
How to change error handling of @require_oauth decorator? #93

Closed
trtg opened this issue Apr 13, 2014 · 4 comments

Comments

@trtg

commented Apr 13, 2014

The way it is currently implemented the @require_oauth decorator uses abort to return a 403 status if anything about the incoming request is invalid. I'm integrating with a partner who requests that invalid access tokens be responded to with a 401, and otherwise invalid requests be responded to with a 400. What would be the best way to take control of how errors are handled in flask-oauthlib?

@widnyana

Contributor

commented Apr 14, 2014

Getting the same problem, waiting for advice :)

@lepture lepture added the question label Apr 14, 2014

@asteinlein


commented Apr 30, 2014

My view is that the 403 status code, as used now, is simply the wrong status code. For invalid access tokens and otherwise unsuccessful authentication, 401 should be used. After all, the RFC for 403 says "Authorization will not help and the request SHOULD NOT be repeated.", which is clearly not the case for invalid access tokens and similar, where authorization WILL help. 403 is good for cases where the user is authenticated, but something else forbids the request, such as rate limiting.

IMO 403 should be changed to 401 in Flask-Oauthlib itself. It's a one-character change. I'll send a PR.

lepture added a commit that referenced this issue Apr 30, 2014

@lepture

Owner

commented Apr 30, 2014

It is changed to 401. This patch will be shipped in 0.5.0.

@asteinlein


commented Apr 30, 2014

Thanks @lepture! Looking forward to the release. :)

I was just looking into this, by the way. While this change to 401 in Flask-OAuthlib is good, there are also some circumstances where oauthlib itself should return 401 IMO. For all errors, including invalid client errors, they return the general 400 status code (which Flask-OAuthlib doesn't interfere with). IMO the correct status code would be 401 for invalid client authentication as well.

But I'll bring that up with oauthlib itself. Just wanted to make a note of it here since it's related to this question.
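As an added illustration of the split the original question and asteinlein's comment argue for (not flask-oauthlib's own code), the following dependency-free decorator in the shape of require_oauth answers 400 to a malformed request, 401 to a missing or invalid token, and 403 only when the caller is authenticated but lacks a required scope, with the challenges worded per RFC 6750. VALID_TOKENS, verify_token and the headers-dict calling convention are assumptions made for this example.

```python
import re
from functools import wraps

VALID_TOKENS = {"tok-alice": {"user": "alice", "scopes": {"read"}}}  # constructed sample store

def verify_token(token):
    """Hypothetical lookup: the stored token record, or None if unknown/revoked."""
    return VALID_TOKENS.get(token)

def authenticate(headers, required_scopes=()):
    """Return (record, None) on success, else (None, (status, headers, body)).

    400 invalid_request    -> malformed request (e.g. bad Authorization syntax)
    401 / invalid_token    -> no, unknown or revoked token: re-authorizing WILL help
    403 insufficient_scope -> authenticated, but the token lacks a required scope
    Error codes and WWW-Authenticate challenges follow RFC 6750 section 3.1.
    """
    auth = headers.get("Authorization")
    if auth is None:  # no credentials at all: bare challenge, no error code
        return None, (401, {"WWW-Authenticate": 'Bearer realm="api"'}, "")
    m = re.fullmatch(r"Bearer ([A-Za-z0-9\-._~+/]+=*)", auth)
    if m is None:
        challenge = 'Bearer realm="api", error="invalid_request"'
        return None, (400, {"WWW-Authenticate": challenge}, "invalid_request")
    record = verify_token(m.group(1))
    if record is None:
        challenge = 'Bearer realm="api", error="invalid_token"'
        return None, (401, {"WWW-Authenticate": challenge}, "invalid_token")
    if set(required_scopes) - record["scopes"]:
        scope = " ".join(sorted(required_scopes))
        challenge = 'Bearer realm="api", error="insufficient_scope", scope="%s"' % scope
        return None, (403, {"WWW-Authenticate": challenge}, "insufficient_scope")
    return record, None

def require_oauth(*scopes):
    """Shape of flask-oauthlib's require_oauth, returning a triple instead of abort()."""
    def wrapper(f):
        @wraps(f)
        def decorated(headers, *args, **kwargs):
            record, failure = authenticate(headers, scopes)
            if failure is not None:
                return failure
            return f(record, *args, **kwargs)
        return decorated
    return wrapper

@require_oauth("read")
def profile(record):
    return 200, {}, "profile of " + record["user"]
```

In a Flask app the same triple would be turned into a response (status, headers and an error body) instead of a bare abort(), which is what lets a deployment satisfy a partner's 400/401 expectations without patching the library.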

lepture added a commit that referenced this issue Apr 30, 2014

@lepture lepture closed this May 13, 2014
