Fixes for auth header checking.

2025-01-23 15:54:16 +03:00 · 2013-03-08 22:56:24 +00:00 · 2013-03-08 22:56:24 +00:00 · 2596c12a21
commit 2596c12a21
parent 1016c14a8a
2 changed files with 9 additions and 6 deletions
--- a/rest_framework/authentication.py
+++ b/rest_framework/authentication.py
@ -63,7 +63,8 @@ class BasicAuthentication(BaseAuthentication):

        if len(auth) == 1:
            msg = 'Invalid basic header. No credentials provided.'
-        if len(auth) > 2:
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
            msg = 'Invalid basic header. Credentials string should not contain spaces.'
            raise exceptions.AuthenticationFailed(msg)

@ -144,12 +145,13 @@ class TokenAuthentication(BaseAuthentication):
    def authenticate(self, request):
        auth = get_authorization_header(request).split()

-        if not auth or auth[0].lower() != "token":
+        if not auth or auth[0].lower() != b'token':
            return None

        if len(auth) == 1:
            msg = 'Invalid token header. No credentials provided.'
-        if len(auth) > 2:
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
            msg = 'Invalid token header. Token string should not contain spaces.'
            raise exceptions.AuthenticationFailed(msg)

@ -293,12 +295,13 @@ class OAuth2Authentication(BaseAuthentication):

        auth = get_authorization_header(request).split()

-        if not auth or auth[0].lower() != 'bearer':
+        if not auth or auth[0].lower() != b'bearer':
            return None

        if len(auth) == 1:
            msg = 'Invalid bearer header. No credentials provided.'
-        if len(auth) > 2:
+            raise exceptions.AuthenticationFailed(msg)
+        elif len(auth) > 2:
            msg = 'Invalid bearer header. Token string should not contain spaces.'
            raise exceptions.AuthenticationFailed(msg)

--- a/rest_framework/tests/authentication.py
+++ b/rest_framework/tests/authentication.py
@ -159,7 +159,7 @@ class TokenAuthTests(TestCase):

    def test_post_form_passing_token_auth(self):
        """Ensure POSTing json over token auth with correct credentials passes and does not require CSRF"""
-        auth = "Token " + self.key
+        auth = 'Token ' + self.key
        response = self.csrf_client.post('/token/', {'example': 'example'}, HTTP_AUTHORIZATION=auth)
        self.assertEqual(response.status_code, status.HTTP_200_OK)