Allow error response to return a 200 status code (Fixes #114)

miguelgrinberg · Nov 16, 2020 · f3e6a57 · f3e6a57
1 parent e3c6e5f
commit f3e6a57
Show file tree

Hide file tree

Showing 2 changed files with 50 additions and 2 deletions.
diff --git a/flask_httpauth.py b/flask_httpauth.py
@@ -12,7 +12,7 @@
 from functools import wraps
 from hashlib import md5
 from random import Random, SystemRandom
-from flask import request, make_response, session, g
+from flask import request, make_response, session, g, Response
 from werkzeug.datastructures import Authorization
 from werkzeug.security import safe_str_cmp
 
@@ -49,8 +49,9 @@ def error_handler(self, f):
         @wraps(f)
         def decorated(*args, **kwargs):
             res = f(*args, **kwargs)
+            check_status_code = not isinstance(res, (tuple, Response))
             res = make_response(res)
-            if res.status_code == 200:
+            if check_status_code and res.status_code == 200:
                 # if user didn't set status code, use 401
                 res.status_code = 401
             if 'WWW-Authenticate' not in res.headers.keys():

diff --git a/tests/test_error_responses.py b/tests/test_error_responses.py
@@ -0,0 +1,47 @@
+import unittest
+import base64
+from flask import Flask, Response
+from flask_httpauth import HTTPBasicAuth
+
+
+class HTTPAuthTestCase(unittest.TestCase):
+    responses = [
+        ['error', 401],
+        [('error', 403), 403],
+        [('error', 200), 200],
+        [Response('error'), 200],
+        [Response('error', 403), 403],
+    ]
+
+    def setUp(self):
+        app = Flask(__name__)
+        app.config['SECRET_KEY'] = 'my secret'
+
+        basic_verify_auth = HTTPBasicAuth()
+
+        @basic_verify_auth.verify_password
+        def basic_verify_auth_verify_password(username, password):
+            return False
+
+        @basic_verify_auth.error_handler
+        def error_handler():
+            self.assertIsNone(basic_verify_auth.current_user())
+            return self.error_response
+
+        @app.route('/')
+        @basic_verify_auth.login_required
+        def index():
+            return 'index'
+
+        self.app = app
+        self.basic_verify_auth = basic_verify_auth
+        self.client = app.test_client()
+
+    def test_default_status_code(self):
+        creds = base64.b64encode(b'foo:bar').decode('utf-8')
+
+        for r in self.responses:
+            self.error_response = r[0]
+            response = self.client.get(
+                '/', headers={'Authorization': 'Basic ' + creds})
+            self.assertEqual(response.status_code, r[1])