aaugustin/django-sesame

Authenticate url_auth_token=None

Closed this issue · 2 comments

I am getting the following error when authenticate is called in another third-party library and the authentication is not valid, so it moves on to the next backend, which is sesame, and there is no url_auth_token.

TypeError in sesame.backends.ModelBackend, here's the traceback before Django swallows it:
Traceback (most recent call last):
  File "/usr/local/lib/python3.7/site-packages/sesame/backends.py", line 106, in authenticate
    return self.parse_token(url_auth_token)
  File "/usr/local/lib/python3.7/site-packages/sesame/backends.py", line 75, in parse_token
    data = self.unsign(token)
  File "/usr/local/lib/python3.7/site-packages/sesame/backends.py", line 52, in unsign
    data = self.signer.unsign(token, max_age=self.max_age)
  File "/usr/local/lib/python3.7/site-packages/django/core/signing.py", line 187, in unsign
    result = super().unsign(value)
  File "/usr/local/lib/python3.7/site-packages/django/core/signing.py", line 165, in unsign
    if self.sep not in signed_value:
TypeError: argument of type 'NoneType' is not iterable

I would suggest handling if url_auth_token is None, then just returning like the following:

backends.py

def authenticate(self, request, url_auth_token=None):
    """
    Check the token and return the corresponding user.
    """
    # SEE THIS BLOCK HERE
    if url_auth_token is None:
        return
    # End of block
    try:
        return self.parse_token(url_auth_token)
    except TypeError:
        backend = "%s.%s" % (self.__module__, self.__class__.__name__)
        logger.exception(
            "TypeError in %s, here's the traceback before Django swallows it:", backend
        )
        raise

Let me know what you think and if there is a reason for the way it is now. Thanks!

First, the logger.exception call is a workaround for a bug that was fixed in Django 1.7. I removed it.

Then, in the latest release, any exception occurring in data = self.unsign(token) should be caught here: https://github.com/aaugustin/django-sesame/blob/1.7/sesame/backends.py#L131-L136. What version of django-sesame are you using?

Finally, can you confirm that the offending call is UrlAuthBackendMixin.authenticate(request) (rather than UrlAuthBackendMixin.authenticate(request, None) or UrlAuthBackendMixin.authenticate(request, url_auth_token=None))? I just pushed a commit that fixes the issue, provided this assumption is correct.

And thanks for the bug report :-)
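The failure discussed in this thread, as an added example that is not django-sesame's or Django's code: a backend whose token parameter defaults to None still matches a call that carries no token, so it has to reject a missing token itself before the value reaches the signer. All names here (KEY, sign, unsign, dispatch, the two backend classes) are hypothetical; the HMAC signer is a toy stand-in for Django's, and dispatch is a simplified model of a backend loop that skips backends whose signature does not accept the credentials.

```python
import hashlib
import hmac
import inspect

KEY = b"constructed-demo-key"  # constructed value, not a real secret

def sign(value):
    # Toy stand-in for a signer: "value:hexmac".
    mac = hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"

def unsign(token):
    if ":" not in token:  # TypeError when token is None, as in the traceback
        raise ValueError("no separator")
    value, mac = token.rsplit(":", 1)
    expected = sign(value).rsplit(":", 1)[1]
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("bad signature")
    return value

class UnguardedBackend:
    def authenticate(self, request, url_auth_token=None):
        return unsign(url_auth_token)

class GuardedBackend:
    def authenticate(self, request, url_auth_token=None):
        # Fail closed on a missing or non-string token before signing code sees it.
        if not isinstance(url_auth_token, str):
            return None
        try:
            return unsign(url_auth_token)
        except ValueError:
            return None  # malformed or forged token: no user, no exception

def dispatch(backends, request=None, **credentials):
    # Assumed model of the backend loop: bind the credentials to each
    # backend's signature, skip on mismatch, return the first user found.
    for backend in backends:
        try:
            inspect.signature(backend.authenticate).bind(request, **credentials)
        except TypeError:
            continue
        user = backend.authenticate(request, **credentials)
        if user is not None:
            return user
    return None
```
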