q-wiki / q-wiki-server

Q-Wiki is a Wikidata-based game (Unity front-end with ASP.NET Core back-end) developed by HTW Berlin students in cooperation with Wikimedia Germany.
GNU General Public License v3.0

Authentication fails if device id or push url contains special characters #2

Closed rrrnld closed 5 years ago

rrrnld commented 5 years ago

To reproduce:

curl -X POST "http://localhost:5000/api/Games" -H  "accept: application/json" -H  "X-Device-ID: äöo" -H  "X-Push-URL: abc"

Interestingly, this happens mainly with umlauts in the X-Push-URL or X-Device-ID header.

maltegoetz commented 5 years ago

Actually, this seems to be more complicated than I first thought. It does not apply to special characters in general but to non-ASCII chars (like äöü etc.), and device-id and push url should not contain non-ASCII chars. Therefore we do not need a fix for this.

rrrnld commented 5 years ago

Hm, you're right that maybe we don't need to fix this, but responding with a more appropriate status code like 422 or 400 would still be nice (this way we could be sure that with response 500 we messed up unintentionally).

maltegoetz commented 5 years ago

Unfortunately, Kestrel can't handle UTF-8 request headers right now, so we cannot handle them on our own.
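
A client-side pre-flight check for the two header values discussed in this thread, as an added example that is not part of the original issue or the q-wiki code; the class and method names are hypothetical. It assumes the caller may reject a device id or push URL that is not printable ASCII before the request is sent, so the bad value is reported there instead of surfacing as a 500 from the server.

```csharp
using System;

// Added example, not q-wiki code: HeaderPreflight and IsSendable are hypothetical names.
public static class HeaderPreflight
{
    // True when `value` can be sent as an HTTP header value: non-empty and
    // made only of printable ASCII (0x20..0x7E) or tab. On failure, `error`
    // names the first offending character so the caller can report it.
    public static bool IsSendable(string headerName, string value, out string error)
    {
        error = "";
        if (string.IsNullOrEmpty(value))
        {
            error = headerName + ": value is missing or empty";
            return false;
        }
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            if (c == '\r' || c == '\n')
            {
                // A line break would end this header and start a new one.
                error = $"{headerName}: line break at index {i}";
                return false;
            }
            if ((c < 0x20 && c != '\t') || c > 0x7E)
            {
                error = $"{headerName}: U+{(int)c:X4} at index {i} is not printable ASCII";
                return false;
            }
        }
        return true;
    }

    public static void Main()
    {
        // Constructed samples; "äöo" and "abc" are the values from the curl command in the issue.
        var samples = new[]
        {
            ("X-Device-ID", "äöo"),
            ("X-Push-URL", "abc"),
            ("X-Push-URL", "abc\r\nX-Other: 1"),
        };
        foreach (var (name, value) in samples)
        {
            Console.WriteLine(IsSendable(name, value, out var error) ? name + ": ok" : error);
        }
    }
}
```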