Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Headers parsing during Request creation #409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
olemoign opened this issue Mar 15, 2016 · 6 comments
Closed

Headers parsing during Request creation #409

olemoign opened this issue Mar 15, 2016 · 6 comments
Labels
Breaking Breaking change, to go in the next major release. Bug
Milestone
3.0.0

Comments

@olemoign
Copy link

Hi,

I am not sure that what I'm seeing is a bug or the intended behaviour. In common.py, class Request, line 380:
self.headers = CaseInsensitiveDict(encode(headers or {}))
The headers are parsed into a CaseInsensitiveDict, which means self.headers['content-type'], self.headers['Content-Type'] and self.headers['cONteNt-tYpE'] will all return the same value BUT the keys of the dictionary are still the ones with which the items were defined.

Line 386, all the _params are set to None, with full lower case keys.

Then line 406
self._params.update(self.headers)
So if some _params were set in the headers they should update the values here. Problem is, the headers all have first-letter capitalization. So passing a token through header will lead to have

self._params
    {"token": None, "Token": token_value}

request.token
    None

Is this the intended behaviour ? I guess not.
@skion skion added this to the 3.0.0 milestone Jul 1, 2018
@JonathanHuot
Copy link
Member

Doing self._params.update(self.headers) is the wrong thing.
We already have request.headers available, and we use it.

I suggest to remove this ability to read HTTP headers from request root attributes. If someone want the headers, it uses request.headers['Token'], and not request.token because they MUST be different.

@JonathanHuot JonathanHuot mentioned this issue Aug 17, 2018
Merged
@JonathanHuot JonathanHuot added Breaking Breaking change, to go in the next major release. Bug labels Aug 17, 2018
@JonathanHuot
Copy link
Member

I tag this one "bug" because a HTTP Header must not override the payload attribute.

e.g. curl ../authorize -d redirect_uri=foo -H 'redirect_uri=bar' will use bar instead of foo

@olemoign
Copy link
Author

I'm not sure I agree with your conclusion. 2 reasons:

  • if we apply your logic, there also is request.body and request.url_query so why update _params with them ?
  • more importantly, I see that the validators use request attributes (client_id, scopes, etc.). So by doing this, you are removing the possibility of passing OAuth data through headers.

@JonathanHuot
Copy link
Member

For 1. each _params is an OAuth valid parameter (client_id, redirect_uri, ...). So the logic is to copy all OAuth data coming from body and URL query into the request attributes.

For 2. The only case where I see OAuth data passing through HTTP Headers is OAuth1 via Authorization header, but oauthlib have specific code handling this (see oauth1..base.py ).

Does it make sense ?

@skion
Copy link
Member

skion commented Aug 20, 2018

I agree we should prevent headers and body/query params overwriting each other.

Re 2. All headers would still be accessible to the validator functions via the request.headers dictionary?

@olemoign
Copy link
Author

Ok, makes sense.

@JonathanHuot JonathanHuot mentioned this issue Dec 3, 2018
Closed
23 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Breaking Breaking change, to go in the next major release. Bug
Projects
None yet
Milestone
3.0.0
Development

No branches or pull requests
3 participants
@skion @JonathanHuot @olemoign