Authenticate url_auth_token=None
Closed this issue · 2 comments
I am getting the following error when authenticate is being called in another third-party library and the authentication is not valid, so it moves on to the next backend, which is sesame, and there is no url_auth_token.
TypeError in sesame.backends.ModelBackend, here's the traceback before Django swallows it:
    Traceback (most recent call last):
      File "/usr/local/lib/python3.7/site-packages/sesame/backends.py", line 106, in authenticate
        return self.parse_token(url_auth_token)
      File "/usr/local/lib/python3.7/site-packages/sesame/backends.py", line 75, in parse_token
        data = self.unsign(token)
      File "/usr/local/lib/python3.7/site-packages/sesame/backends.py", line 52, in unsign
        data = self.signer.unsign(token, max_age=self.max_age)
      File "/usr/local/lib/python3.7/site-packages/django/core/signing.py", line 187, in unsign
        result = super().unsign(value)
      File "/usr/local/lib/python3.7/site-packages/django/core/signing.py", line 165, in unsign
        if self.sep not in signed_value:
    TypeError: argument of type 'NoneType' is not iterable
I would suggest handling if url_auth_token is None, then just returning like the following:
backends.py
    def authenticate(self, request, url_auth_token=None):
        """
        Check the token and return the corresponding user.
        """
        # SEE THIS BLOCK HERE
        if url_auth_token is None:
            return
        # End of block
        try:
            return self.parse_token(url_auth_token)
        except TypeError:
            backend = "%s.%s" % (self.__module__, self.__class__.__name__)
            logger.exception(
                "TypeError in %s, here's the traceback before Django swallows it:", backend
            )
            raise
Let me know what you think and if there is a reason for the way it is now. Thanks!
First, the logger.exception call is a workaround for a bug that was fixed in Django 1.7. I removed it.
Then, in the latest release, any exception occurring in data = self.unsign(token) should be caught here: https://github.com/aaugustin/django-sesame/blob/1.7/sesame/backends.py#L131-L136. What version of django-sesame are you using?
Finally, can you confirm that the offending call is UrlAuthBackendMixin.authenticate(request) (rather than UrlAuthBackendMixin.authenticate(request, None) or UrlAuthBackendMixin.authenticate(request, url_auth_token=None))? I just pushed a commit that fixes the issue, provided this assumption is correct.
And thanks for the bug report :-)
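
The failure mode discussed in this thread, as an added example that is not part of the issue or of django-sesame's code. It uses a simplified, stdlib-only model of the backend loop and an HMAC stand-in for Django's signer (all class and function names here are hypothetical) to show that a call with no credentials still reaches a backend whose token argument defaults to None, and that a guarded backend fails closed instead of raising.

```python
import hashlib
import hmac
import inspect

SECRET = b"constructed-demo-key"  # constructed value for this example only
SEP = ":"

def _mac(value):
    return hmac.new(SECRET, value.encode(), hashlib.sha256).hexdigest()

def sign(value):
    return value + SEP + _mac(value)

def unsign(signed_value):
    # Same shape as the failing check in the traceback: `in` on None raises TypeError.
    if SEP not in signed_value:
        raise ValueError("missing separator")
    value, mac = signed_value.rsplit(SEP, 1)
    if not hmac.compare_digest(_mac(value).encode(), mac.encode()):
        raise ValueError("bad signature")
    return value

class UnguardedBackend:
    def authenticate(self, request, url_auth_token=None):
        return unsign(url_auth_token)

class GuardedBackend:
    def authenticate(self, request, url_auth_token=None):
        if not isinstance(url_auth_token, str):
            return None  # no token supplied: nothing for this backend to check
        try:
            return unsign(url_auth_token)
        except ValueError:
            return None  # malformed or tampered token: fail closed

def authenticate(backends, request=None, **credentials):
    # Simplified model (assumption): skip backends whose signature rejects the credentials.
    for backend in backends:
        try:
            inspect.signature(backend.authenticate).bind(request, **credentials)
        except TypeError:
            continue  # e.g. username/password offered to a token-only backend
        user = backend.authenticate(request, **credentials)
        if user is not None:
            return user
    return None
```
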