Opened 7 years ago
Closed 6 years ago
#28539 closed New feature (wontfix)
REMOTE_USER auth docs (and middleware logging?) should mention that headers with underscores are stripped when using "runserver" command
Reported by: | jcmcken | Owned by: | Israel Fermín Montilla |
---|---|---|---|
Component: | Documentation | Version: | 1.11 |
Severity: | Normal | Keywords: | |
Cc: | jcmcken, Israel Fermín Montilla | Triage Stage: | Ready for checkin |
Has patch: | yes | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | yes | UI/UX: | no |
Description
I seem to run into this slight annoyance every time I dive back into a new Django app using REMOTE_USER auth:
When using the "runserver" command in a development capacity, and a custom middleware that sets the header to "HTTP_REMOTE_USER", remote user auth will fail because of what's mentioned here:
This should be mentioned or linked explicitly in the REMOTE_USER auth docs. Even better, maybe there should be a security warning logged whenever a header like this is removed, just to make it explicit when examining the runserver STDOUT log.
What might also make this even more explicit is if there was an example in the docs using something like the "curl" command to simulate logins.
Change History (7)
comment:1 by , 7 years ago
Cc: | added |
---|---|
Component: | contrib.auth → Documentation |
Has patch: | set |
comment:2 by , 7 years ago
Cc: | added |
---|---|
Owner: | changed from | to
Status: | new → assigned |
Triage Stage: | Unreviewed → Accepted |
I think this is a valid addition to the docs, someone checking how to perform Remote User Authentication might not be aware of this behavior and the fact that django's middleware will normalize evetything to uppercase and underscores and also prepend HTTP_
to the header name.
I left just a couple of comments on the pull request.
comment:3 by , 7 years ago
Patch needs improvement: | set |
---|
comment:4 by , 7 years ago
The proposed patch diff along with my comments can be found here: https://github.com/jcmcken/django/commit/f9eb8c81d0338ec2f543e45a4681d494a1716459
comment:5 by , 6 years ago
Patch needs improvement: | unset |
---|
comment:6 by , 6 years ago
Triage Stage: | Accepted → Ready for checkin |
---|
comment:7 by , 6 years ago
Resolution: | → wontfix |
---|---|
Status: | assigned → closed |
As I commented on the PR, the runserver
behavior of stripping underscores is documented in the docs for HttpRequest.META
which is linked in the existing sentence. The example of using curl
seems outside the scope of Django's documentation.
Proposed patch here.