The Wayback Machine - https://web.archive.org/web/20200523045853/https://github.com/oauthlib/oauthlib/issues/718
Skip to content
oauthlib / oauthlib
Sign up
Sign in Sign up

/ oauthlib

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Misleading method name with "magic" fallback #718

Open
polamayster opened this issue Mar 6, 2020 · 1 comment
Open

Misleading method name with "magic" fallback #718

polamayster opened this issue Mar 6, 2020 · 1 comment

Comments

@polamayster
Copy link
Contributor

@polamayster polamayster commented Mar 6, 2020
edited

oauthlib/oauthlib/oauth2/rfc6749/tokens.py

Lines 240 to 257 in b71636e

def get_token_from_header(request):
"""
Helper function to extract a token from the request header.
:param request: OAuthlib request.
:type request: oauthlib.common.Request
:return: Return the token or None if the Authorization header is malformed.
"""
token = None
if 'Authorization' in request.headers:
split_header = request.headers.get('Authorization').split()
if len(split_header) == 2 and split_header[0].lower() == 'bearer':
token = split_header[1]
else:
token = request.access_token
return token

It would be much more predictable/cleaner if method either did not fallback to body payload/uri_query on line 255:

oauthlib/oauthlib/oauth2/rfc6749/tokens.py

Lines 254 to 255 in b71636e

else:
token = request.access_token

or method was renamed to reflect what it actually does.

Paranoiac mode on: security issue can slip in with a misuse as token in headers is for authorization of the request and token in payload is for introspection/revoke/refresh and can be accidentally used to authorize request itself:

oauthlib/oauthlib/oauth2/rfc6749/tokens.py

Lines 337 to 344 in ca57b0b

def validate_request(self, request):
"""
:param request: OAuthlib request.
:type request: oauthlib.common.Request
"""
token = get_token_from_header(request)
return self.request_validator.validate_bearer_token(
token, request.scopes, request)

@JonathanHuot
Copy link
Member

@JonathanHuot JonathanHuot commented Mar 13, 2020
edited

Yes you're right, I think this part of the code deserves a refactoring to allow #609 , which is essential to progress on the different ways of client authentication.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
@JonathanHuot @polamayster
You can’t perform that action at this time.
Morty Proxy This is a proxified and sanitized view of the page, visit original site.