Make AuthenticationFailed more specific for bad headers/expired tokens #16
Conversation
@@ -97,7 +97,7 @@ def test_hawk_post_wrong_sig(self): | |||
method=method) | |||
|
|||
self.assertRaisesRegexp(AuthenticationFailed, | |||
'Hawk authentication failed', | |||
'^Hawk authentication failed$', |
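Review bot: anchoring the pattern as `^Hawk authentication failed$` is what turns this assertion into an exact-match check; the previous unanchored `'Hawk authentication failed'` was only a substring check, because `assertRaisesRegexp` uses `re.search`, so a message with extra detail appended after the generic text would still have passed. Two small caveats on the new pattern: `$` also matches just before a trailing newline, so `\Z` is the strict end-of-string anchor if that ever matters, and `assertRaisesRegexp` is a deprecated alias on Python 3 where `assertRaisesRegex` is the current name.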
good idea!
Could you add some tests for the
These will serve two purposes: 1) they'll make sure we don't regress showing extra output in special cases and 2) they'll cover the else blocks in these cases so that no exceptions get raised by future refactoring.
They should be easy to add. I'd suggest copying test_hawk_post_wrong_sig but use mock to patch Receiver() and give it a side_effect for each exception. Let me know if you get stuck. Because of how mock patching works you may need to edit the code to do
PR updated with tests :-) I ended up not mocking
Awesome, thanks! The added tests look great.
Make AuthenticationFailed more specific for bad headers/expired tokens
Thank you :-)
@kumar303 - would it be possible to make a new release for this at some point in the next week or two? :-)
Whilst many of the possible mohawk exception types should not be revealed directly in the `AuthenticationFailed` exception message (since they would give clues to attackers - eg let them determine valid client ids), there are some that are useful (and safe) to surface in the response to the client. Fixes #14.

The existing tests for the "dangerous to reveal" cases have also been updated to ensure they exact-match against the string, since previously they were only checking for the substring (since `assertRaisesRegexp()` uses `re.search()`).