florimondmanca / djangorestframework-api-key

🔐 API key permissions for Django REST Framework
https://florimondmanca.github.io/djangorestframework-api-key/
MIT License

`KeyParser` should match `keyword` exactly #218

Closed Kostia-K closed 1 year ago

Kostia-K commented 2 years ago

`KeyParser` matches if the authentication scheme ends with the keyword. I suppose this situation shouldn't come up in most use cases, but this behaviour is surprising nonetheless. Example:

```python
from rest_framework_api_key.permissions import KeyParser

class Request:
    pass

request = Request()
request.META = {"HTTP_AUTHORIZATION": "My-Special-Api-Key 123456789"}

# prints the key 123456789
print(KeyParser().get(request))
```

In comparison, Django Rest Framework TokenAuthentication matches the keyword exactly (case-insensitive): https://github.com/encode/django-rest-framework/blob/master/rest_framework/authentication.py#L177

florimondmanca commented 1 year ago

That sounds inappropriate, yup. Marked this as a bug. Anyone up for digging into this, much welcome!
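
The difference between suffix matching and exact matching of the scheme, as an added example that is not the project's code or a patch from this thread. `lenient_get` is a constructed stand-in that reproduces the behaviour reported above (its split-based logic is an assumption), `strict_get` follows the exact, case-insensitive comparison the issue attributes to DRF's `TokenAuthentication`, and both function names and the sample headers are hypothetical.

```python
from typing import List, Optional, Tuple

KEYWORD = "Api-Key"  # scheme keyword taken from the issue's example header


def lenient_get(authorization: Optional[str], keyword: str = KEYWORD) -> Optional[str]:
    """Constructed stand-in for the reported behaviour: splitting on
    "<keyword> " accepts any scheme that merely ends with the keyword."""
    if not authorization:
        return None
    try:
        _, key = authorization.split(f"{keyword} ")
    except ValueError:
        return None
    return key


def strict_get(authorization: Optional[str], keyword: str = KEYWORD) -> Optional[str]:
    """Accept only "<keyword> <key>": exactly two whitespace-separated
    parts, with the scheme compared case-insensitively."""
    if not authorization:
        return None
    parts = authorization.split()
    if len(parts) != 2:  # missing key, or a key containing spaces
        return None
    scheme, key = parts
    if scheme.lower() != keyword.lower():
        return None
    return key


# Constructed sample headers (not taken from real traffic)
SAMPLES = [
    "Api-Key 123456789",             # well-formed
    "My-Special-Api-Key 123456789",  # the case from the issue
    "api-key 123456789",             # different case
    "Api-Key 1234 5678",             # key with an embedded space
    "Bearer 123456789",              # unrelated scheme
]


def compare(headers: List[str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (header, lenient result, strict result) for each header."""
    return [(h, lenient_get(h), strict_get(h)) for h in headers]


if __name__ == "__main__":
    for header, loose, strict in compare(SAMPLES):
        print(f"{header!r:34} lenient={loose!r:14} strict={strict!r}")
```
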