Don't check for auth token during OPTIONS preflight #258
Conversation
kernel_gateway/mixins.py
Outdated
| @@ -65,7 +65,7 @@ def prepare(self): | |||
| package. | |||
| """ | |||
| server_token = self.settings.get('kg_auth_token') | |||
| if server_token: | |||
| if (server_token != '') & (self.request.method != 'OPTIONS'): | |||
There was a problem hiding this comment.
That should be and instead of &. Python uses keywords for logical operators.
https://docs.python.org/2/library/stdtypes.html#boolean-operations-and-or-not
https://docs.python.org/2/library/stdtypes.html#bitwise-operations-on-integer-types
There was a problem hiding this comment.
Not sure if != '' is the correct check here. Could server_token be None instead of the empty string?
There was a problem hiding this comment.
if server_token and self.request.method != 'OPTIONS':
There was a problem hiding this comment.
Also looks like a test is failing because self.request does not exist.
Traceback (most recent call last):
File "/home/travis/build/jupyter/kernel_gateway/kernel_gateway/tests/test_mixins.py", line 49, in test_no_token_required
self.mixin.prepare()
File "/home/travis/build/jupyter/kernel_gateway/kernel_gateway/mixins.py", line 68, in prepare
if (server_token != '') & (self.request.method != 'OPTIONS'):
AttributeError: 'TestableTokenAuthHandler' object has no attribute 'request'
|
@SimonBiggs thanks for submitting this. I'm a little miffed why If you get stuck debugging the syntax and test problems, feel free to ping for help. |
|
Thanks for the feedback. In https://github.com/jupyter/kernel_gateway/blob/master/kernel_gateway/gatewayapp.py the following is given: @default('auth_token')
def _auth_token_default(self):
return os.getenv(self.auth_token_env, '')I think that makes it so that if auth_token isn't defined it will always be ''. I can explicitly test against '' or if I swap to using logical and instead of & I will also just be able to leave it as I'll update the pull request soon to account for non existing |
|
Is there a way to mock CORS requests within nose? I don't really know where to begin. Anyway, I'm just writing a test to cover this case with OPTIONS, however it would be nice to also test CORS + authentication token directly. |
| @@ -150,6 +150,20 @@ def _set_api(): | |||
| self.assertRaises(ImportError, _set_api) | |||
|
|
|||
| @gen_test | |||
| def test_options_and_auth_token(self): | |||
| "OPTIONS requests should not need to submit a token." | |||
There was a problem hiding this comment.
Make this triple-quoted so that it's a canonical docstring.
|
I haven't ever tried to mock a CORS request with Python. I think the test you've added to see if OPTIONS succeeds when a token is set provides enough test coverage and value. |
|
@parente Thanks for that. |
kernel_gateway/mixins.py
Outdated
| @@ -64,8 +64,14 @@ def prepare(self): | |||
| with the `@web.authenticated` decorated methods in the notebook | |||
| package. | |||
| """ | |||
| request_is_options = False | |||
| if 'request' in dir(self): | |||
There was a problem hiding this comment.
This check is not needed, see my latest comment in the conversation.
(original review comment here:)
I'm not too firm in Python myself, but I think the calls to dir() are creating two temporary lists in this section, just to check whether there are attributes. Try the following instead (I haven't checked the exact syntax):
request_is_options = hasattr(self, 'request') and getattr(self.request, 'method', '') == 'OPTIONS'https://stackoverflow.com/a/610893/5629418
https://stackoverflow.com/a/611708/5629418
This could also be inlined below as
if server_token and not (...):But looking further below, client_token is also read from self.request without checking whether that exists, and a request without method wouldn't make any sense. I agree with @parente that it is probably a problem with the test setup if self.request doesn't exist.
| @@ -150,6 +150,20 @@ def _set_api(): | |||
| self.assertRaises(ImportError, _set_api) | |||
|
|
|||
| @gen_test | |||
| def test_options_and_auth_token(self): | |||
There was a problem hiding this comment.
Could you please rename this to test_options_without_auth_token?
|
I found the error message after all... That's not from a Tornado test, but from some mock I set up to test the auth handler. There is exactly one test which doesn't set the @SimonBiggs, could you please just copy the |
|
@SimonBiggs: On second thought, could you add another test case for OPTIONS to the |
|
@parente: I'll leave the final look and merge to you, in case I missed something. |
|
LGTM to me. Thanks @SimonBiggs for the code and tests. 🍰 for your first contrib here. |
|
Thanks :). It's a pleasure :). Might this be able to be pushed out in a patch version release to pip? |
Details provided within #257