Merge pull request #282 from lsst-sqre/tickets/DM-31056

[DM-31056] Do not send full name in HTTP headers
lsst-sqre · Jul 14, 2021 · 2e37142 · 2e37142
2 parents 3b9b71f + 5ee25ed
commit 2e37142
Show file tree

Hide file tree

Showing 6 changed files with 241 additions and 222 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -2,14 +2,18 @@
 Change log
 ##########
 
-3.2.0 (unreleased)
+3.2.0 (2021-07-14)
 ==================
 
 - Return HTML errors from login failures instead of JSON.
   The HTML is currently entirely unstyled.
   Add a new Helm configuration option, ``config.errorFooter``, that is included in the HTML of any error message that is shown.
 - Fail authentication and show an error if the user is not a member of any of the groups configured in ``config.groupMapping``.
 - Revoke the GitHub OAuth authorization if the login fails due to no known groups or an invalid username, since in both cases we want to force GitHub to redo the attribute release.
+- HTTP headers are not guaranteed to support character sets other than ASCII, and Starlette forces them to ISO 8859-1.
+  This interferes with correctly passing the user's full name to protected services via HTTP headers.
+  Therefore, drop support for sending the user's full name via ``X-Auth-Request-Name``.
+  The name can still be retrieved from the ``/auth/api/v1/user-info`` API endpoint.
 
 3.1.0 (2021-07-06)
 ==================

diff --git a/docs/applications.rst b/docs/applications.rst
@@ -159,9 +159,6 @@ The value of that annotation is a comma-separated list of desired headers.
 ``X-Auth-Request-User``
     The username of the authenticated user.
 
-``X-Auth-Request-Name``
-    The name of the authenticated user, if available.
-
 ``X-Auth-Request-Email``
     The email address of the authenticated user, if available.
 

diff --git a/src/gafaelfawr/handlers/auth.py b/src/gafaelfawr/handlers/auth.py
@@ -225,8 +225,6 @@ async def get_auth(
     X-Auth-Request-Client-Ip
         The IP address of the client, as determined after parsing
         ``X-Forwarded-For`` headers.
-    X-Auth-Request-Name
-        The full name of the authenticated user, if known.
     X-Auth-Request-Email
         The email address of the authenticated user, if known.
     X-Auth-Request-User
@@ -357,8 +355,6 @@ async def build_success_headers(
         "X-Auth-Request-Token-Scopes": " ".join(sorted(token_data.scopes)),
         "X-Auth-Request-User": token_data.username,
     }
-    if token_data.name:
-        headers["X-Auth-Request-Name"] = token_data.name
     if token_data.email:
         headers["X-Auth-Request-Email"] = token_data.email
     if token_data.uid:

diff --git a/tests/handlers/auth_test.py b/tests/handlers/auth_test.py
@@ -221,7 +221,6 @@ async def test_success(setup: SetupTest) -> None:
     assert r.headers["X-Auth-Request-Scopes-Accepted"] == "exec:admin"
     assert r.headers["X-Auth-Request-Scopes-Satisfy"] == "all"
     assert r.headers["X-Auth-Request-User"] == token_data.username
-    assert r.headers["X-Auth-Request-Name"] == token_data.name
     assert r.headers["X-Auth-Request-Email"] == token_data.email
     assert r.headers["X-Auth-Request-Uid"] == str(token_data.uid)
     assert r.headers["X-Auth-Request-Groups"] == "admin"
@@ -246,7 +245,6 @@ async def test_success_minimal(setup: SetupTest) -> None:
     assert r.headers["X-Auth-Request-Scopes-Satisfy"] == "all"
     assert r.headers["X-Auth-Request-User"] == "user"
     assert r.headers["X-Auth-Request-Uid"] == "1234"
-    assert "X-Auth-Request-Name" not in r.headers
     assert "X-Auth-Request-Email" not in r.headers
     assert "X-Auth-Request-Groups" not in r.headers
 
@@ -487,3 +485,21 @@ async def test_ajax_unauthorized(setup: SetupTest) -> None:
     assert not isinstance(authenticate, AuthErrorChallenge)
     assert authenticate.auth_type == AuthType.Bearer
     assert authenticate.realm == setup.config.realm
+
+
+@pytest.mark.asyncio
+async def test_success_unicode_name(setup: SetupTest) -> None:
+    user_info = TokenUserInfo(username="user", uid=1234, name="名字")
+    token_service = setup.factory.create_token_service()
+    token = await token_service.create_session_token(
+        user_info, scopes=["read:all"], ip_address="127.0.0.1"
+    )
+
+    r = await setup.client.get(
+        "/auth",
+        params={"scope": "read:all"},
+        headers={"Authorization": f"Bearer {token}"},
+    )
+    assert r.status_code == 200
+    assert r.headers["X-Auth-Request-User"] == "user"
+    assert r.headers["X-Auth-Request-Uid"] == "1234"