vertexcover-io / falcon-auth

A falcon middleware + authentication backends that adds authentication layer to your app/api service.
MIT License
103 stars 31 forks

Wrong Template URI Check #28

Closed m3th0d closed 5 years ago

m3th0d commented 5 years ago

I need to have disabled authorization in some resource class so I added to it:

auth = {
    'auth_disabled': True,
}

But when I try to call a method of this resource I get Missing Authorization Header error. I have similar cases in my code and they work ok. So I noticed that correct cases have static routes (parameterless) unlike failing one. I did some investigation - in falcon_auth/middleware.py:

...
    def _get_auth_settings(self, req, resource):
...
        if auth_settings.get('auth_disabled'):
            auth_settings['exempt_routes'].append(req.path)
...

and

...
    def process_resource(self, req, resp, resource, *args, **kwargs):
        auth_setting = self._get_auth_settings(req, resource)
        if (req.uri_template in auth_setting['exempt_routes'] or
            req.method in auth_setting['exempt_methods']):
            return
...

In the case of a URI with parameters, the actual path differs from uri_template - that's why it doesn't exempt the method from auth. I checked the file history and, as I understand, req.path was replaced with req.uri_template in process_resource recently, but req.path in _get_auth_settings was not updated. Fix it please.

jcwilson commented 5 years ago

Can you check #29 to validate that this will address your issue?

m3th0d commented 5 years ago

It looks ok. Thank you

jcwilson commented 5 years ago

Resolved by #29
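
The mismatch reported in this issue, as an added example that is not part of the thread or of falcon-auth's code: a stdlib-only model of the two quoted snippets, showing why a static route is exempted while a parameterized one is not. `Request`, `exempt_key`, `is_exempt`, the sample routes and the default `exempt_methods` value are assumptions made for the illustration.

```python
# Added illustration: a stdlib-only model of the check described in this issue.
# Request, exempt_key and is_exempt are hypothetical names, not falcon or
# falcon-auth APIs.
from dataclasses import dataclass


@dataclass
class Request:
    method: str
    path: str          # concrete path of this request, e.g. /items/42
    uri_template: str  # route template that matched, e.g. /items/{item_id}


def exempt_key(req, use_template):
    """Value recorded for a resource that sets auth_disabled."""
    return req.uri_template if use_template else req.path


def is_exempt(req, resource_auth, use_template):
    """Model of _get_auth_settings followed by the process_resource test."""
    # Constructed defaults for the model
    settings = {"exempt_routes": [], "exempt_methods": ["OPTIONS"]}
    settings.update(resource_auth)
    if settings.get("auth_disabled"):
        settings["exempt_routes"].append(exempt_key(req, use_template))
    # process_resource compares the template, never the concrete path
    return (req.uri_template in settings["exempt_routes"]
            or req.method in settings["exempt_methods"])


# Constructed sample requests
STATIC = Request("GET", "/health", "/health")
PARAM = Request("GET", "/items/42", "/items/{item_id}")
DISABLED = {"auth_disabled": True}


def demo():
    return {
        "static, path recorded": is_exempt(STATIC, DISABLED, use_template=False),
        "param, path recorded": is_exempt(PARAM, DISABLED, use_template=False),
        "param, template recorded": is_exempt(PARAM, DISABLED, use_template=True),
        "param, auth enabled": is_exempt(PARAM, {}, use_template=True),
    }


if __name__ == "__main__":
    for case, exempt in demo().items():
        print(f"{case:26} exempt={exempt}")
```

With the path recorded, the mismatch fails closed: the parameterized route still demands credentials, which matches the Missing Authorization Header error in the report. A regression test for this middleware should cover at least one templated route alongside a static one.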