Commit 3b4c810

jwt_auth plugin extractCredentials: check request content-type (#1728)
Only look for credentials in JSON requests
1 parent c43fd4f commit 3b4c810

2 files changed

Lines changed: 9 additions & 7 deletions

news/1728.bugfix

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Fix jwt_auth extractCredentials plugin to only try to read credentials from the request body if there is a `Content-Type: application/json` header. @davisagli
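Review bot: the wording "if there is a `Content-Type: application/json` header" is broader than what the code in `plugin.py` actually checks, which is an exact string comparison against `"application/json"`. A request sent with `Content-Type: application/json; charset=utf-8` does carry that header in the everyday sense but will not take the JSON branch. Either state the exact-match behaviour here ("only when the `Content-Type` header is exactly `application/json`") or, preferably, relax the comparison in the plugin so the changelog entry is accurate as written.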

src/plone/restapi/pas/plugin.py

Lines changed: 8 additions & 7 deletions
@@ -96,13 +96,14 @@ def extractCredentials(self, request):
9696
# Prefer any credentials in a JSON POST request under the assumption that any
9797
# such requested sent when a JWT token is already in the `Authorization` header
9898
# is intended to change or update the logged in user.
99-
try:
100-
creds = deserializer.json_body(request)
101-
except exceptions.DeserializationError:
102-
pass
103-
else:
104-
if "login" in creds and "password" in creds:
105-
return creds
99+
if request.getHeader("Content-Type") == "application/json":
100+
try:
101+
creds = deserializer.json_body(request)
102+
except exceptions.DeserializationError:
103+
pass
104+
else:
105+
if "login" in creds and "password" in creds:
106+
return creds
106107

107108
creds = {}
108109
auth = request._auth
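Review bot: the new guard `if request.getHeader("Content-Type") == "application/json":` is an exact string match, so any JSON request whose header carries parameters (for example `application/json; charset=utf-8`, which many HTTP clients add by default) will skip the body entirely and fall through to the `request._auth` path below, silently ignoring login credentials in the body and keeping the existing token instead of switching user. Compare the media type only, and case-insensitively, for example `ctype = (request.getHeader("Content-Type") or "").split(";")[0].strip().lower()` followed by `if ctype == "application/json":`; `getHeader` may return `None`, which the `or ""` covers. Restricting deserialization to JSON requests is otherwise the right call, since it stops the plugin from attempting to parse arbitrary non-JSON bodies as credentials. Minor: the unchanged comment reads "any such requested sent", which should be "any such request sent".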
