[PATCH 1 of 5] auth: do not redirect to login page on invalid API key

Thomas De Schampheleire patrickdepinguin at gmail.com
Wed Mar 25 07:01:29 EDT 2015


# HG changeset patch
# User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
# Date 1427269791 -3600
#      Wed Mar 25 08:49:51 2015 +0100
# Node ID c5828585502f1a061f162abe8cbd181c17039843
# Parent  6017996e4dcfda0f5623498a45c51bb184eb67bb
auth: do not redirect to login page on invalid API key

When accessing Kallithea through an API call, providing an API key, it
doesn't make sense to redirect to a login page on failed authentication.
Instead, raise a 401 Unauthorized exception.

The WWW-authenticate header is a mandatory element for 401 Unauthorized, as
specified by RFC 7235. The exact contents do not seem to be important, so
define a custom auth scheme 'APIKEY' with a realm of 'Kallithea'.

diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -58,6 +58,7 @@
     get_user_group_slug, conditional_cache
 from kallithea.lib.caching_query import FromCache
 
+from webob.exc import HTTPUnauthorized
 
 log = logging.getLogger(__name__)
 
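Review bot: the new `from webob.exc import HTTPUnauthorized` line sits on its own after the blank line that closes the import section, so it reads as module-level code rather than an import; group it with the other imports instead, and since webob is a third-party package it conventionally goes above the project's own `kallithea.lib...` imports rather than after them.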
@@ -763,6 +764,8 @@
                     log.debug("API KEY *NOT* present in request")
                 else:
                     log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])
+                    headers = [('WWW-Authenticate', 'APIKEY realm="Kallithea"')]
+                    raise HTTPUnauthorized(headers=headers)
 
         log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
         reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
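Review bot: the 401 is raised only in the `else` branch where an API key is present but invalid; the `API KEY *NOT* present` branch just above still falls through to the existing `Checking if ... is authenticated` path and its login redirect, which matches the commit message but is worth a one-line comment at the raise so a later reader knows the asymmetry is deliberate. Consider also hoisting `[('WWW-Authenticate', 'APIKEY realm="Kallithea"')]` into a module-level constant rather than rebuilding the list on every failed attempt. The warning above the raise logs only the last four characters of the key, which correctly keeps the full secret out of the logs.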

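The three outcomes the patch distinguishes, as an added stand-alone illustration that is not Kallithea's code and does not use webob: a minimal WSGI app that answers a request with a valid key, an invalid key, or no key at all. The `api_key` query parameter, the login URL and the accepted key are assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample: the only key the stub accepts (not a real Kallithea key).
VALID_API_KEYS = {"constructed-valid-key-0001"}
LOGIN_URL = "/_admin/login"  # assumed location of the browser login page
WWW_AUTH = 'APIKEY realm="Kallithea"'  # the header value the patch sends


def check_request(environ):
    """Decide how to answer a request, mirroring the patched auth flow.

    - API key present and valid   -> 200, request proceeds
    - API key present but invalid -> 401 with WWW-Authenticate, no redirect
    - no API key at all           -> 302 redirect to the login page
    Returns (status, headers) so the decision can be inspected without a server.
    """
    params = parse_qs(environ.get("QUERY_STRING", ""))
    api_key = params.get("api_key", [None])[0]  # assumed parameter name
    if api_key is None:
        # Browser-style request: the login redirect is still the right answer.
        return "302 Found", [("Location", LOGIN_URL)]
    if api_key not in VALID_API_KEYS:
        # Log only a suffix, as the original code does, never the full secret.
        print("API KEY ****%s *NOT* valid" % api_key[-4:])
        # RFC 7235 requires WWW-Authenticate on a 401; an API client can act
        # on the status code, whereas an HTML login page would be useless to it.
        return "401 Unauthorized", [("WWW-Authenticate", WWW_AUTH)]
    return "200 OK", []


def app(environ, start_response):
    """WSGI entry point wrapping check_request."""
    status, headers = check_request(environ)
    start_response(status, headers + [("Content-Type", "text/plain")])
    return [status.encode("ascii")]
```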
