Check that the Bearer header is properly formatted #491
tests/oauth2/rfc6749/test_tokens.py
@@ -59,9 +61,17 @@ class TokenTest(TestCase): | |||
bearer_headers = { | |||
'Authorization': 'Bearer vF9dft4qmT' | |||
} | |||
fake_bearer_headers = { | |||
'Authorization': 'Beaver vF9dft4qmT' |
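Review bot: `fake_bearer_headers` covers only a misspelt scheme name ('Beaver'); the negative fixtures should also include a header with no separator between scheme and token ('BearerNoSpace') and one with extra words after the token ('Bearer Multi Space'), plus a positive fixture with more than one space between 'Bearer' and the token, since RFC 6750 writes the separator as 1*SP. Turning `fake_bearer_headers` into a list of dicts keeps all of these cases in the same test.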
Maybe add some further odd tokens? Such as
BearerNoSpace
Bearer Multi Space
BeaverNoSpace
Beaver Multi Space
Can do
@skion I finally added those tests, it seems though that travis is disabled for the repo now?
@skion thanks, I'll implement the check also for JWT
@skion I think the case
sorry for the noise, the
FWIW: The Bearer token header is described like this:
So multiple spaces after the
@skion updated my PR, everything should be ok now, let me know in case
oauthlib/oauth2/rfc6749/tokens.py
return self.request_validator.validate_jwt_bearer_token( | ||
token, request.scopes, request) | ||
|
||
def estimate_type(self, request): | ||
token = request.headers.get('Authorization', '')[7:] | ||
if token.startswith('ey') and token.count('.') in (2, 4): | ||
token_type, token, *_ = request.headers.get('Authorization', '').split(' ') |
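Review bot: the added `token_type, token, *_ = ...split(' ')` line has three problems. Extended unpacking is Python 3 syntax and will not parse on 2.7; the unpack raises ValueError whenever the header splits into fewer than two parts (a missing header gives '', which splits to ['']), so an absent or malformed Authorization header errors instead of being rejected; and `.split(' ')` keeps empty strings for repeated spaces, so 'Bearer  token' yields an empty token even though RFC 6750 allows 1*SP. Suggest `parts = header.split()` followed by an explicit `len(parts) >= 2` check before comparing `parts[0] == 'Bearer'`, and note that the unguarded `[7:]` slice two lines above is still in place.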
That syntax won't fly on Python 2.7 unfortunately... And should we use .split() instead of .split(' ') to allow for multispaces then?
Also, this can now raise a ValueError, which I'm not sure is desired (though haven't checked in detail).
dang you're right, too focused on python3. For the multispace I don't know, doesn't 1*SP stand for 1 space?
I know the feeling :) Re 1*SP, it is one or more spaces... unnatural indeed.
aaaaa gotcha, fixing also that then! :)
fixed both @skion
Somehow Travis-CI didn't add a link to the build, maybe because it has been canceled before starting (5 months ago, by who, why?..) So I have restarted the build which is passing, and adding a link: https://travis-ci.org/oauthlib/oauthlib/builds/290372743
thanks @JonathanHuot 👍
Would you want to add a new unit test which tests headers with multiple spaces between As @skion pointed out, it's validated by the RFC. Once done, the PR LGTM, ready for the merge! :-)
@JonathanHuot I added that header here https://github.com/MattBlack85/oauthlib/blob/38c56b20185ed84989563283f5855f82ef6d91ae/tests/oauth2/rfc6749/test_tokens.py#L68 wasn't this what @skion had in mind?
I let him reply, however I understood that we need to accept several spaces. The line you mention is testing several spaces
Yes, I think you're missing that positive test case, maybe make this into a list like the fake headers and add a test with multiple spaces between Bearer and the token there?
@skion looking again at the PR it seems I already made that check here https://github.com/oauthlib/oauthlib/pull/491/files#diff-6096f6f429036633b8a4a4156878b1c4R72 with related test https://github.com/oauthlib/oauthlib/pull/491/files#diff-6096f6f429036633b8a4a4156878b1c4R110
LGTM :-) |
While testing some things we noticed that passing a header with a typo like Beaver makes the app behave like it was Bearer. I don't know if this is a desired behaviour or not but it seems odd to me. I made the check a little bit more rigid and added test cases for that. Feel free to close and kill this if this is an intended behaviour.
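The lax slice and the stricter check argued over in this thread, as an added example that is neither oauthlib's code nor the PR's diff: `lax_token` reproduces the `[7:]` behaviour the description complains about, `extract_bearer_token` enforces the RFC 6750 shape `"Bearer" 1*SP b64token` with a constructed regex, and `estimate_type` runs the scheme check before the `ey`/dot-count JWT heuristic quoted above. It avoids Python 3-only unpacking so it also runs on 2.7, as the review asked.

```python
import re

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token, where
# b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"=".
# Constructed pattern for this example: exact-case scheme, one or more spaces,
# exactly one b64token and nothing else (\Z rejects trailing junk and newlines).
_BEARER_RE = re.compile(r'Bearer +([A-Za-z0-9\-._~+/]+=*)\Z')


def lax_token(headers):
    """Pre-PR behaviour shown on the page: drop 7 characters, whatever they are.

    'Beaver vF9dft4qmT' and 'Bearer vF9dft4qmT' both yield 'vF9dft4qmT'.
    """
    return headers.get('Authorization', '')[7:]


def extract_bearer_token(headers):
    """Return the token of a well-formed 'Authorization: Bearer ...' header, else None.

    Rejects a wrong scheme ('Beaver'), a missing separator ('BearerNoSpace')
    and extra words after the token ('Bearer Multi Space'); accepts several
    spaces between scheme and token (1*SP). Never raises, so a missing or
    malformed header is a plain rejection rather than a ValueError.
    """
    match = _BEARER_RE.match(headers.get('Authorization', ''))
    return match.group(1) if match else None


def estimate_type(headers):
    """Classify the header as 'jwt', 'bearer' or None (malformed)."""
    token = extract_bearer_token(headers)
    if token is None:
        return None
    # Compact JWS has 3 segments (2 dots), compact JWE has 5 (4 dots); both
    # begin with the base64url encoding of '{"', which is 'ey'.
    if token.startswith('ey') and token.count('.') in (2, 4):
        return 'jwt'
    return 'bearer'


if __name__ == '__main__':
    # Constructed sample headers, taken from the cases discussed in the thread.
    for value in ('Bearer vF9dft4qmT', 'Beaver vF9dft4qmT', 'BearerNoSpace',
                  'Bearer   vF9dft4qmT', 'Bearer Multi Space', ''):
        hdr = {'Authorization': value}
        print('%-22r lax=%-14r strict=%r' % (value, lax_token(hdr),
                                             extract_bearer_token(hdr)))
```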