Use getattr for oauth2_error access (#633) (#716)

* Use getattr for oauth2_error access (#633) If the request doesn't have a oauth2_error property the authenticate_header method errors. This can happen when the oauthlib_core.verify_request method raises exceptions in authenticate. It is useful to be able to raise AuthenticationFailed exceptions from within a custom validate_bearer_token method which causes this. * Add Test OAuth2Authentication authenticate override Added a test for if an authenticate method that returns None is used. This should result in a HTTP 401 response for any request.
jazzband · Jun 7, 2019 · f86dfb8 · f86dfb8
1 parent d5da62b
commit f86dfb8
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/oauth2_provider/contrib/rest_framework/authentication.py b/oauth2_provider/contrib/rest_framework/authentication.py
@@ -39,7 +39,8 @@ def authenticate_header(self, request):
         www_authenticate_attributes = OrderedDict([
             ("realm", self.www_authenticate_realm,),
         ])
-        www_authenticate_attributes.update(request.oauth2_error)
+        oauth2_error = getattr(request, "oauth2_error", {})
+        www_authenticate_attributes.update(oauth2_error)
         return "Bearer {attributes}".format(
             attributes=self._dict_to_string(www_authenticate_attributes),
         )
diff --git a/tests/test_rest_framework.py b/tests/test_rest_framework.py
@@ -98,6 +98,13 @@ class TokenHasScopeViewWrongAuth(BrokenOAuth2View):
 class MethodScopeAltViewWrongAuth(BrokenOAuth2View):
     permission_classes = [TokenMatchesOASRequirements]
 
+class AuthenticationNone(OAuth2Authentication):
+    def authenticate(self, request):
+        return None
+
+class AuthenticationNoneOAuth2View(MockView):
+    authentication_classes = [AuthenticationNone]
+
 
 urlpatterns = [
     url(r"^oauth2/", include("oauth2_provider.urls")),
@@ -110,6 +117,7 @@ class MethodScopeAltViewWrongAuth(BrokenOAuth2View):
     url(r"^oauth2-method-scope-test/.*$", MethodScopeAltView.as_view()),
     url(r"^oauth2-method-scope-fail/$", MethodScopeAltViewBad.as_view()),
     url(r"^oauth2-method-scope-missing-auth/$", MethodScopeAltViewWrongAuth.as_view()),
+    url(r"^oauth2-authentication-none/$", AuthenticationNoneOAuth2View.as_view()),
 ]
 
 
@@ -399,3 +407,8 @@ def test_method_scope_alt_missing_scope_attr(self):
         with self.assertRaises(AssertionError) as e:
             self.client.get("/oauth2-method-scope-missing-auth/", HTTP_AUTHORIZATION=auth)
         self.assertTrue("`oauth2_provider.rest_framework.OAuth2Authentication`" in str(e.exception))
+
+    def test_authentication_none(self):
+        auth = self._create_authorization_header(self.access_token.token)
+        response = self.client.get("/oauth2-authentication-none/", HTTP_AUTHORIZATION=auth)
+        self.assertEqual(response.status_code, 401)