Return 401 Unauthorized when using json/url encoded auth fails #5844

9 changes: 7 additions & 2 deletions supervisor/api/auth.py
Expand Up @@ -79,13 +79,18 @@ async def auth(self, request: web.Request) -> bool:
# Json
if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_JSON:
data = await request.json(loads=json_loads)
return await self._process_dict(request, addon, data)
if not await self._process_dict(request, addon, data):
raise HTTPUnauthorized()
return True

# URL encoded
if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_URL:
data = await request.post()
return await self._process_dict(request, addon, data)
if not await self._process_dict(request, addon, data):
raise HTTPUnauthorized()
return True

# Advertise Basic authentication by default
raise HTTPUnauthorized(headers=REALM_HEADER)

@api_process
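Review bot: The `raise HTTPUnauthorized()` added on the JSON and URL-encoded failure paths returns a 401 with no WWW-Authenticate challenge, which RFC 7235 §3.1 requires on every 401 response, and the new tests pin the header's absence. If that is intentional — presumably so JSON/form callers are not handed a Basic challenge that browsers turn into a login prompt — record it at the raise site, e.g. `# Deliberately no WWW-Authenticate: failed JSON/form logins get a bare 401`, and put the same one-line comment beside the `assert WWW_AUTHENTICATE not in resp.headers` lines in tests/api/test_auth.py so a later "RFC fix" is not mistaken for a regression. Separately, both branches now end with the same three lines; parsing the credentials first and checking them once leaves a single failure path, as sketched below. The body of auth() starts before this hunk.
```python
        # Json
        if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_JSON:
            data = await request.json(loads=json_loads)
        # URL encoded
        elif request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_URL:
            data = await request.post()
        else:
            # Advertise Basic authentication by default
            raise HTTPUnauthorized(headers=REALM_HEADER)

        # Deliberately no WWW-Authenticate on a failed JSON/form login;
        # the Basic challenge is only advertised for unsupported bodies.
        if not await self._process_dict(request, addon, data):
            raise HTTPUnauthorized()
        return True
```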
11 changes: 6 additions & 5 deletions tests/api/test_auth.py
Expand Up @@ -3,6 +3,7 @@
from datetime import UTC, datetime, timedelta
from unittest.mock import AsyncMock, patch

from aiohttp.hdrs import WWW_AUTHENTICATE
from aiohttp.test_utils import TestClient
import pytest

Expand Down Expand Up @@ -137,8 +138,8 @@ async def test_auth_json_invalid_credentials(
resp = await api_client.post(
"/auth", json={"username": "test", "password": "wrong"}
)
# Do we really want the API to return 400 here?
assert resp.status == 400
assert WWW_AUTHENTICATE not in resp.headers
assert resp.status == 401


@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
Expand Down Expand Up @@ -184,8 +185,8 @@ async def test_auth_urlencoded_failure(
data="username=test&password=fail",
headers={"Content-Type": "application/x-www-form-urlencoded"},
)
# Do we really want the API to return 400 here?
assert resp.status == 400
assert WWW_AUTHENTICATE not in resp.headers
assert resp.status == 401


@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
Expand All @@ -196,7 +197,7 @@ async def test_auth_unsupported_content_type(
resp = await api_client.post(
"/auth", data="something", headers={"Content-Type": "text/plain"}
)
# This probably should be 400 here for better consistency
assert "Basic realm" in resp.headers[WWW_AUTHENTICATE]
assert resp.status == 401

