zamzterz / Flask-pyoidc

Flask extension for using pyoidc as authentication for Flask apps.
Apache License 2.0

Invalid authorization headers raise an exception #174

Open azmeuk opened 7 months ago

azmeuk commented 7 months ago

I stumbled upon a crash on an endpoint protected by token_auth, with a curl request for which I forgot to provide a token.

$ curl -H "Authorization: Bearer " -H "Accept: application/json" "http://localhost:5000/my_api_endpoint"
...
web     |   File "/usr/local/lib/python3.11/site-packages/flask_pyoidc/flask_pyoidc.py", line 455, in wrapper
web     |     token_introspection_result = self.introspect_token(
web     |                                  ^^^^^^^^^^^^^^^^^^^^^^
web     |   File "/usr/local/lib/python3.11/site-packages/flask_pyoidc/flask_pyoidc.py", line 388, in introspect_token
web     |     received_access_token = self._parse_access_token(request)
web     |                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
web     |   File "/usr/local/lib/python3.11/site-packages/flask_pyoidc/flask_pyoidc.py", line 362, in _parse_access_token
web     |     _, access_token = request.headers['Authorization'].split(maxsplit=1)

The faulty line is this one: https://github.com/zamzterz/Flask-pyoidc/blob/26b123572cba0b3fa84482c6c0270900042a73c9/src/flask_pyoidc/flask_pyoidc.py#L362

This is reproducible in a REPL:

>>> a, b, = "Bearer ".split(maxsplit=1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ValueError: not enough values to unpack (expected 2, got 1)

infohash commented 7 months ago

I'll add exception handling there to let the user know that it's a bad access token format. I have an open PR which makes a few changes to these methods, I'll add this fix there.
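As an added illustration (not code from Flask-pyoidc or from either commenter), the failing unpack from the traceback is shown next to a hardened parser that turns a missing header, a non-Bearer scheme or an empty token into a 401 response instead of an unhandled ValueError. FakeRequest, InvalidAuthorizationHeader, parse_access_token and authenticate are names assumed for this example only.

```python
import re


class FakeRequest:
    """Constructed stand-in for flask.request; only the dict-like .headers is used."""

    def __init__(self, headers):
        self.headers = headers


class InvalidAuthorizationHeader(ValueError):
    """Raised for a missing or malformed Authorization header."""


def parse_access_token_unsafe(request):
    # Same pattern as the line quoted in the issue: "Bearer " splits into a single
    # element, so the two-name unpack raises ValueError and the endpoint returns a 500.
    _, access_token = request.headers["Authorization"].split(maxsplit=1)
    return access_token


# Hypothetical hardened parser: the scheme name is case-insensitive (RFC 7235) and
# the credential must be a non-empty b64token (RFC 6750 section 2.1).
_BEARER_RE = re.compile(r"^Bearer[ \t]+(?P<token>[A-Za-z0-9._~+/-]+=*)$", re.IGNORECASE)


def parse_access_token(request):
    header = request.headers.get("Authorization")
    if header is None:
        raise InvalidAuthorizationHeader("missing Authorization header")
    match = _BEARER_RE.match(header.strip())
    if match is None:
        raise InvalidAuthorizationHeader('expected "Bearer <token>"')
    return match.group("token")


def authenticate(request):
    """Outcome a token_auth-style wrapper could produce before token introspection:
    a malformed header becomes a 401 carrying an RFC 6750 invalid_request error."""
    try:
        token = parse_access_token(request)
    except InvalidAuthorizationHeader as exc:
        return {"status": 401, "error": "invalid_request", "error_description": str(exc)}
    # Token introspection would happen here; the parsed token is returned for demonstration.
    return {"status": 200, "access_token": token}
```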