#37025: Deprecate the prefixing of HTTP_ to header names in
RemoteUserMiddleware.aprocess_request()
------------------------------+---------------------------------------
Reporter: Jacob Walls | Owner: Jacob Walls
Type: Bug | Status: assigned
Component: contrib.auth | Version: 5.2
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
------------------------------+---------------------------------------
Comment (by Jacob Walls):
The flows work, but if we leave the status quo alone, this documented
blurb is not correct for ASGI:
> you can subclass `RemoteUserMiddleware` and set the `header` attribute
to the desired `request.META` key.
Under ASGI, you are forced to use a header attribute that is unprefixed --
if it is prefixed, it will be double-prefixed in `request.META`. Our
existing test case accepts the double-prefix route:
{{{#!py
from django.contrib.auth.middleware import RemoteUserMiddleware


class CustomHeaderMiddleware(RemoteUserMiddleware):
    """
    Middleware that overrides custom HTTP auth user header.
    """

    # Already carries the HTTP_ prefix; under ASGI the lookup is
    # prefixed again, so the META key that matches is HTTP_HTTP_AUTHUSER.
    header = "HTTP_AUTHUSER"
}}}
When those test cases run, the client sends `HTTP_AUTHUSER = ...`, so
`request.META` gets `HTTP_HTTP_AUTHUSER`.
That doesn't look right, and I doubt anybody is doing this, so I was
interested to discuss a code change. However, a better idea than forcing
ASGI projects to subclass the middleware would be to perform the lookup
against `self.headers`, which already supports lookups by unprefixed
header names. This is a little more defensible to document, I feel. The
only behavior change would be that an ASGI-only project could now set
`header = "WITH-HYPHENS"` and benefit from a more flexible lookup, which
is backward compatible.
On the security list, Jake suggested roughly, "If we're doing a
deprecation, let's change both WSGI/ASGI paths to use `self.headers` to
have consistency". I think we can punt on whether to do a deprecation
here, and just start with the docs fix paired with the more flexible
lookup. I'll put up a PR to aid triage.
--
Ticket URL: <https://code.djangoproject.com/ticket/37025#comment:9>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
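To make the prefix collision in the comment above concrete, here is an added, stand-alone model of the two lookup paths. It is illustration code, not Django's own code and not part of the ticket: `asgi_meta` and `header_view` are simplified re-implementations of the translation rules in `ASGIRequest` and `HttpHeaders`, `test_client_scope_headers` mimics how `AsyncRequestFactory` turns `extra` kwargs into scope headers, and `lookup_current` / `lookup_proposed` stand in for the current (HTTP_-prefixing) and proposed (`self.headers`) behaviour of `aprocess_request` as the ticket describes them. All of those names and the scope headers are constructed for the example.

```python
"""Model of how RemoteUserMiddleware's ``header`` resolves under ASGI.

Added illustration, not Django's code: the META translation and the headers
view are simplified re-implementations of the rules in ASGIRequest and
HttpHeaders, and the two lookup functions stand in for the current and the
proposed ``aprocess_request`` behaviour described in the ticket (assumptions).
"""


def asgi_meta(scope_headers):
    """Translate ASGI scope headers [(b"name", b"value"), ...] to META keys.

    Every header is prefixed with HTTP_ except content-length/content-type,
    which keep their CGI names (simplified re-implementation, assumption).
    """
    meta = {}
    for raw_name, raw_value in scope_headers:
        name = raw_name.decode("latin1")
        if name == "content-length":
            key = "CONTENT_LENGTH"
        elif name == "content-type":
            key = "CONTENT_TYPE"
        else:
            key = "HTTP_%s" % name.upper().replace("-", "_")
        meta[key] = raw_value.decode("latin1")
    return meta


def test_client_scope_headers(**extra):
    """Mimic AsyncRequestFactory turning ``extra`` kwargs into scope headers
    (assumption: lower-cased key, latin-1 value, no HTTP_ stripping)."""
    return [(k.lower().encode("ascii"), v.encode("latin1")) for k, v in extra.items()]


def header_view(meta):
    """Build a prefix-free, case-insensitive view like request.headers.

    ``HTTP_X_FOO`` becomes ``x-foo``; CONTENT_TYPE/CONTENT_LENGTH are kept;
    other META keys (REMOTE_USER, PATH_INFO, ...) are not headers at all.
    """
    view = {}
    for key, value in meta.items():
        if key.startswith("HTTP_"):
            name = key[len("HTTP_"):]
        elif key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            name = key
        else:
            continue
        view[name.replace("_", "-").lower()] = value
    return view


def lookup_current(meta, header):
    """Current ASGI path as the ticket describes it: HTTP_ is prepended to
    ``header`` before the META lookup (assumption about the exact form)."""
    return meta.get("HTTP_%s" % header)


def lookup_proposed(meta, header):
    """Proposed path: look ``header`` up in the prefix-free view, accepting
    underscores for hyphens and any case, like HttpHeaders.__getitem__."""
    return header_view(meta).get(header.replace("_", "-").lower())


def demo():
    results = {}
    # 1. The existing test: client sends extra HTTP_AUTHUSER, header = "HTTP_AUTHUSER".
    meta = asgi_meta(test_client_scope_headers(HTTP_AUTHUSER="alice"))
    results["test_client_meta_key"] = list(meta)  # ['HTTP_HTTP_AUTHUSER']
    results["test_client_current"] = lookup_current(meta, "HTTP_AUTHUSER")  # 'alice', via the double prefix

    # 2. A real upstream proxy sends ``authuser: alice`` (constructed scope).
    meta = asgi_meta([(b"authuser", b"alice"), (b"content-type", b"text/plain")])
    results["real_meta_key"] = sorted(meta)  # ['CONTENT_TYPE', 'HTTP_AUTHUSER']
    results["real_current_prefixed"] = lookup_current(meta, "HTTP_AUTHUSER")  # None: nobody is logged in
    results["real_current_unprefixed"] = lookup_current(meta, "AUTHUSER")  # 'alice'
    results["real_proposed"] = lookup_proposed(meta, "AUTHUSER")  # 'alice'

    # 3. A hyphenated header name only resolves through the headers view.
    meta = asgi_meta([(b"x-forwarded-user", b"bob")])
    results["hyphen_current"] = lookup_current(meta, "X-Forwarded-User")  # None: META key is HTTP_X_FORWARDED_USER
    results["hyphen_proposed"] = lookup_proposed(meta, "X-Forwarded-User")  # 'bob'
    results["hyphen_proposed_underscore"] = lookup_proposed(meta, "X_FORWARDED_USER")  # 'bob'
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Case 2 is the one a deployer will hit: the subclass from the test passes only because the test client itself produces the double prefix, while a real proxy header `authuser` lands in META as `HTTP_AUTHUSER` and the prefixed lookup silently finds nothing. The failure is at least closed (no user is set), but it is indistinguishable from a proxy that never sent the header. Note also that the proposed lookup never sees `REMOTE_USER`, since it is not an HTTP header in either META or the headers view.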