From dc0d5d03c4af53742bce9b3866713e770a530a0c Mon Sep 17 00:00:00 2001
From: Landon GB
Date: Wed, 6 Sep 2017 09:44:12 -0600
Subject: [PATCH] have jwt_optional catch and ignore InvalidHeaderError

This fixes the case of a different authorization header (for example, into another authorization system) causing jwt_optional to return the invalid header error handler. This is technically a breaking change, but I would argue that this is more of a bug fix and that no one is (or should be) relying on jwt_optional to send back an InvalidHeaderError if they send in a different header then this extension expects. Refs #82

---
 flask_jwt_extended/view_decorators.py | 2 +-
 tests/test_protected_endpoints.py | 16 ++++++++--------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/flask_jwt_extended/view_decorators.py b/flask_jwt_extended/view_decorators.py
index 53be7c4a..293bcd9a 100644
--- a/flask_jwt_extended/view_decorators.py
+++ b/flask_jwt_extended/view_decorators.py
@@ -55,7 +55,7 @@ def wrapper(*args, **kwargs):
 jwt_data = _decode_jwt_from_request(request_type='access')
 ctx_stack.top.jwt = jwt_data
 _load_user(jwt_data[config.identity_claim])
- except NoAuthorizationError:
+ except (NoAuthorizationError, InvalidHeaderError):
 pass
 return fn(*args, **kwargs)
 return wrapper
diff --git a/tests/test_protected_endpoints.py b/tests/test_protected_endpoints.py
index 369dc08b..032b3cd3 100644
--- a/tests/test_protected_endpoints.py
+++ b/tests/test_protected_endpoints.py
@@ -272,8 +272,8 @@ def test_optional_bad_jwt_requests(self):
 headers={'Authorization': auth_header})
 data = json.loads(response.get_data(as_text=True))
 status_code = response.status_code
- self.assertEqual(status_code, 422)
- self.assertIn('msg', data)
+ self.assertEqual(data, {'msg': 'unprotected hello world'})
+ self.assertEqual(status_code, 200)
 
 # Test with type not being Bearer in authorization header
 auth_header = "BANANA {}".format(access_token)
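Review bot: `InvalidHeaderError` must already be imported in view_decorators.py for the new `except (NoAuthorizationError, InvalidHeaderError):` to work, and the module's import block is outside this hunk; since the exception tuple is only evaluated when an exception actually propagates out of the `try`, a missing import would show up as a NameError on the first request carrying a bad header rather than at import time, so it is worth confirming. The `try` and the enclosing `wrapper`/`jwt_optional` definitions begin outside the hunk. Swallowing a malformed header here also hides client misconfiguration from operators, so the intent should be stated on the except branch: `# A missing or malformed Authorization header is treated as an anonymous request; any other error raised by _decode_jwt_from_request still propagates to the caller`. The jwt_optional docstring (outside the hunk) should likewise say that invalid headers are ignored instead of producing the 422 response the old tests expected.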
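Review bot: The rewritten assertion blocks in test_optional_bad_jwt_requests (this hunk and the two at -281 and -290) pin the full unprotected response, but nothing in the test says why a malformed Authorization header is now expected to produce 200, which reads like a typo next to the 422 assertions that remain for the protected endpoints; a one-line comment before the first rewritten assertion, `# jwt_optional ignores malformed headers, so the request is served as unauthenticated`, would fix that. The same comment applies to the -527 hunk in test_different_headers_jwt_optional. The three blocks in this test differ only in the header value, so they could be folded into one loop over the bad header strings, though that is a style preference rather than a defect. The enclosing test method starts before the hunk.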
@@ -281,8 +281,8 @@ def test_optional_bad_jwt_requests(self):
 headers={'Authorization': auth_header})
 data = json.loads(response.get_data(as_text=True))
 status_code = response.status_code
- self.assertEqual(status_code, 422)
- self.assertIn('msg', data)
+ self.assertEqual(data, {'msg': 'unprotected hello world'})
+ self.assertEqual(status_code, 200)
 
 # Test with too many items in auth header
 auth_header = "Bearer {} BANANA".format(access_token)
@@ -290,8 +290,8 @@ def test_optional_bad_jwt_requests(self):
 headers={'Authorization': auth_header})
 data = json.loads(response.get_data(as_text=True))
 status_code = response.status_code
- self.assertEqual(status_code, 422)
- self.assertIn('msg', data)
+ self.assertEqual(data, {'msg': 'unprotected hello world'})
+ self.assertEqual(status_code, 200)
 
 def test_bad_tokens(self):
 # Test expired access token
@@ -527,8 +527,8 @@ def test_different_headers_jwt_optional(self):
 self.app.config['JWT_HEADER_TYPE'] = ''
 status, data = self._jwt_get('/partially-protected', access_token,
 header_type='Bearer')
- self.assertIn('msg', data)
- self.assertEqual(status, 422)
+ self.assertEqual(data, {'msg': 'unprotected hello world'})
+ self.assertEqual(status, 200)
 
 self.app.config['JWT_HEADER_TYPE'] = 'Bearer'
 self.app.config['JWT_HEADER_NAME'] = 'Auth'