requests / requests-oauthlib

OAuthlib support for Python-Requests!
https://requests-oauthlib.readthedocs.org/
ISC License

make OAuth2 session picklable #444

Open bcavagnolo opened 3 years ago

satiowadahc commented 3 years ago

This PR makes me hesitate on a security library when the top of the documentation says pickling is not secure. Can you elaborate on the use case?

https://docs.python.org/3/library/pickle.html

darkrain42 commented 1 year ago

> This PR makes me hesitate on a security library when the top of the documentation says pickling is not secure. Can you elaborate on the use case?

The multiprocessing library (and consequently things such as concurrent.futures's ProcessPoolExecutor) requires that the objects be picklable.

darkrain42 commented 1 year ago

That said, the fix here is incomplete, at least with current versions of requests. The requests Session defines a specific list of attributes to save/restore, which doesn't include the OAuth2Session's _client attribute, so the unpickled session is unusable when attempting to make a request.

For context, without the fix in the PR here, I see the following exception:

```
Traceback (most recent call last):
...
  File "/usr/lib/python3.11/multiprocessing/pool.py", line 873, in next
    raise value
  File "/usr/lib/python3.11/multiprocessing/pool.py", line 540, in _handle_tasks
    put(task)
  File "/usr/lib/python3.11/multiprocessing/connection.py", line 205, in send
    self._send_bytes(_ForkingPickler.dumps(obj))
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/multiprocessing/reduction.py", line 51, in dumps
    cls(buf, protocol).dump(obj)
AttributeError: Can't pickle local object 'OAuth2Session.__init__.<locals>.<lambda>'
```
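The two failure modes described in this thread, reproduced as an added example that is not code from the PR or from requests-oauthlib. `BaseSession` is a hypothetical stand-in for a session class that saves and restores only a fixed attribute list; every class name, `pass_through`, and the client id are constructed for illustration.

```python
import pickle

class BaseSession:
    """Stand-in for a session that saves and restores only a fixed attribute list."""
    __attrs__ = ["headers", "auth"]

    def __init__(self):
        self.headers, self.auth = {}, None

    def __getstate__(self):
        return {name: getattr(self, name, None) for name in self.__attrs__}

    def __setstate__(self, state):
        for name, value in state.items():
            setattr(self, name, value)

# Module-level function: pickled by reference, unlike a lambda local to __init__.
def pass_through(request):
    return request

class IncompleteSession(BaseSession):
    """Picklable, but _client is not in __attrs__ and is dropped on save."""
    def __init__(self, client_id):
        super().__init__()
        self._client = {"client_id": client_id}
        self.auth = pass_through

class LambdaSession(IncompleteSession):
    """Puts a lambda created inside __init__ into a saved attribute."""
    def __init__(self, client_id):
        super().__init__(client_id)
        self.auth = lambda request: request  # local object, cannot be pickled

class CompleteSession(IncompleteSession):
    """Also lists _client, so it survives the round trip."""
    __attrs__ = BaseSession.__attrs__ + ["_client"]

def roundtrip_report(session):
    """Pickle and unpickle a session, then report whether it is still usable."""
    try:
        restored = pickle.loads(pickle.dumps(session))
    except (AttributeError, pickle.PicklingError):  # type differs by Python version
        return "not picklable"
    if not hasattr(restored, "_client"):
        return "unpickled without _client"
    return "usable, client_id=" + restored._client["client_id"]

if __name__ == "__main__":
    for cls in (LambdaSession, IncompleteSession, CompleteSession):
        print(cls.__name__, "->", roundtrip_report(cls("constructed-client-id")))
```

Once `_client` is part of the saved state, the pickle bytes carry whatever the client object holds, so they need the same handling as the credentials themselves.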