Make check for Authorization header more robust. #174

Merged
merged 1 commit into from
Jul 29, 2015

joestump
Owner

Addresses the following issues:

The check for Authorization is now case insensitive and the library also checks for HTTP_AUTHORIZATION so you can pass WSGI headers directly.

Here are the tests without the patch applied:

(python-oauth2)Joes-MacBook:python-oauth2 jstump$ py.test
====================================================================== test session starts ======================================================================
platform darwin -- Python 2.7.6 -- py-1.4.30 -- pytest-2.7.2
rootdir: /Users/jstump/Dropbox/jstump/dev/python-oauth2, inifile: 
collected 72 items 

tests/test_oauth.py .......................FF...............................................

=========================================================================== FAILURES ============================================================================
______________________________________________ TestRequest.test_from_request_is_case_insensitive_checking_for_auth ______________________________________________

self = <tests.test_oauth.TestRequest testMethod=test_from_request_is_case_insensitive_checking_for_auth>

    def test_from_request_is_case_insensitive_checking_for_auth(self):
        """Checks for the Authorization header should be case insensitive."""
        url = "http://sp.example.com/"

        params = {
            'oauth_version': "1.0",
            'oauth_nonce': "4572616e48616d6d65724c61686176",
            'oauth_timestamp': "137131200",
            'oauth_consumer_key': "0685bd9184jfhq22",
            'oauth_signature_method': "HMAC-SHA1",
            'oauth_token': "ad180jjd733klru7",
            'oauth_signature': "wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
        }

        req = oauth.Request("GET", url, params)
        headers = req.to_header()

        # Munge the headers
        headers['authorization'] = headers['Authorization']
        del headers['Authorization']

        # Test from the headers
        req = oauth.Request.from_request("GET", url, headers)
>       self.assertEquals(req.method, "GET")
E       AttributeError: 'NoneType' object has no attribute 'method'

tests/test_oauth.py:969: AttributeError
_________________________________________________________ TestRequest.test_from_request_works_with_wsgi _________________________________________________________

self = <tests.test_oauth.TestRequest testMethod=test_from_request_works_with_wsgi>

    def test_from_request_works_with_wsgi(self):
        """Make sure WSGI header HTTP_AUTHORIZATION is detected correctly."""
        url = "http://sp.example.com/"

        params = {
            'oauth_version': "1.0",
            'oauth_nonce': "4572616e48616d6d65724c61686176",
            'oauth_timestamp': "137131200",
            'oauth_consumer_key': "0685bd9184jfhq22",
            'oauth_signature_method': "HMAC-SHA1",
            'oauth_token': "ad180jjd733klru7",
            'oauth_signature': "wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D",
        }

        req = oauth.Request("GET", url, params)
        headers = req.to_header()

        # Munge the headers
        headers['HTTP_AUTHORIZATION'] = headers['Authorization']
        del headers['Authorization']

        # Test from the headers
        req = oauth.Request.from_request("GET", url, headers)
>       self.assertEquals(req.method, "GET")
E       AttributeError: 'NoneType' object has no attribute 'method'

tests/test_oauth.py:941: AttributeError
============================================================== 2 failed, 70 passed in 3.20 seconds ==============================================================

…or WSGI's HTTP_AUTHORIZATION in the headers.
@joestump joestump added this to the 2.0 milestone Jul 29, 2015
@jaitaiwan
Contributor

Awesome. LGTM

@rickhanlonii
Collaborator

This is great!

Just so it's clear to those following along at home, HTTP headers are case-insensitive according to RFC 2616 section 4.2:

Each header field consists of a name followed by a colon (":") and the field value. Field names are case-insensitive.

Also, the field value is allowed to have whitespace, but the field name is not--so there's no need to add trimming here.
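
The header lookup discussed in this pull request, as an added example that is not the library's code and not part of the thread: an exact-case lookup beside one that matches `Authorization` case-insensitively and also accepts WSGI's `HTTP_AUTHORIZATION`. The names `strict_lookup`, `find_authorization`, `oauth_params` and `SAMPLE` are hypothetical, and rejecting conflicting duplicate values is an assumption added here.

```python
# Added illustration; not python-oauth2's implementation.
AUTH_NAMES = ("authorization", "http_authorization")

# Constructed sample value, reusing parameter values from the tests quoted above.
SAMPLE = ('OAuth realm="", oauth_consumer_key="0685bd9184jfhq22", '
          'oauth_token="ad180jjd733klru7", '
          'oauth_signature="wOJIO9A2W5mFwDgiDvZbTSMK%2FPY%3D"')


def strict_lookup(headers):
    """Exact-case lookup: misses 'authorization' and 'HTTP_AUTHORIZATION'."""
    return headers.get("Authorization")


def find_authorization(headers):
    """Return the Authorization value from a header dict or WSGI environ.

    Header names are compared case-insensitively. Returns None when the
    header is absent. Raises ValueError when several matching keys carry
    different values (assumption: refuse rather than pick one silently).
    """
    matches = {}
    for name, value in headers.items():
        if isinstance(name, str) and name.lower() in AUTH_NAMES:
            matches[name] = value
    if not matches:
        return None
    if len(set(matches.values())) > 1:
        raise ValueError("conflicting Authorization headers: %s" % sorted(matches))
    return next(iter(matches.values()))


def oauth_params(header_value):
    """Split an 'OAuth k="v", ...' value into its oauth_* parameters.

    Values are returned still percent-encoded; 'realm' is skipped.
    """
    scheme, _, rest = header_value.partition(" ")
    if scheme.lower() != "oauth":  # scheme token, compared case-insensitively
        return {}
    params = {}
    for item in rest.split(","):
        key, _, value = item.strip().partition("=")
        if key.startswith("oauth_"):
            params[key] = value.strip('"')
    return params
```
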

joestump added a commit that referenced this pull request Jul 29, 2015
Make check for Authorization header more robust.
@joestump joestump merged commit b909b48 into master Jul 29, 2015
@joestump
Owner Author

@rickhanlonii are you interested in joining @jaitaiwan and me in maintaining this library? 😃

@rickhanlonii
Collaborator

I'd be happy to! 💁

@joestump
Owner Author

@rickhanlonii welcome to the team. Added you! 👊

@rickhanlonii
Collaborator

@joestump thanks, happy to help!

@rickhanlonii rickhanlonii deleted the fix-authorization-detection branch July 29, 2015 20:48
@jaitaiwan
Contributor

Woot! 2/3 majority time for LGTM haha

3 participants