[PATCH 1 of 5] auth: do not redirect to login page on invalid API key
Mads Kiilerich
mads at kiilerich.com
Wed Mar 25 14:54:19 EDT 2015
On 03/25/2015 12:01 PM, Thomas De Schampheleire wrote:
> # HG changeset patch
> # User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
> # Date 1427269791 -3600
> # Wed Mar 25 08:49:51 2015 +0100
> # Node ID c5828585502f1a061f162abe8cbd181c17039843
> # Parent 6017996e4dcfda0f5623498a45c51bb184eb67bb
> auth: do not redirect to login page on invalid API key
>
> When accessing Kallithea through an API call, providing an API key, it
> doesn't make sense to redirect to a login page on failed authentication.
> Instead, raise a 401 Unauthorized exception.
>
> The WWW-authenticate header is a mandatory element for 401 Unauthorized, as
> specified by RFC 7235. The exact contents do not seem to be important, so
> define a custom auth scheme 'APIKEY' with a realm of 'Kallithea'.
>
> diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
> --- a/kallithea/lib/auth.py
> +++ b/kallithea/lib/auth.py
> @@ -58,6 +58,7 @@
> get_user_group_slug, conditional_cache
> from kallithea.lib.caching_query import FromCache
>
> +from webob.exc import HTTPUnauthorized
>
> log = logging.getLogger(__name__)
>
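Review bot: the new `from webob.exc import HTTPUnauthorized` line is left isolated between two blank lines, just above `log = logging.getLogger(__name__)`, rather than grouped with the import block that ends at `from kallithea.lib.caching_query import FromCache`; move it up into that import group so it is not mistaken for a stray line and the blank-line separation before `log = ...` stays as it was.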
> @@ -763,6 +764,8 @@
> log.debug("API KEY *NOT* present in request")
> else:
> log.warning("API KEY ****%s *NOT* valid" % _api_key[-4:])
> + headers = [('WWW-Authenticate', 'APIKEY realm="Kallithea"')]
The API does not use HTTP authentication. I thus think it is misleading
to return 401 and WWW-Authenticate.
I think it would be better to just fail with 400 Bad Request.
When we don't add headers, we can just use "return abort(400)" as done
elsewhere in the same file.
/Mads
> + raise HTTPUnauthorized(headers=headers)
>
> log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
> reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
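Review bot: the challenge added at `headers = [('WWW-Authenticate', 'APIKEY realm="Kallithea"')]` uses a scheme name, `APIKEY`, that is not a registered HTTP authentication scheme, and the key this branch just rejected (`log.warning("API KEY ****%s *NOT* valid" ...)`) was not supplied through HTTP authentication at all, so a generic client receiving the 401 has nothing it can act on from the header. Either state in the commit message why a made-up scheme is acceptable here, or drop the challenge and answer with a plain client-error status so the response does not advertise an authentication mechanism the server does not implement. The removal of the redirect itself is fine: a failed-key API request should get an error status, not a login page.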
> _______________________________________________
> kallithea-general mailing list
> kallithea-general at sfconservancy.org
> http://lists.sfconservancy.org/mailman/listinfo/kallithea-general