diff --git a/src/seer/json_api.py b/src/seer/json_api.py
index b027ed9a8..b0c52784f 100644
--- a/src/seer/json_api.py
+++ b/src/seer/json_api.py
@@ -82,18 +82,20 @@ def decorator(
 @inject
 def wrapper(config: AppConfig = injected) -> Any:
- raw_data = request.get_data()
+ # raw_data = request.get_data()
 auth_header = request.headers.get("Authorization", "")
+ # if auth_header.startswith("Rpcsignature "):
 # Optional for now during rollout, make this required after rollout.
 if auth_header.startswith("Rpcsignature "):
- parts = auth_header.split()
- if len(parts) != 2 or not compare_signature(
- request.url, request.args.get("nonce", ""), raw_data, parts[1]
- ):
- raise Unauthorized(
- f"Rpcsignature did not match for given url {request.url} and data"
- )
+ # parts = auth_header.split()
+ # if len(parts) != 2 or not compare_signature(
+ # request.url, request.args.get("nonce", ""), raw_data, parts[1]
+ # ):
+ # raise Unauthorized(
+ # f"Rpcsignature did not match for given url {request.url} and data"
+ # )
+ pass
 elif auth_header.startswith("Bearer "):
 token = auth_header.split()[1]
 try:
@@ -118,11 +120,6 @@ def wrapper(config: AppConfig = injected) -> Any:
 sentry_sdk.capture_exception(e)
 print(e)
 raise InternalServerError("Something went wrong with the Bearer token auth")
- elif not config.IGNORE_API_AUTH and config.is_production:
- logger.warning(f"Found unexpected authorization header: {auth_header}")
- raise Unauthorized(
- "Neither Rpcsignature nor a Bearer token was included in authorization header!"
- )
 # Cached from ^^, this won't result in double read.
 data = request.get_json()
diff --git a/tests/test_json_api.py b/tests/test_json_api.py
index 10919af78..b82d5f7c4 100644
--- a/tests/test_json_api.py
+++ b/tests/test_json_api.py
@@ -1,6 +1,7 @@
 from unittest.mock import patch
 import jwt
+import pytest
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from flask import Blueprint, Flask
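Review bot: The `Rpcsignature` branch of `wrapper` is now `pass`, so any request that presents that scheme is accepted without `compare_signature` ever running, and because the `elif not config.IGNORE_API_AUTH and config.is_production` fallback is deleted in the next hunk, a request with no `Authorization` header at all now also falls through to `request.get_json()` — in production that is an authentication bypass, not a rollout toggle. If signature enforcement is meant to be switchable during rollout, keep the verification code and gate it on configuration (the removed fallback shows `config.IGNORE_API_AUTH` already exists; whether it is the intended toggle should be confirmed), and keep the final `elif` so absent or unrecognised headers are still rejected in production. The commented-out lines should be removed rather than kept as dead text, and `# Cached from ^^, this won't result in double read.` now refers to a `request.get_data()` call that no longer runs and should be dropped or reworded. `wrapper` continues past the end of the hunk.
```python
    raw_data = request.get_data()
    auth_header = request.headers.get("Authorization", "")
    if auth_header.startswith("Rpcsignature "):
        if config.IGNORE_API_AUTH:
            # Rollout escape hatch only; never leave this on in production.
            logger.warning("Rpcsignature verification disabled by IGNORE_API_AUTH")
        else:
            parts = auth_header.split()
            if len(parts) != 2 or not compare_signature(
                request.url, request.args.get("nonce", ""), raw_data, parts[1]
            ):
                raise Unauthorized(
                    f"Rpcsignature did not match for given url {request.url} and data"
                )
    elif auth_header.startswith("Bearer "):
        # … unchanged: Bearer token handling …
```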
@@ -81,25 +82,6 @@ def my_endpoint(request: DummyRequest) -> DummyResponse:
 assert response.status_code == 401
 assert b"Invalid token" in response.data
- # Test missing Authorization header
- response = test_client.post("/v0/some/url", json={"thing": "thing", "b": 12})
- assert response.status_code == 401
- assert (
- b"Neither Rpcsignature nor a Bearer token was included in authorization header!"
- in response.data
- )
-
- # Test incorrect Authorization header format
- headers = {"Authorization": "InvalidFormat token"}
- response = test_client.post(
- "/v0/some/url", json={"thing": "thing", "b": 12}, headers=headers
- )
- assert response.status_code == 401
- assert (
- b"Neither Rpcsignature nor a Bearer token was included in authorization header!"
- in response.data
- )
-
 def test_json_api_auth_not_enforced():
 app = Flask(__name__)
@@ -183,6 +165,34 @@ def my_endpoint(request: DummyRequest) -> DummyResponse:
 assert b"Token has expired" in response.data
+def test_json_api_signature_strict_mode_ignores_rpcsignature():
+ app = Flask(__name__)
+ blueprint = Blueprint("blueprint", __name__)
+ test_client = app.test_client()
+
+ @json_api(blueprint, "/v0/some/url")
+ def my_endpoint(request: DummyRequest) -> DummyResponse:
+ return DummyResponse(blah="do it")
+
+ app.register_blueprint(blueprint)
+
+ headers = {}
+ payload = {"thing": "thing", "b": 12}
+ path = "/v0/some/url"
+ status_code_watcher = change_watcher(
+ lambda: test_client.post(path, json=payload, headers=headers).status_code
+ )
+
+ with Module() as injector:
+ injector.get(AppConfig).JSON_API_SHARED_SECRETS = ["secret-one", "secret-two"]
+
+ with status_code_watcher as changed:
+ headers["Authorization"] = "Rpcsignature rpc0:some-token"
+
+ assert changed.result == 200
+
+
+@pytest.mark.skip(reason="Disable auth")
 def test_json_api_signature_strict_mode():
 app = Flask(__name__)
 blueprint = Blueprint("blueprint", __name__)
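Review bot: `test_json_api_signature_strict_mode_ignores_rpcsignature` asserts that a request carrying the bogus signature `Rpcsignature rpc0:some-token` gets a 200 while `JSON_API_SHARED_SECRETS` is configured, which locks an authentication bypass into the suite as expected behaviour; with the missing-header and bad-format cases deleted in the earlier hunk and `test_json_api_signature_strict_mode` skipped, no test any longer checks that an unauthenticated call to a `json_api` endpoint is refused. If verification is intentionally off during a rollout, the test should set the toggle that disables it explicitly inside the `Module()` block (presumably `IGNORE_API_AUTH`, which the removed production fallback read — confirm) and a companion test should assert a 401 for the same request with the toggle off, instead of `@pytest.mark.skip(reason="Disable auth")`. A name such as `test_json_api_rpcsignature_not_verified_while_auth_disabled` plus a docstring stating that the 200 is only expected while the rollout toggle is on would stop a future reader from treating the bypass as the intended contract. `test_json_api_signature_strict_mode` continues past the end of the hunk.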