From 455778d138ea623d224c9206e5001fd2a1fd7e1c Mon Sep 17 00:00:00 2001 From: Tres Seaver <tseaver@palladion.com> Date: Tue, 31 May 2016 19:35:57 +0200 Subject: [PATCH] middleware: Avoid passing extracted 'identity' to 'remember' during egress. --- CHANGES.rst | 3 +++ repoze/who/tests/test_middleware.py | 34 ++++++++++++++++++++++++++++++++++ repoze/who/middleware.py | 5 ++--- 3 files changed, 39 insertions(+), 3 deletions(-) diff --git a/CHANGES.rst b/CHANGES.rst index d507b75..9e4b6eb 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -8,6 +8,9 @@ - Drop support for Python 2.6 and 3.2. +- ``middleware``: avoid passing extracted ``identity`` to ``remember`` + during egress (the app may have called ``api.forget()``). See #21. + - ``_auth_tkt`` / ``plugins.auth_tkt``: add support for any hash algorithm supported by the ``hashlib`` module in Python's standard library. Fixes #22 via #23. diff --git a/repoze/who/middleware.py b/repoze/who/middleware.py index 8b5771e..d84c4ed 100644 --- a/repoze/who/middleware.py +++ b/repoze/who/middleware.py @@ -72,8 +72,7 @@ logger = self.logger path_info = environ.get('PATH_INFO', None) logger and logger.info(_STARTED % path_info) - identity = None - identity = api.authenticate() + api.authenticate() # identity saved in environ # allow identifier plugins to replace the downstream # application (to do redirection and unauthorized themselves @@ -114,7 +113,7 @@ raise RuntimeError('no challengers found') else: logger and logger.info('no challenge required') - remember_headers = api.remember(identity) + remember_headers = api.remember() wrapper.finish_response(remember_headers) logger and logger.info(_ENDED % path_info) diff --git a/repoze/who/tests/test_middleware.py b/repoze/who/tests/test_middleware.py index b79998d..f53e81a 100644 --- a/repoze/who/tests/test_middleware.py +++ b/repoze/who/tests/test_middleware.py @@ -224,6 +224,29 @@ self.assertEqual(start_response.status, '200 OK') self.assertEqual(start_response.headers, headers) + def test_call_200_no_challengers_app_calls_forget(self): + # See https://github.com/repoze/repoze.who/issues/21 + environ = self._makeEnviron() + remember_headers = [('remember', '1')] + forget_headers = [('forget', '1')] + app = DummyLogoutApp('200 OK') + credentials = {'login':'chris', 'password':'password'} + identifier = DummyIdentifier( + credentials, + remember_headers=remember_headers, + forget_headers=forget_headers) + identifiers = [ ('identifier', identifier) ] + authenticator = DummyAuthenticator() + authenticators = [ ('authenticator', authenticator) ] + mw = self._makeOne( + app=app, identifiers=identifiers, authenticators=authenticators) + start_response = DummyStartResponse() + result = mw(environ, start_response) + self.assertEqual(mw.app.environ, environ) + self.assertEqual(result, ['body']) + self.assertEqual(start_response.status, '200 OK') + self.assertEqual(start_response.headers, forget_headers) + def test_call_401_no_identifiers(self): from webob.exc import HTTPUnauthorized environ = self._makeEnviron() @@ -607,6 +630,17 @@ start_response(self.status, self.headers) return ['body'] +class DummyLogoutApp(object): + def __init__(self, status): + self.status = status + + def __call__(self, environ, start_response): + self.environ = environ + api = environ['repoze.who.api'] + headers = api.logout() + start_response(self.status, headers) + return ['body'] + class DummyGeneratorApp(object): def __init__(self, status, headers): self.status = status -- Gitblit v1.9.3