From aeb93a60e521185ccc171c23433824cb409df316 Mon Sep 17 00:00:00 2001
From: imacat
Date: Thu, 29 Dec 2022 23:43:35 +0800
Subject: [PATCH] Fixed to store the auth state in request instead of the g global object in the flask_login load_user_from_request and unauthorized handlers in the init_app method of the DigestAuth class. This is so that the auth state is always reset in the lifecycle of request even if g stays. Revised the unauthorized to create a new auth state if it is not available in the current request, in the case that the load_user_from_request handler was not run previously.
---
 src/flask_digest_auth/auth.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/flask_digest_auth/auth.py b/src/flask_digest_auth/auth.py
index 8d30512..181972a 100644
--- a/src/flask_digest_auth/auth.py
+++ b/src/flask_digest_auth/auth.py
@@ -356,10 +356,13 @@ class DigestAuth:
 :return: None.
 """
+ state: AuthState = request.digest_auth_state \
+ if hasattr(request, "digest_auth_state") \
+ else AuthState()
 response: Response = Response()
 response.status = 401
 response.headers["WWW-Authenticate"] \
- = self.__make_response_header(g.digest_auth_state)
+ = self.__make_response_header(state)
 abort(response)
 @login_manager.request_loader
@@ -370,7 +373,7 @@ class DigestAuth:
 :return: The authenticated user, or None if the authentication fails
 """
- g.digest_auth_state = AuthState()
+ request.digest_auth_state = AuthState()
 authorization: Authorization = req.authorization
 try:
 if authorization is None:
@@ -378,7 +381,7 @@ class DigestAuth:
 if authorization.type != "digest":
 raise UnauthorizedException(
 "Not an HTTP digest authorization")
- self.__authenticate(g.digest_auth_state)
+ self.__authenticate(request.digest_auth_state)
 user = login_manager.user_callback(
 authorization.username)
 login_user(user)
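Review bot: In the `unauthorized` handler the attribute name `"digest_auth_state"` is a bare string, tested with `hasattr` here and assigned separately in the request loader. A rename or typo on either side would silently fall back to a fresh `AuthState()`, and the 401 challenge would be built without whatever the loader recorded. One lookup is easier to keep in step: `state = getattr(request, "digest_auth_state", None)` followed by `if state is None: state = AuthState()`, ideally with the name held in one module-level constant. A short comment such as `# Kept on request, not g: g can outlive a single request, so state stored there may leak into the next challenge.` would record why the fallback exists. The handler's signature and the start of its docstring lie outside the hunk.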
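Review bot: The request loader now writes the state through the global `request` proxy (`request.digest_auth_state = AuthState()`) while reading credentials from its `req` argument (`req.authorization`). The hunk at `-378,7 +381,7` then fetches the attribute a second time for `self.__authenticate(...)`. Binding it once, `state: AuthState = AuthState()` then `request.digest_auth_state = state`, and calling `self.__authenticate(state)` makes it explicit that the object being authenticated is the one `unauthorized` later reads. A one-line comment should also say whether `req` and `request` are expected to be the same object, since the visible lines do not show it. The function signature and the rest of the `try` block are outside both hunks.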