[Django] #28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers with underscores are stripped when using "runserver" command

Django

Aug 27, 2017, 9:35:50 PM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
----------------------------------------+------------------------
Reporter: jcmcken | Owner: nobody
Type: New feature | Status: new
Component: contrib.auth | Version: 1.11
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Needs documentation: 0 | Needs tests: 0
Patch needs improvement: 0 | Easy pickings: 1
UI/UX: 0 |
----------------------------------------+------------------------
I seem to run into this slight annoyance every time I dive back into a new
Django app using REMOTE_USER auth:

When using the "runserver" command in a development capacity, and a custom
middleware that sets the header to "HTTP_REMOTE_USER", remote user auth
will fail because of what's mentioned here:

https://github.com/django/django/blob/ad524980ac9644d5d40c2c79af3c183f4351841e/docs/ref/request-response.txt#L164

This should be mentioned or linked explicitly in the REMOTE_USER auth
docs. Even better, maybe there should be a security warning logged
whenever a header like this is removed, just to make it explicit when
examining the runserver STDOUT log.

What might also make this even more explicit is if there was an example in
the docs using something like the "curl" command to simulate logins.

--
Ticket URL: <https://code.djangoproject.com/ticket/28539>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Aug 27, 2017, 11:08:57 PM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
-------------------------------+--------------------------------------
Reporter: jcmcken | Owner: nobody
Type: New feature | Status: new
Component: Documentation | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------------------------
Changes (by jcmcken):

* cc: jcmcken (added)
* has_patch: 0 => 1
* component: contrib.auth => Documentation


Comment:

Proposed patch [https://github.com/jcmcken/django/tree/ticket_28539 here].

--
Ticket URL: <https://code.djangoproject.com/ticket/28539#comment:1>

Django

Sep 9, 2017, 7:28:17 AM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
-------------------------------------+-------------------------------------
Reporter: jcmcken | Owner: Israel Fermín Montilla
Type: New feature | Status: assigned
Component: Documentation | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Israel Fermín Montilla):

* cc: Israel Fermín Montilla (added)
* status: new => assigned
* owner: nobody => Israel Fermín Montilla
* stage: Unreviewed => Accepted


Comment:

I think this is a valid addition to the docs, someone checking how to
perform Remote User Authentication might not be aware of this behavior and
the fact that Django's middleware will normalize everything to uppercase
and underscores and also prepend `HTTP_` to the header name.

I left just a couple of comments on the pull request.

--
Ticket URL: <https://code.djangoproject.com/ticket/28539#comment:2>
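
The header handling discussed in the report and in the comment above, as an added example that is not part of the ticket or of Django's code: a simplified model of how a WSGI server maps request headers to environ keys and why a header spelled with an underscore never reaches a REMOTE_USER-style middleware under `runserver`. The function names and sample requests are assumptions made for illustration.

```python
# Simplified model of a WSGI server's header handling (hypothetical names,
# not Django's API). Sample requests below are constructed.

def wsgi_key(header_name):
    """CGI/WSGI normalization: uppercase, '-' becomes '_', prefix HTTP_."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_environ(headers, strip_underscores=True):
    """Map (name, value) header pairs to environ keys.

    With strip_underscores=True, headers whose names contain '_' are dropped
    before normalization, which is the runserver behaviour in the ticket.
    Returns (environ, dropped_header_names).
    """
    environ, dropped = {}, []
    for name, value in headers:
        if strip_underscores and "_" in name:
            dropped.append(name)
            continue
        environ[wsgi_key(name)] = value  # a later duplicate key overwrites
    return environ, dropped


def remote_user(environ, header="HTTP_REMOTE_USER"):
    """Value a middleware configured with `header` would see, or None."""
    return environ.get(header)


UNDERSCORE_REQ = [("Host", "localhost:8000"), ("Remote_User", "alice")]
DASH_REQ = [("Host", "localhost:8000"), ("Remote-User", "alice")]
# Both spellings normalize to the same key, so they cannot be told apart.
AMBIGUOUS_REQ = [("Remote-User", "set-by-proxy"), ("Remote_User", "set-by-client")]

if __name__ == "__main__":
    for label, req in [("underscore", UNDERSCORE_REQ), ("dash", DASH_REQ)]:
        env, dropped = build_environ(req)
        print(label, "->", remote_user(env), "dropped:", dropped)
    for strip in (False, True):
        env, _ = build_environ(AMBIGUOUS_REQ, strip_underscores=strip)
        print("strip_underscores =", strip, "->", remote_user(env))
```

When simulating a login against `runserver` with `curl`, send the dashed spelling, for example `curl -H "Remote-User: alice" http://127.0.0.1:8000/` (the address is an assumed local default); the underscore spelling is dropped before the middleware runs.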

Django

Sep 9, 2017, 7:29:17 AM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
-------------------------------------+-------------------------------------
Reporter: jcmcken | Owner: Israel Fermín Montilla
Type: New feature | Status: assigned
Component: Documentation | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Israel Fermín Montilla):

* needs_better_patch: 0 => 1


--
Ticket URL: <https://code.djangoproject.com/ticket/28539#comment:3>

Django

Sep 9, 2017, 7:34:02 AM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
-------------------------------------+-------------------------------------
Reporter: jcmcken | Owner: Israel Fermín Montilla
Type: New feature | Status: assigned
Component: Documentation | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Israel Fermín Montilla):

The proposed patch diff along with my comments can be found here:
https://github.com/jcmcken/django/commit/f9eb8c81d0338ec2f543e45a4681d494a1716459

--
Ticket URL: <https://code.djangoproject.com/ticket/28539#comment:4>

Django

May 27, 2018, 7:18:19 AM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
-------------------------------------+-------------------------------------
Reporter: jcmcken | Owner: Israel Fermín Montilla
Type: New feature | Status: assigned
Component: Documentation | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Israel Fermín Montilla):

* needs_better_patch: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/28539#comment:5>

Django

May 27, 2018, 7:19:11 AM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
-------------------------------------+-------------------------------------
Reporter: jcmcken | Owner: Israel Fermín Montilla
Type: New feature | Status: assigned
Component: Documentation | Version: 1.11
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Israel Fermín Montilla):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/28539#comment:6>

Django

Jun 8, 2018, 2:20:24 PM
to django-...@googlegroups.com
#28539: REMOTE_USER auth docs (and middleware logging?) should mention that headers
with underscores are stripped when using "runserver" command
-------------------------------------+-------------------------------------
Reporter: jcmcken | Owner: Israel Fermín Montilla
Type: New feature | Status: closed
Component: Documentation | Version: 1.11
Severity: Normal | Resolution: wontfix
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Tim Graham):

* status: assigned => closed
* resolution: => wontfix


Comment:

As I commented on [https://github.com/django/django/pull/9960 the PR], the
`runserver` behavior of stripping underscores is documented in the docs
for `HttpRequest.META` which is linked in the existing sentence. The
example of using `curl` seems outside the scope of Django's documentation.

--
Ticket URL: <https://code.djangoproject.com/ticket/28539#comment:7>
