Opened 14 months ago

Closed 5 months ago

#28539 closed New feature (wontfix)

REMOTE_USER auth docs (and middleware logging?) should mention that headers with underscores are stripped when using "runserver" command

Reported by: jcmcken Owned by: Israel Fermín Montilla
Component: Documentation Version: 1.11
Severity: Normal Keywords:
Cc: jcmcken, Israel Fermín Montilla Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: yes UI/UX: no

Description

I seem to run into this slight annoyance every time I dive back into a new Django app using REMOTE_USER auth:

When using the "runserver" command in a development capacity, and a custom middleware that sets the header to "HTTP_REMOTE_USER", remote user auth will fail because of what's mentioned here:

https://github.com/django/django/blob/ad524980ac9644d5d40c2c79af3c183f4351841e/docs/ref/request-response.txt#L164

This should be mentioned or linked explicitly in the REMOTE_USER auth docs. Even better, maybe there should be a security warning logged whenever a header like this is removed, just to make it explicit when examining the runserver STDOUT log.

What might also make this even more explicit is if there was an example in the docs using something like the "curl" command to simulate logins.

Change History (7)

comment:1 Changed 14 months ago by jcmcken

Cc: jcmcken added
Component: contrib.authDocumentation
Has patch: set

Proposed patch here.

comment:2 Changed 14 months ago by Israel Fermín Montilla

Cc: Israel Fermín Montilla added
Owner: changed from nobody to Israel Fermín Montilla
Status: newassigned
Triage Stage: UnreviewedAccepted

I think this is a valid addition to the docs, someone checking how to perform Remote User Authentication might not be aware of this behavior and the fact that django's middleware will normalize evetything to uppercase and underscores and also prepend HTTP_ to the header name.

I left just a couple of comments on the pull request.

comment:3 Changed 14 months ago by Israel Fermín Montilla

Patch needs improvement: set

comment:4 Changed 14 months ago by Israel Fermín Montilla

The proposed patch diff along with my comments can be found here: https://github.com/jcmcken/django/commit/f9eb8c81d0338ec2f543e45a4681d494a1716459

comment:5 Changed 5 months ago by Israel Fermín Montilla

Patch needs improvement: unset

comment:6 Changed 5 months ago by Israel Fermín Montilla

Triage Stage: AcceptedReady for checkin

comment:7 Changed 5 months ago by Tim Graham

Resolution: wontfix
Status: assignedclosed

As I commented on the PR, the runserver behavior of stripping underscores is documented in the docs for HttpRequest.META which is linked in the existing sentence. The example of using curl seems outside the scope of Django's documentation.

Note: See TracTickets for help on using tickets.
Back to Top