Opened 7 years ago

Closed 6 years ago

#28539 closed New feature (wontfix)

REMOTE_USER auth docs (and middleware logging?) should mention that headers with underscores are stripped when using "runserver" command

Reported by: jcmcken
Owned by: Israel Fermín Montilla
Component: Documentation
Version: 1.11
Severity: Normal
Keywords:
Cc: jcmcken, Israel Fermín Montilla
Triage Stage: Ready for checkin
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: yes
UI/UX: no

Description

I seem to run into this slight annoyance every time I dive back into a new Django app using REMOTE_USER auth:

When using the "runserver" command in a development capacity, and a custom middleware that sets the header to "HTTP_REMOTE_USER", remote user auth will fail because of what's mentioned here:

https://github.com/django/django/blob/ad524980ac9644d5d40c2c79af3c183f4351841e/docs/ref/request-response.txt#L164

This should be mentioned or linked explicitly in the REMOTE_USER auth docs. Even better, maybe there should be a security warning logged whenever a header like this is removed, just to make it explicit when examining the runserver STDOUT log.

What might also make this even more explicit is if there was an example in the docs using something like the "curl" command to simulate logins.

Change History (7)

comment:1 by jcmcken, 7 years ago

Cc: jcmcken added
Component: contrib.auth → Documentation
Has patch: set

Proposed patch here.

comment:2 by Israel Fermín Montilla, 7 years ago

Cc: Israel Fermín Montilla added
Owner: changed from nobody to Israel Fermín Montilla
Status: new → assigned
Triage Stage: Unreviewed → Accepted

I think this is a valid addition to the docs; someone checking how to perform Remote User Authentication might not be aware of this behavior and the fact that Django's middleware will normalize everything to uppercase and underscores and also prepend HTTP_ to the header name.

I left just a couple of comments on the pull request.

comment:3 by Israel Fermín Montilla, 7 years ago

Patch needs improvement: set

comment:4 by Israel Fermín Montilla, 7 years ago

The proposed patch diff along with my comments can be found here: https://github.com/jcmcken/django/commit/f9eb8c81d0338ec2f543e45a4681d494a1716459

comment:5 by Israel Fermín Montilla, 6 years ago

Patch needs improvement: unset

comment:6 by Israel Fermín Montilla, 6 years ago

Triage Stage: Accepted → Ready for checkin

comment:7 by Tim Graham, 6 years ago

Resolution: wontfix
Status: assigned → closed

As I commented on the PR, the runserver behavior of stripping underscores is documented in the docs for HttpRequest.META which is linked in the existing sentence. The example of using curl seems outside the scope of Django's documentation.
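
An added illustration of the behaviour this ticket discusses, not code from Django or from the linked patch: a simplified model of how request header names become META keys, and why a development server that drops names containing underscores removes an ambiguity between `Remote-User` and `Remote_User`. The function names and the sample requests are constructed for this example.

```python
# Simplified model of the behaviour discussed in this ticket.
# Added example; this is not Django's own implementation.


def strip_underscore_headers(headers):
    """Model of the runserver filter: drop headers whose name contains '_'."""
    kept, dropped = [], []
    for name, value in headers:
        (dropped if "_" in name else kept).append((name, value))
    return kept, dropped


def to_meta(headers):
    """WSGI-style normalization: uppercase, '-' becomes '_', 'HTTP_' prefix."""
    meta = {}
    for name, value in headers:
        key = "HTTP_" + name.upper().replace("-", "_")
        meta[key] = value  # a later header with the same key overwrites
    return meta


# Constructed sample requests (names and values are made up).
underscore_request = [("Host", "localhost:8000"), ("Remote_User", "alice")]
hyphen_request = [("Host", "localhost:8000"), ("Remote-User", "alice")]
# Both spellings present: a trusted front end sets Remote-User,
# while the client supplied Remote_User itself.
ambiguous_request = [("Remote-User", "alice"), ("Remote_User", "bob")]


def demo():
    results = {}
    kept, dropped = strip_underscore_headers(underscore_request)
    results["underscore_meta"] = to_meta(kept)
    results["underscore_dropped"] = [name for name, _ in dropped]
    kept, _ = strip_underscore_headers(hyphen_request)
    results["hyphen_meta"] = to_meta(kept)
    # Without the filter, both spellings collapse onto one META key.
    results["unfiltered"] = to_meta(ambiguous_request)
    kept, _ = strip_underscore_headers(ambiguous_request)
    results["filtered"] = to_meta(kept)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

In this model the underscore spelling never reaches `HTTP_REMOTE_USER`, which matches the failed login described in the ticket, while the hyphenated spelling does.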
