From 0f21ffdea54cbc6d2a6dd9096ecba63dae4ee72c Mon Sep 17 00:00:00 2001
From: Francis Charette Migneault
Date: Fri, 8 Sep 2023 12:54:54 -0400
Subject: [PATCH] fix returned headers on 401 response

---
 CHANGES.rst | 9 ++++++++-
 magpie/utils.py | 15 +++++++++++----
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 3a929a38..05d34778 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -9,7 +9,14 @@ Changes
 `Unreleased `_ (latest)
 ------------------------------------------------------------------------------------
-* Nothing new for the moment.
+Features / Changes
+~~~~~~~~~~~~~~~~~~~~~
+* n/a
+
+Bug Fixes
+~~~~~~~~~~~~~~~~~~~~~
+* Fix returned headers in ``401 Unauthenticated`` response which did not properly employ ``Authentication-Control``
+ header to return the ``location-when-unauthenticated`` parameter instead of returning it directly as invalid header.
 .. _changes_3.35.0:
diff --git a/magpie/utils.py b/magpie/utils.py
index e44ceb35..e3b7bca3 100644
--- a/magpie/utils.py
+++ b/magpie/utils.py
@@ -629,11 +629,18 @@ def get_authenticate_headers(request, error_type="invalid_token"):
 # WWW-Authenticate: challenge-1 [realm="<>" title="<>" ...],
 # challenge-2 [...], ...
 # provide URL with both 'domain' and 'uri' which are two variants that can exist, depending on implementation
-"WWW-Authenticate": ("Cookie cookie-name=\"{c}\" error=\"{e}\" title=\"{t}\" "
-"domain=\"{u}\" uri=\"{u}\" realm=\"{r}\" "
-.format(c=cookie_name, e=error_type, u=signin_url, r=hostname, t=title)),
+"WWW-Authenticate": (
+"Cookie cookie-name=\"{c}\" error=\"{e}\" title=\"{t}\" domain=\"{u}\" uri=\"{u}\" realm=\"{r}\" ".format(
+c=cookie_name, e=error_type, u=signin_url, r=hostname, t=title
+)
+),
+# https://tools.ietf.org/html/rfc8053#section-4
 # https://tools.ietf.org/html/rfc8053#section-4.3
-"Location-When-Unauthenticated": login_url,
+"Authentication-Control": (
+"Cookie cookie-name=\"{c}\" realm=\"{r}\" location-when-unauthenticated=\"{u}\"".format(
+c=cookie_name, r=hostname, u=login_url
+)
+),
 }
 return headers
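Review bot: The new `Authentication-Control` value, and the rebuilt `WWW-Authenticate` value above it, interpolate `cookie_name`, `hostname`, `login_url` and `signin_url` into RFC 7235 quoted-strings with no escaping, so a `"` or `\` in any of them produces a challenge the client cannot parse and silently defeats the fix; `hostname` in particular reads as if it may be derived from the request, which this hunk does not show, so its origin should be confirmed. A small helper such as `def _quoted(value): return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'` applied to each parameter (and dropping the hand-written `\"{c}\"` quoting) would keep both headers well-formed whatever the settings hold. As I read RFC 8053 §4, a client ties an `Authentication-Control` entry to its challenge by the auth-scheme and `realm` pair, so the fact that both headers use `Cookie` and `realm=hostname` is load-bearing; a comment such as `# scheme and realm must match the WWW-Authenticate challenge above (RFC 8053 §4)` would protect that from drifting apart later. The body of `get_authenticate_headers` begins outside the hunk.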