Fixed authentication to be case-insensitive, per the RFCs. Thanks to …

…rbarlow for the report!
glencoates · Jan 23, 2012 · 9ff0ddd · 9ff0ddd
1 parent 6053743
commit 9ff0ddd
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 4 deletions.
diff --git a/tastypie/authentication.py b/tastypie/authentication.py
@@ -94,7 +94,7 @@ def is_authenticated(self, request, **kwargs):
 
         try:
             (auth_type, data) = request.META['HTTP_AUTHORIZATION'].split()
-            if auth_type != 'Basic':
+            if auth_type.lower() != 'basic':
                 return self._unauthorized()
             user_pass = base64.b64decode(data)
         except:
@@ -137,10 +137,10 @@ def _unauthorized(self):
         return HttpUnauthorized()
 
     def extract_credentials(self, request):
-        if request.META.get('HTTP_AUTHORIZATION') and request.META['HTTP_AUTHORIZATION'].startswith('ApiKey '):
+        if request.META.get('HTTP_AUTHORIZATION') and request.META['HTTP_AUTHORIZATION'].lower().startswith('apikey '):
             (auth_type, data) = request.META['HTTP_AUTHORIZATION'].split()
 
-            if auth_type != 'ApiKey':
+            if auth_type.lower() != 'apikey':
                 raise ValueError("Incorrect authorization header.")
 
             username, api_key = data.split(':', 1)
@@ -243,7 +243,7 @@ def is_authenticated(self, request, **kwargs):
         try:
             (auth_type, data) = request.META['HTTP_AUTHORIZATION'].split(' ', 1)
 
-            if auth_type != 'Digest':
+            if auth_type.lower() != 'digest':
                 return self._unauthorized()
         except:
             return self._unauthorized()

diff --git a/tests/core/tests/authentication.py b/tests/core/tests/authentication.py
@@ -78,6 +78,13 @@ def test_is_authenticated(self):
         request.META['HTTP_AUTHORIZATION'] = 'Basic %s' % base64.b64encode('johndoe:pass:word')
         self.assertEqual(auth.is_authenticated(request), True)
 
+        # Capitalization shouldn't matter.
+        john_doe = User.objects.get(username='johndoe')
+        john_doe.set_password('pass:word')
+        john_doe.save()
+        request.META['HTTP_AUTHORIZATION'] = 'bAsIc %s' % base64.b64encode('johndoe:pass:word')
+        self.assertEqual(auth.is_authenticated(request), True)
+
 
 class ApiKeyAuthenticationTestCase(TestCase):
     fixtures = ['note_testdata.json']
@@ -144,6 +151,11 @@ def test_is_authenticated_header(self):
         request.META['HTTP_AUTHORIZATION'] = 'ApiKey johndoe:%s' % john_doe.api_key.key
         self.assertEqual(auth.is_authenticated(request), True)
 
+        # Capitalization shouldn't matter.
+        john_doe = User.objects.get(username='johndoe')
+        request.META['HTTP_AUTHORIZATION'] = 'aPiKeY johndoe:%s' % john_doe.api_key.key
+        self.assertEqual(auth.is_authenticated(request), True)
+
 
 class DigestAuthenticationTestCase(TestCase):
     fixtures = ['note_testdata.json']