Undocumented (error prone) django-rest-framework authentication side-effect #633
Milestone
Comments
gbataille
changed the title
auvipy
pushed a commit
that referenced
this issue
Jun 7, 2019
* Use getattr for oauth2_error access (#633) If the request doesn't have a oauth2_error property the authenticate_header method errors. This can happen when the oauthlib_core.verify_request method raises exceptions in authenticate. It is useful to be able to raise AuthenticationFailed exceptions from within a custom validate_bearer_token method which causes this. * Add Test OAuth2Authentication authenticate override Added a test for if an authenticate method that returns None is used. This should result in a HTTP 401 response for any request.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
In here https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/contrib/rest_framework/authentication.py, the
authenticatemethod has a hidden that effect. On authentication error, it sets aoauth2_errorattribute on the request and thenauthenticate_headerassumes it's there.This caused me an issue because I have subclasses
OAuth2Authenticationand to overrideauthenticate. Of course I did not know of this "side effect" and a lot of tests started to fail on my project. Was quite hard to debug.Granted it's odd that we override this class, we have legacy reasons to do so. I think the
authenticate_headermethod should be more relaxed and look likeWhat do you think?
The text was updated successfully, but these errors were encountered: