth shouldn't change users if api key auth fails
 
 # multi auth passes since session auth is valid
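Review bot: The new `except InvalidTokenFormat: return False` branch only fixes the crash if `check_token_format` actually raises `InvalidTokenFormat` for the empty string that `request.COOKIES.get(settings.CSRF_COOKIE_NAME, '')` yields when the cookie is absent; neither name's import is in the hunk, so if `check_token_format` is aliased to an older Django helper that normalizes a bad token instead of raising, the branch is dead on that version and the pre-patch behaviour remains — worth confirming in the import block. Returning `False` rather than letting the exception propagate is the right fail-closed outcome, since the CSRF check for an unsafe method cannot be satisfied without a cookie, and it matches the boolean `return request.user.is_authenticated` just above. A short why-comment on the `except` line would help the next reader: `# Missing or malformed CSRF cookie: the unsafe request cannot be verified, so reject it instead of raising.` `is_authenticated` starts before and continues after this hunk.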
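Review bot: The added assertion checks that the multi auth returns `HttpUnauthorized` for `request2`, but as far as the hunk shows it does not exercise the case named in the commit title — an unsafe-method request with no CSRF cookie reaching `SessionAuthentication.is_authenticated`; `request2`'s setup is outside the hunk, so this is hedged. A dedicated test that builds a POST request without the `settings.CSRF_COOKIE_NAME` cookie and asserts `session_auth.is_authenticated(request)` returns `False` instead of raising would pin the fix and catch a future import change that turns the `except` branch into dead code. `test_apikey_and_authentication_enforce_user` starts before and continues after this hunk.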