Opened 3 months ago

Last modified 2 months ago

#28539 assigned New feature

REMOTE_USER auth docs (and middleware logging?) should mention that headers with underscores are stripped when using "runserver" command

Reported by: jcmcken Owned by: Israel Fermín Montilla
Component: Documentation Version: 1.11
Severity: Normal Keywords:
Cc: jcmcken, Israel Fermín Montilla Triage Stage: Accepted
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: yes
Easy pickings: yes UI/UX: no

Description

I seem to run into this slight annoyance every time I dive back into a new Django app using REMOTE_USER auth:

When using the "runserver" command in a development capacity, and a custom middleware that sets the header to "HTTP_REMOTE_USER", remote user auth will fail because of what's mentioned here:

https://github.com/django/django/blob/ad524980ac9644d5d40c2c79af3c183f4351841e/docs/ref/request-response.txt#L164

This should be mentioned or linked explicitly in the REMOTE_USER auth docs. Even better, maybe there should be a security warning logged whenever a header like this is removed, just to make it explicit when examining the runserver STDOUT log.

What might also make this even more explicit is if there was an example in the docs using something like the "curl" command to simulate logins.

Change History (4)

comment:1 Changed 3 months ago by jcmcken

Cc: jcmcken added
Component: contrib.auth → Documentation
Has patch: set

Proposed patch here.

comment:2 Changed 2 months ago by Israel Fermín Montilla

Cc: Israel Fermín Montilla added
Owner: changed from nobody to Israel Fermín Montilla
Status: new → assigned
Triage Stage: Unreviewed → Accepted

I think this is a valid addition to the docs; someone checking how to perform Remote User Authentication might not be aware of this behavior and the fact that Django's middleware will normalize everything to uppercase and underscores and also prepend HTTP_ to the header name.

I left just a couple of comments on the pull request.
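As an added illustration (not Django's code and not part of the ticket or its patch), the following Python mimics the header-name normalization described in the comment above and the runserver rule from the docs linked in the description: any header whose name contains an underscore is discarded before the dash-to-underscore rewrite, so two spellings cannot collide on one META key. The logged warning is the reporter's suggestion, and the sample headers are constructed.

```python
import logging

log = logging.getLogger("demo.wsgi_headers")


def wsgi_header_key(name):
    """CGI/WSGI naming: 'Remote-User' becomes 'HTTP_REMOTE_USER'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_meta(raw_headers, strip_underscored=True):
    """Turn raw (name, value) header pairs into a META-style dict.

    With strip_underscored=True this mimics the runserver rule from the linked
    docs: a header whose *name* contains an underscore is discarded before the
    dash-to-underscore normalisation, so 'Remote_User' can never land on the
    same META key as 'Remote-User'. Dropped names are logged as a warning,
    which is what the ticket asks for (illustration only, not Django's code).
    """
    meta, dropped = {}, []
    for name, value in raw_headers:
        if strip_underscored and "_" in name:
            dropped.append(name)
            log.warning("dropping header %r: underscores are not allowed in header names", name)
            continue
        key = wsgi_header_key(name)
        # A repeated header is joined with a comma, as WSGI servers do, so
        # without stripping two spellings would silently merge into one value.
        meta[key] = value if key not in meta else meta[key] + "," + value
    return meta, dropped


def remote_user(meta, header="REMOTE_USER"):
    """What RemoteUserMiddleware reads: META[header], or None when absent."""
    return meta.get(header)


# Constructed sample request: the dashed spelling that survives, and the
# underscored spelling (what `curl -H "Remote_User: bob"` sends) that is dropped.
SAMPLE_HEADERS = [
    ("Host", "localhost:8000"),
    ("Remote-User", "alice"),
    ("Remote_User", "bob"),
]

if __name__ == "__main__":
    meta, dropped = build_meta(SAMPLE_HEADERS)
    print("dropped:", dropped)                                       # ['Remote_User']
    print("custom header:", remote_user(meta, "HTTP_REMOTE_USER"))  # alice
    print("default header:", remote_user(meta))                      # None
```

Running it with `strip_underscored=False` shows the ambiguity the rule prevents: both spellings merge into `HTTP_REMOTE_USER = "alice,bob"`, and the `None` on the last line is why the ticket's custom middleware has to point at `HTTP_REMOTE_USER` rather than the default `REMOTE_USER`.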

comment:3 Changed 2 months ago by Israel Fermín Montilla

Patch needs improvement: set

comment:4 Changed 2 months ago by Israel Fermín Montilla

The proposed patch diff along with my comments can be found here: https://github.com/jcmcken/django/commit/f9eb8c81d0338ec2f543e45a4681d494a1716459
