jeans/supervisor
jeans/supervisor
1
0
Fork 0
mirror of https://github.com/home-assistant/supervisor.git synced 2025-07-19 15:16:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Return 401 Unauthorized when using json/url encoded auth fails

Browse Source 
When authentication using JSON payload or URL encoded payload fails,
use the generic HTTP response code 401 Unauthorized instead of 400
Bad Request.

This is a more appropriate response code for authentication errors
and is consistent with the behavior of other authentication methods.
This commit is contained in:
Stefan Agner 2025-04-25 15:37:43 +02:00
parent 0e7e4f8b42
commit 14e2ddc6d3
No known key found for this signature in database
GPG Key ID: AE01353D1E44747D
2 changed files with 13 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
supervisor/api/auth.py
View File

@ -79,13 +79,18 @@ class APIAuth(CoreSysAttributes):
# Json # Json
if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_JSON: if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_JSON:
data = await request.json(loads=json_loads) data = await request.json(loads=json_loads)
return await self._process_dict(request, addon, data) if not await self._process_dict(request, addon, data):
raise HTTPUnauthorized()
return True
# URL encoded # URL encoded
if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_URL: if request.headers.get(CONTENT_TYPE) == CONTENT_TYPE_URL:
data = await request.post() data = await request.post()
return await self._process_dict(request, addon, data) if not await self._process_dict(request, addon, data):
raise HTTPUnauthorized()
return True
# Advertise Basic authentication by default
raise HTTPUnauthorized(headers=REALM_HEADER) raise HTTPUnauthorized(headers=REALM_HEADER)
@api_process @api_process

11
tests/api/test_auth.py
View File

@ -3,6 +3,7 @@
from datetime import UTC, datetime, timedelta from datetime import UTC, datetime, timedelta
from unittest.mock import AsyncMock, patch from unittest.mock import AsyncMock, patch
from aiohttp.hdrs import WWW_AUTHENTICATE
from aiohttp.test_utils import TestClient from aiohttp.test_utils import TestClient
import pytest import pytest
@ -137,8 +138,8 @@ async def test_auth_json_invalid_credentials(
resp = await api_client.post( resp = await api_client.post(
"/auth", json={"username": "test", "password": "wrong"} "/auth", json={"username": "test", "password": "wrong"}
) )
# Do we really want the API to return 400 here? assert WWW_AUTHENTICATE not in resp.headers
assert resp.status == 400 assert resp.status == 401
@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True) @pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
@ -184,8 +185,8 @@ async def test_auth_urlencoded_failure(
data="username=test&password=fail", data="username=test&password=fail",
headers={"Content-Type": "application/x-www-form-urlencoded"}, headers={"Content-Type": "application/x-www-form-urlencoded"},
) )
# Do we really want the API to return 400 here? assert WWW_AUTHENTICATE not in resp.headers
assert resp.status == 400 assert resp.status == 401
@pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True) @pytest.mark.parametrize("api_client", [TEST_ADDON_SLUG], indirect=True)
@ -196,7 +197,7 @@ async def test_auth_unsupported_content_type(
resp = await api_client.post( resp = await api_client.post(
"/auth", data="something", headers={"Content-Type": "text/plain"} "/auth", data="something", headers={"Content-Type": "text/plain"}
) )
# This probably should be 400 here for better consistency assert "Basic realm" in resp.headers[WWW_AUTHENTICATE]
assert resp.status == 401 assert resp.status == 401