On 03/25/2015 12:01 PM, Thomas De Schampheleire wrote:
# HG changeset patch
# User Thomas De Schampheleire <[email protected]>
# Date 1427269791 -3600
# Wed Mar 25 08:49:51 2015 +0100
# Node ID c5828585502f1a061f162abe8cbd181c17039843
# Parent 6017996e4dcfda0f5623498a45c51bb184eb67bb
auth: do not redirect to login page on invalid API key
When accessing Kallithea through an API call, providing an API key, it
doesn't make sense to redirect to a login page on failed authentication.
Instead, raise a 401 Unauthorized exception.
The WWW-authenticate header is a mandatory element for 401 Unauthorized, as
specified by RFC 7235. The exact contents do not seem to be important, so
define a custom auth scheme 'APIKEY' with a realm of 'Kallithea'.
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -58,6 +58,7 @@
get_user_group_slug, conditional_cache
from kallithea.lib.caching_query import FromCache
+from webob.exc import HTTPUnauthorized
log = logging.getLogger(__name__)
@@ -763,6 +764,8 @@
log.debug("API KEY *NOT* present in request")
else:
log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])
+ headers = [('WWW-Authenticate', 'APIKEY
realm="Kallithea"')]
The API does not use HTTP authentication. I thus think it is misleading
to return 401 and WWW-Authenticate.
I think it would be better to just fail with 400 Bad Request.
When we don't add headers, we can just use "return abort(400)" as done
elsewhere in the same file.
/Mads
+ raise HTTPUnauthorized(headers=headers)
log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
_______________________________________________
kallithea-general mailing list
[email protected]
http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
_______________________________________________
kallithea-general mailing list
[email protected]
http://lists.sfconservancy.org/mailman/listinfo/kallithea-general
