Fixed to store the auth state in request instead of the g global object in the flask_login load_user_from_request and unauthorized handlers in the init_app method of the DigestAuth class. This is so that the auth state is always reset in the lifecycle of request even if g stays. Revised the unauthorized to create a new auth state if it is not available in the current request, in the case that the load_user_from_request handler was not run previously.

This commit is contained in:
依瑪貓 2022-12-29 23:43:35 +08:00
parent a07118ef9c
commit aeb93a60e5

View File

@ -356,10 +356,13 @@ class DigestAuth:
:return: None.
"""
state: AuthState = request.digest_auth_state \
if hasattr(request, "digest_auth_state") \
else AuthState()
response: Response = Response()
response.status = 401
response.headers["WWW-Authenticate"] \
= self.__make_response_header(g.digest_auth_state)
= self.__make_response_header(state)
abort(response)
@login_manager.request_loader
@ -370,7 +373,7 @@ class DigestAuth:
:return: The authenticated user, or None if the
authentication fails
"""
g.digest_auth_state = AuthState()
request.digest_auth_state = AuthState()
authorization: Authorization = req.authorization
try:
if authorization is None:
@ -378,7 +381,7 @@ class DigestAuth:
if authorization.type != "digest":
raise UnauthorizedException(
"Not an HTTP digest authorization")
self.__authenticate(g.digest_auth_state)
self.__authenticate(request.digest_auth_state)
user = login_manager.user_callback(
authorization.username)
login_user(user)