have jwt_optional catch and ignore InvalidHeaderError

This fixes the case of a different authorization header (for example, into another authorization system) causing jwt_optional to return the invalid header error handler. This is technically a breaking change, but I would argue that this is more of a bug fix and that no one is (or should be) relying on jwt_optional to send back an InvalidHeaderError if they send in a different header then this extension expects. Refs #82
vimalloc · Sep 6, 2017 · dc0d5d0 · dc0d5d0
1 parent 36e7dc3
commit dc0d5d0
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 9 deletions.
diff --git a/flask_jwt_extended/view_decorators.py b/flask_jwt_extended/view_decorators.py
@@ -55,7 +55,7 @@ def wrapper(*args, **kwargs):
             jwt_data = _decode_jwt_from_request(request_type='access')
             ctx_stack.top.jwt = jwt_data
             _load_user(jwt_data[config.identity_claim])
-        except NoAuthorizationError:
+        except (NoAuthorizationError, InvalidHeaderError):
             pass
         return fn(*args, **kwargs)
     return wrapper

diff --git a/tests/test_protected_endpoints.py b/tests/test_protected_endpoints.py
@@ -272,26 +272,26 @@ def test_optional_bad_jwt_requests(self):
                                    headers={'Authorization': auth_header})
         data = json.loads(response.get_data(as_text=True))
         status_code = response.status_code
-        self.assertEqual(status_code, 422)
-        self.assertIn('msg', data)
+        self.assertEqual(data, {'msg': 'unprotected hello world'})
+        self.assertEqual(status_code, 200)
 
         # Test with type not being Bearer in authorization header
         auth_header = "BANANA {}".format(access_token)
         response = self.client.get('/partially-protected',
                                    headers={'Authorization': auth_header})
         data = json.loads(response.get_data(as_text=True))
         status_code = response.status_code
-        self.assertEqual(status_code, 422)
-        self.assertIn('msg', data)
+        self.assertEqual(data, {'msg': 'unprotected hello world'})
+        self.assertEqual(status_code, 200)
 
         # Test with too many items in auth header
         auth_header = "Bearer {} BANANA".format(access_token)
         response = self.client.get('/partially-protected',
                                    headers={'Authorization': auth_header})
         data = json.loads(response.get_data(as_text=True))
         status_code = response.status_code
-        self.assertEqual(status_code, 422)
-        self.assertIn('msg', data)
+        self.assertEqual(data, {'msg': 'unprotected hello world'})
+        self.assertEqual(status_code, 200)
 
     def test_bad_tokens(self):
         # Test expired access token
@@ -527,8 +527,8 @@ def test_different_headers_jwt_optional(self):
         self.app.config['JWT_HEADER_TYPE'] = ''
         status, data = self._jwt_get('/partially-protected', access_token,
                                      header_type='Bearer')
-        self.assertIn('msg', data)
-        self.assertEqual(status, 422)
+        self.assertEqual(data, {'msg': 'unprotected hello world'})
+        self.assertEqual(status, 200)
 
         self.app.config['JWT_HEADER_TYPE'] = 'Bearer'
         self.app.config['JWT_HEADER_NAME'] = 'Auth'