
lepture/authlib 1580

The ultimate Python library in building OAuth and OpenID Connect servers. JWS,JWE,JWK,JWA,JWT included.

lepture/captcha 603

A captcha library that generates audio and image CAPTCHAs.

avelino/liquidluck 338

Felix Felicis (aka liquidluck) is a static blog generator in python

lepture/colorful 58

colorful environment for command line tools in node

lepture/chinalaw 44

Please follow https://github.com/cn

lepture/ansible-sentry 20

Ansible role which manage Sentry, with supervisor

lepture/burglar 12

Let's rob the fat guys, and publish everything into feeds.

authlib/example-oidc-server 10

Example for OpenID Connect 1.0 Server for Authlib.

lepture/color-patterns 10

Colors that I love.

lepture/aiowhoosh 8

Whoosh over HTTP by aiohttp

push event lepture/authlib

Bob Haddleton

commit sha 7f4e2af155030afc6f7f1f44ebdadcaacf9a2ad5

Update Content-Length header if present when body size changes (#191) If the Content-Length header has already been populated when the encoding methods update the body content, the Content-Length needs to be updated to include the new text.


push time in 4 days

PR merged lepture/authlib

Update Content-Length header if present when body size changes

If the Content-Length header has already been populated when the encoding methods update the body content, the Content-Length needs to be updated to include the new text.

Closes #190

What kind of change does this PR introduce? (check at least one)

  • [X] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [X] No

  • [X] You consent that the copyright of your pull request source code belongs to Authlib's author.
+4 -0

0 comment

1 changed file

bobh66

pr closed time in 4 days

issue closed lepture/authlib

oauth2.auth.encode_none() changes the body size but leaves content-length header set to the old size

Describe the bug

When using the HTTPX AsyncOAuth2Client with password grant, the httpx_client OAuth2ClientAuth.auth_flow() method modifies the body by adding the client_id, but it does not update the Content-Length header which has already been calculated. This causes an exception in the httpx h11 processing when it deletes more characters from the stream buffer than the content-length has specified.

Error Stacks

.virtualenvs/traffica_stc/lib/python3.7/site-packages/authlib/integrations/httpx_client/oauth2_client.py:109: in _fetch_token
    auth=auth, **kwargs)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/client.py:1316: in post
    timeout=timeout,
.virtualenvs/traffica_stc/lib/python3.7/site-packages/authlib/integrations/httpx_client/oauth2_client.py:89: in request
    method, url, auth=auth, **kwargs)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/client.py:1097: in request
    request, auth=auth, allow_redirects=allow_redirects, timeout=timeout,
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/client.py:1118: in send
    request, auth=auth, timeout=timeout, allow_redirects=allow_redirects,
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/client.py:1148: in send_handling_redirects
    request, auth=auth, timeout=timeout, history=history
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/client.py:1184: in send_handling_auth
    response = await self.send_single_request(request, timeout)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/client.py:1208: in send_single_request
    response = await dispatcher.send(request, timeout=timeout)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/dispatch/connection_pool.py:157: in send
    raise exc
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/dispatch/connection_pool.py:153: in send
    response = await connection.send(request, timeout=timeout)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/dispatch/connection.py:44: in send
    return await self.connection.send(request, timeout=timeout)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/dispatch/http11.py:51: in send
    await self._send_request_body(request, timeout)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/dispatch/http11.py:101: in _send_request_body
    await self._send_event(event, timeout)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/httpx/dispatch/http11.py:117: in _send_event
    bytes_to_send = self.h11_state.send(event)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/h11/_connection.py:464: in send
    data_list = self.send_with_data_passthrough(event)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/h11/_connection.py:498: in send_with_data_passthrough
    writer(event, data_list.append)
.virtualenvs/traffica_stc/lib/python3.7/site-packages/h11/_writers.py:69: in __call__
    self.send_data(event.data, write)
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <h11._writers.ContentLengthWriter object at 0x7fdbaa265a58>
data = b'grant_type=password&username=foo&password=barbar%23123&client_id=foo-backend'
write = <built-in method append of list object at 0x7fdbaa25ba88>

    def send_data(self, data, write):
        self._length -= len(data)
        if self._length < 0:
            raise LocalProtocolError(
>               "Too much data for declared Content-Length")
E           h11._util.LocalProtocolError: Too much data for declared Content-Length

.virtualenvs/traffica_stc/lib/python3.7/site-packages/h11/_writers.py:89: LocalProtocolError
---------------------------- Captured log teardown -----------------------------

To Reproduce

import pytest
from authlib.integrations.httpx_client import AsyncOAuth2Client


@pytest.mark.asyncio
async def test_keycloak():
    client = AsyncOAuth2Client(client_id="foo-backend",
                               client_secret=None,
                               username="foo", password="barbar#123",
                               token_endpoint="https://keycloak/auth/realms/myrealm/protocol/openid-connect/token",
                               verify=False, trust_env=False)
    client.token = await client.fetch_token(url="https://keycloak/auth/realms/myrealm/protocol/openid-connect/token", username="foo",
                                            password="barbar#123")
    print(client.token)

Expected behavior

The token should be fetched from the server

Environment:

  • OS: CentOS Linux
  • Python Version: 3.7
  • Authlib Version: 0.14

Additional context

This change in oauth2/auth.py fixes the problem:

from authlib.common.urls import add_params_to_qs, add_params_to_uri


def encode_none(client, method, uri, headers, body):
    # Public client: client_id goes in the query string for GET
    # and in the form body for every other method.
    if method == 'GET':
        uri = add_params_to_uri(uri, [('client_id', client.client_id)])
        return uri, headers, body
    body = add_params_to_qs(body, [('client_id', client.client_id)])
    # The body just grew, so a Content-Length computed earlier is stale.
    headers['Content-Length'] = str(len(body))
    return uri, headers, body

closed time in 4 days

bobh66
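The mismatch reported in the issue and merged in the PR above, reduced to a stand-alone model (added example, not Authlib's or httpx's code): `add_client_id` stands in for `add_params_to_qs`, `send_body` models h11's declared-length check, and `encode_none_after` only rewrites `Content-Length` when the caller had already set it.

```python
from urllib.parse import parse_qsl, urlencode


class TooMuchData(Exception):
    """Stand-in for h11's LocalProtocolError: body longer than declared."""


def add_client_id(body, client_id):
    # Append client_id to a form-encoded body; stand-in for authlib's
    # add_params_to_qs so the example needs no third-party package.
    params = parse_qsl(body, keep_blank_values=True)
    params.append(("client_id", client_id))
    return urlencode(params)


def encode_none_before(client_id, headers, body):
    # Behaviour reported in the issue: the body grows, headers are untouched.
    return dict(headers), add_client_id(body, client_id)


def encode_none_after(client_id, headers, body):
    # Behaviour of the fix: if the caller already computed Content-Length,
    # recompute it from the new body; otherwise leave the headers alone
    # (a chunked request, for example, carries no Content-Length at all).
    headers = dict(headers)
    body = add_client_id(body, client_id)
    if "Content-Length" in headers:
        headers["Content-Length"] = str(len(body.encode("utf-8")))
    return headers, body


def send_body(headers, body):
    """Model of h11's ContentLengthWriter.send_data: every byte written is
    subtracted from the declared length, and going negative is a protocol
    error. Returns the number of declared bytes still unsent (0 when the
    header and body agree)."""
    remaining = int(headers["Content-Length"])
    remaining -= len(body.encode("utf-8"))
    if remaining < 0:
        raise TooMuchData("Too much data for declared Content-Length")
    return remaining


def run_password_grant(encoder):
    # Constructed request: the form body the client prepared before the auth
    # hook ran, with Content-Length already computed from that body.
    body = "grant_type=password&username=foo&password=barbar%23123"
    headers = {"Content-Length": str(len(body))}
    headers, body = encoder("foo-backend", headers, body)
    try:
        return send_body(headers, body)  # 0 means header and body agree
    except TooMuchData:
        return -1  # the failure the issue's traceback shows
```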

issue comment lepture/authlib

Unable to decode ID Token with unicode characters - Part 1

No, I didn't get such emails. @TomAtHulu you need to provide an example (data) for me to test it.

TomAtHulu

comment created time in 5 days

issue comment lepture/authlib

Unable to decode ID Token with unicode characters - Part 1

I didn't see any example. parse_token.py.zip is just python code. Please provide a minimal example to reproduce your problem.

TomAtHulu

comment created time in 6 days

PR closed lepture/authlib

Add sync HTTPX AssertionClient and OAuth2Client

What kind of change does this PR introduce? (check at least one)

  • [ ] Bugfix
  • [x] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No (I think)

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.
+145 -8

3 comments

3 changed files

ulodciv

pr closed time in 6 days

pull request comment lepture/authlib

Add sync HTTPX AssertionClient and OAuth2Client

HTTPX changes very quickly, it once dropped support for sync mode, that is when Authlib removed sync client. I'm not sure if they will drop sync client again. I'll wait until it reaches 1.0.

ulodciv

comment created time in 6 days

issue comment lepture/mistune

Any ideas about saving and exposing state in class Markdown?

You can pass a state dict yourself:

state = {}
md = Markdown()
md.parse(text, state)

In this way, you can access state after parsing.

schwarzichet

comment created time in 6 days

push event lepture/authlib

Hsiaoming Yang

commit sha e3e18da74d689b61a8dc8db46775ff77a57c6c2a

Update docs for httpx clients


push time in 8 days

issue comment lepture/authlib

headers.append of WWW-Authenticate causing infinite loop of appending headers.

It was fixed by https://github.com/lepture/authlib/pull/181

JakeDEvans

comment created time in 8 days

issue closed lepture/authlib

RemoteApp moved around?

Describe the bug

Previous imports are no longer working.

Python 3.6.4 (default, Jan  8 2020, 14:32:46) 
[GCC 4.2.1 Compatible Apple LLVM 11.0.0 (clang-1100.0.33.8)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> from authlib.flask.client import OAuth
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/Users/mrunchey/brokerdev/lib/python3.6/site-packages/authlib/flask/client/__init__.py", line 4, in <module>
    from authlib.integrations.flask_client import OAuth, RemoteApp
ImportError: cannot import name 'RemoteApp'

closed time in 8 days

mattrunchey

issue comment lepture/authlib

RemoteApp moved around?

authlib.flask.client is deprecated, and it will be removed in v1.0. I've just fixed the legacy imports in v0.14.1.

mattrunchey

comment created time in 8 days

created tag lepture/authlib

tag v0.14.1


created time in 8 days

push event lepture/authlib

Hsiaoming Yang

commit sha 7ca1787bf03274607bc904ed357bf7714808e074

Fix flask and django clients legacy imports https://github.com/lepture/authlib/issues/189


Hsiaoming Yang

commit sha 8e8786bd2b0308d82438ef8a9424765a1777bfce

Version bump 0.14.1


push time in 8 days

issue comment lepture/authlib

RemoteApp moved around?

https://docs.authlib.org/en/latest/client/flask.html

from authlib.integrations.flask_client import OAuth

mattrunchey

comment created time in 8 days

issue closed lepture/authlib

Make framework integration easier

Is your feature request related to a problem? Please describe.

I'm currently building framework integration for Zope (and will build Pyramid next). What's frustrating me is that the integration layer with these frameworks only very loosely specifies what is required of these frameworks to actually interoperate with Authlib.

Describe the solution you'd like

I've started the Zope layer from a refactoring of the flask layer, to get started, and in the process pulled out a FramworkIntegration object, that only has the job to describe what authlib needs from the framework. That way it is much simpler to know what has to be implemented to make things work, without having to understand so much about how authlib works. Have a look at it here. https://github.com/zms-publishing/zope.openid-connect/tree/master/zope/openid_connect/authlib_integration

Of course it is still very rough, but the idea here is to have a delegate object, that subclasses the Framework-Integration Interface, that has methods to access session and cache values and documents what kind of requirements these sessions / caches have to be viable (i.e. these values can not be user visible, but these can...). Also how to get at form or query arguments from a request, etc.

There will maybe be different interfaces to support sync and async operation, and probably some optional methods to support stuff like Flask's partially configured state (app factory pattern). See the repo for some rough sketches.

Describe alternatives you've considered

I've tried to adapt the code from the flask example directly and found it very hard as I had to understand quite a bit about authlib to make that happen. Maybe now I do, but having a simple delegate object that just encapsulates how the specific framework accomplishes things was in the end much more viable.

Additional context

I'd like to add that having such a delegate pattern should also make unit testing much simpler, as it is quite easy to fake such an interface without having to bring up / in the actual frameworks.

What I'm currently having is a simple delegate object, but this could also become a factory and holder of the Authlib objects, allowing it to make callbacks - not sure what is the best way here yet.

Also, this is very much still a work in progress, but I wanted to a) get feedback and b) see how you react, and if maybe that is something that can be extracted into a project in the authlib organisation.

closed time in 8 days

dwt

push event lepture/authlib

Jeremy Wright

commit sha f6e184d28644d2db79036932f18dc9a6ff626fb3

Fix misspelling in README.md (#183)


push time in 8 days

PR merged lepture/authlib

Fix misspelling in README.md

DO NOT SEND ANY SECURITY FIX HERE. Please read "Security Reporting" section on README.

What kind of change does this PR introduce? (check at least one)

  • [ ] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [x] Other, please describe: Fix spelling in README.md documentation.

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.
+1 -1

0 comment

1 changed file

JeremyLWright

pr closed time in 8 days

PR closed lepture/authlib

Starlette: Force GET on authorize_redirect

Starlette uses 307 status code for RedirectResponse by default: https://www.starlette.io/responses/#redirectresponse

This will reuse the same method of the original request: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307

...while RFC6749 only ensures that GET is accepted (POST is optional): https://tools.ietf.org/html/rfc6749#section-3.1

By using HTTP_303_SEE_OTHER the redirect will always occur using a GET: https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/303

DO NOT SEND ANY SECURITY FIX HERE. Please read "Security Reporting" section on README.

What kind of change does this PR introduce? (check at least one)

  • [x] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No

  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.
+2 -1

2 comments

1 changed file

phy25

pr closed time in 8 days

pull request comment lepture/authlib

Starlette: Force GET on authorize_redirect

Fixed in v0.14

phy25

comment created time in 8 days

issue closed lepture/authlib

0.13 throws away oidc nonce provided by the application

See this snippet here:

https://github.com/lepture/authlib/blob/3834a2a80876a87cdaab4240d77185179970c3ab/authlib/integrations/_client/base_app.py#L189-L193

This is called from RemoteApp.create_authorization_url which is called by RemoteApp.authorize_redirect which is called by my application (I'm not using the registry).

So if I pass my own nonce (which I'm storing in the session myself) it gets overwritten, so when I try to parse the id token later it fails of course. I fixed it in my app like this but it feels extremely ugly.

So it would be nice if:

  • no new nonce was generated if the caller already provided one
  • there was an api to access the session data without popping it and without using internal apis (_get_session_data); using retrieve_access_token_params just to get the nonce would be pretty inappropriate since it does much more
  • there was a proper OIDC client built-in in addition to the standard OAuth2 client ;)

closed time in 8 days

ThiefMaster
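The three wishes in the issue above, as an added example that is not Authlib's code: a caller-supplied nonce is kept rather than overwritten, the stored nonce can be read without popping it, and validation against the ID token consumes it so it cannot be replayed. The session key name `_oidc_nonce` is chosen for this example.

```python
import hmac
import secrets

SESSION_KEY = "_oidc_nonce"  # name chosen for this example


def create_authorization_params(session, params):
    """Prepare authorization-request params, keeping a caller-supplied nonce.

    Only when the caller did not supply one is a fresh random nonce generated.
    Whatever nonce ends up in the request is stored in the session so the
    ID token can be checked against it later.
    """
    params = dict(params)
    nonce = params.get("nonce")
    if not nonce:
        nonce = secrets.token_urlsafe(32)
        params["nonce"] = nonce
    session[SESSION_KEY] = nonce
    return params


def peek_nonce(session):
    """Read the stored nonce without consuming it (the second wish in the
    issue: access to session data without popping it)."""
    return session.get(SESSION_KEY)


def validate_id_token_nonce(session, claims):
    """Consume the stored nonce and compare it with the ID token's nonce claim.

    The nonce is single-use: it is removed from the session whether or not the
    comparison succeeds, so a replayed ID token cannot pass a second time.
    Comparison is constant-time to avoid leaking the stored value.
    """
    expected = session.pop(SESSION_KEY, None)
    received = claims.get("nonce")
    if not expected or not isinstance(received, str):
        return False
    return hmac.compare_digest(expected, received)
```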

issue comment lepture/authlib

0.13 throws away oidc nonce provided by the application

Fixed in v0.14

ThiefMaster

comment created time in 8 days

issue closed lepture/authlib

headers.append of WWW-Authenticate causing infinite loop of appending headers.

Describe the bug

https://github.com/lepture/authlib/commit/8b535a8b09ebeaa9d9410e4c86e0371abc7d7bd6#diff-15546a372b6f5de06be881e91fec2e24R100

https://github.com/lepture/authlib/commit/8b535a8b09ebeaa9d9410e4c86e0371abc7d7bd6#diff-efe7a7a222a30214529e7718318c355eR63

Will eventually throw: https://stackoverflow.com/questions/23055378/http-client-httpexception-got-more-than-100-headers

WWW-Authenticate: Bearer error="invalid_token", error_description="The access token provided is expired, revoked, malformed, or invalid for other reasons."
WWW-Authenticate: Bearer error="invalid_token", error_description="The access token provided is expired, revoked, malformed, or invalid for other reasons."
WWW-Authenticate: Bearer error="invalid_token", error_description="The access token provided is expired, revoked, malformed, or invalid for other reasons."

To Reproduce

Continued use of authlib

Expected behavior

one instance of WWW-Authenticate

Environment:

  • OS: alpine
  • Python Version: 3.7
  • Authlib Version: 0.12

Additional context

I suggest using headers.set to ensure only one header is added/created.

closed time in 8 days

JakeDEvans
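The difference between appending and setting the challenge header, as an added example (not Authlib's code). The `Headers` class and `BearerTokenError` are constructed for this example; reusing one error instance across requests is an assumed model of how the header accumulated, since the page does not show the root cause.

```python
class Headers:
    """Minimal multi-valued header map, constructed for this example; add()
    and set() mirror the distinction between appending another instance of
    a header and replacing whatever instances already exist."""

    def __init__(self):
        self._items = []

    def add(self, name, value):
        self._items.append((name, value))

    def set(self, name, value):
        # Drop every existing instance (case-insensitively), then keep one.
        self._items = [(n, v) for n, v in self._items
                       if n.lower() != name.lower()]
        self._items.append((name, value))

    def getlist(self, name):
        return [v for n, v in self._items if n.lower() == name.lower()]

    def __len__(self):
        return len(self._items)


CHALLENGE = ('Bearer error="invalid_token", error_description="The access '
             'token provided is expired, revoked, malformed, or invalid for '
             'other reasons."')


class BearerTokenError:
    """Error object whose headers outlive a single request. Reusing one
    instance (assumed model, e.g. a cached or module-level error) is what
    makes add() pile up one WWW-Authenticate line per rejected request."""

    def __init__(self):
        self.headers = Headers()

    def challenge_with_add(self):
        self.headers.add("WWW-Authenticate", CHALLENGE)
        return self.headers

    def challenge_with_set(self):
        self.headers.set("WWW-Authenticate", CHALLENGE)
        return self.headers


def serve_rejections(error, use_set, requests):
    """Reject `requests` requests with the same error object and return how
    many WWW-Authenticate headers the last response carries."""
    headers = error.headers
    for _ in range(requests):
        headers = (error.challenge_with_set() if use_set
                   else error.challenge_with_add())
    return len(headers.getlist("WWW-Authenticate"))


def exceeds_header_limit(headers, limit=100):
    """Server-side check for the failure the reporter links (http.client's
    'got more than 100 headers') before a client trips over it."""
    return len(headers) > limit
```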

release lepture/authlib

v0.14

released time in 8 days

created tag lepture/authlib

tag v0.14


created time in 9 days

push event lepture/authlib

Hsiaoming Yang

commit sha 25e7fe4803af94b4b4057920a854fb6d0994ac78

Version bump 0.14


push time in 9 days

issue comment lepture/authlib

Make framework integration easier

It is available in v0.14

dwt

comment created time in 9 days

issue closed lepture/authlib

v0.13, django client: lazy-loading server metadata breaks logout flows

Describe the bug

Version 0.13 introduces lazy loading of server metadata on first auth request, but this breaks logout flows for some OIDC providers (in my case, Keycloak).

Consider this logout view (django):

from urllib.parse import urlencode

from django.contrib.auth import logout as log_out
from django.http import HttpResponseRedirect

# `oauth` is the application's registry (see the registration snippet below).


def logout(request):
    """Log the user out of Django and redirect to the Keycloak logout URL,
    so that they get logged out everywhere."""
    log_out(request)
    return_to = urlencode({'redirect_uri': request.build_absolute_uri('/')})
    # Keycloak-specific metadata key; empty until metadata has been loaded.
    logout_url = oauth.keycloak.server_metadata['end_session_endpoint']
    logout_url += '?' + return_to
    return HttpResponseRedirect(logout_url)

This logic counts on server_metadata['end_session_endpoint'] being available (this is a special Keycloak feature). However, when the django app restarts, server metadata is empty until someone performs a login flow. Until that, all logout flows will end up with an error.

Error Stacks

Internal Server Error: /logout
Traceback (most recent call last):
  File "/Users/1111/Library/Caches/pypoetry/virtualenvs/demo-keycloak-client-py3.7/lib/python3.7/site-packages/django/core/handlers/exception.py", line 34, in inner
    response = get_response(request)
  File "/Users/1111/Library/Caches/pypoetry/virtualenvs/demo-keycloak-client-py3.7/lib/python3.7/site-packages/django/core/handlers/base.py", line 115, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/1111/Library/Caches/pypoetry/virtualenvs/demo-keycloak-client-py3.7/lib/python3.7/site-packages/django/core/handlers/base.py", line 113, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/1111/_projects/fasttrack/demo_keycloak_client/auth0login/views.py", line 28, in logout
    logout_url = oauth.keycloak.server_metadata['end_session_endpoint']
KeyError: 'end_session_endpoint'

To Reproduce

Instantiate the client like so:

from authlib.integrations.django_client import OAuth

oauth = OAuth()

oauth.register(
    'keycloak',
    server_metadata_url='https://sso.fstrk.io/auth/realms/fasttrack/.well-known/openid-configuration',
    client_kwargs={'scope': 'openid profile email'}
)

assert oauth.keycloak.server_metadata['end_session_endpoint']

Suggestions Currently I am force-loading the metadata on Django startup:

oauth.keycloak._load_server_metadata()

Since end_session_endpoint is Keycloak-specific and the library cannot be extended to provide a deauthorize_redirect() method, my suggestion is to make load_server_metadata() public and document it.

Thanks!

closed time in 9 days

kurtgn

issue comment lepture/authlib

v0.13, django client: lazy-loading server metadata breaks logout flows

It will be available in v0.14

kurtgn

comment created time in 9 days

push event lepture/authlib

Hsiaoming Yang

commit sha ebe4546d4c6714d52a12103c8dfab6ddba90566b

Test python 3.8


push time in 9 days

push event lepture/authlib

Hsiaoming Yang

commit sha 20483349583d8eb13f0b45a1aeb4c91aab8e0cf1

Make load_server_metadata method public https://github.com/lepture/authlib/issues/169


Hsiaoming Yang

commit sha 5fc34556a86f069d9c35404dd181e88245f00e16

Add changelog for v0.14


push time in 9 days

issue comment lepture/authlib

Unable to decode ID Token with unicode characters - Part 1

Could you provide a test case for it?

TomAtHulu

comment created time in 9 days

push event lepture/authlib

Hsiaoming Yang

commit sha 2a52d1e95898f9b3024018736210cf73ba9ad6bc

Fix upload coverage


push time in 9 days

push event lepture/authlib

Hsiaoming Yang

commit sha f754eff0c21a11c837a25bc6d4a49875de243c72

Restructure client integration https://github.com/lepture/authlib/issues/167


push time in 9 days

issue closed lepture/authlib

Decoding a JWS token with ES256 doesn't work

Describe the bug

Hi! I'm trying to implement an OAuth2 server with authlib and I found a bug in the library with ES256. I was trying to decode a JWS token signed with ES256 but the library has raised an exception. The generation of a JWT with ES256 works, but not the decoding.

Here is the small piece of code that raises an exception:

import json
import logging
from datetime import datetime

from authlib.jose import JsonWebSignature, JWS_ALGORITHMS
from authlib.oauth2.rfc6749 import grants

logger = logging.getLogger(__name__)


def gen_refresh_token(self, client, grant_type, user, scope):
    jws = JsonWebSignature(algorithms=JWS_ALGORITHMS)
    header = {'alg': 'ES256'}
    date = datetime.utcnow()
    payload = {
        'client_id': client.get_client_id(),
        'iat': int(date.timestamp()),
        'user_id': user["id"],
        'scope': scope,
        'exp': 604800
    }
    try:
        # Signing with the EC private key works fine.
        with open("my_ec_key.pem", 'r') as f:
            key = f.read()
        s = jws.serialize_compact(header, json.dumps(payload), key)
    except Exception:
        logger.exception('JWS exception')
        raise
    return s.decode("utf-8")
...

class RefreshTokenGrant(grants.RefreshTokenGrant):
    INCLUDE_NEW_REFRESH_TOKEN = True

    def authenticate_refresh_token(self, refresh_token):
        jws = JsonWebSignature(algorithms=JWS_ALGORITHMS)
        try:
            # Verifying with the EC public key read as str raises the
            # TypeError shown in the traceback below.
            with open("my_ec_pub.pem", 'r') as f:
                key = f.read()
            jws_obj = jws.deserialize_compact(refresh_token, key)
            ...
        except Exception:
            logger.exception('JWS exception')

And the traceback :

Traceback (most recent call last):
  File "/mnt/d/documents/exo1/src/exo1/rest/flask/oauth2.py", line 64, in authenticate_refresh_token
    jws_obj = jws.deserialize_compact(refresh_token, key)
  File "/home/yohann/.local/lib/python3.6/site-packages/authlib/jose/rfc7515/jws.py", line 115, in deserialize_compact
    self._algorithms, jws_header, payload, key)
  File "/home/yohann/.local/lib/python3.6/site-packages/authlib/jose/util.py", line 14, in prepare_algorithm_key
    key = algorithm.prepare_public_key(key)
  File "/home/yohann/.local/lib/python3.6/site-packages/authlib/jose/rfc7518/_backends/_key_cryptography.py", line 42, in prepare_public_key
    if key.startswith(b'ecdsa-sha2-'):
TypeError: startswith first arg must be str or a tuple of str, not bytes

To Reproduce

I put a small example of the code above.

Expected behavior

I should get the content of the token.

Environment:

  • OS: Windows Subsystem for Linux
  • Python Version: 3.6.8
  • Authlib Version: 0.13.0

Additional context

I found a patch for my use case. You have to edit the file in : authlib/jose/rfc7518/_backends/_key_cryptography.py

In the class ECKey, the method prepare_public_key doesn't convert the key to bytes. I made the following patch:

def prepare_public_key(self, key):
    if isinstance(key, EllipticCurvePublicKey):
        return key
    # Normalise str input to bytes before the bytes-prefix check below.
    key = to_bytes(key)
    if key.startswith(b'ecdsa-sha2-'):
        return load_ssh_public_key(key, backend=default_backend())
    else:
        return load_pem_public_key(key, backend=default_backend())

Add any other context about the problem here.

closed time in 9 days

fenix01

issue comment lepture/authlib

Decoding a JWS token with ES256 doesn't work

fixed in master

fenix01

comment created time in 9 days

issue closed lepture/authlib

Authlib does not correctly work with httpx middleware

Describe the bug

A clear and concise description of what the bug is.

Error Stacks

Traceback (most recent call last):
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/uvicorn/protocols/http/httptools_impl.py", line 385, in run_asgi
    result = await app(self.scope, self.receive, self.send)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/uvicorn/middleware/proxy_headers.py", line 45, in __call__
    return await self.app(scope, receive, send)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/fastapi/applications.py", line 140, in __call__
    await super().__call__(scope, receive, send)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/applications.py", line 134, in __call__
    await self.error_middleware(scope, receive, send)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/middleware/errors.py", line 178, in __call__
    raise exc from None
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/middleware/errors.py", line 156, in __call__
    await self.app(scope, receive, _send)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/middleware/sessions.py", line 75, in __call__
    await self.app(scope, receive, send_wrapper)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/exceptions.py", line 73, in __call__
    raise exc from None
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/exceptions.py", line 62, in __call__
    await self.app(scope, receive, sender)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/routing.py", line 590, in __call__
    await route(scope, receive, send)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/routing.py", line 208, in __call__
    await self.app(scope, receive, send)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/starlette/routing.py", line 41, in app
    response = await func(request)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/fastapi/routing.py", line 127, in app
    raw_response = await dependant.call(**values)
  File "./proj/apps/auth/api.py", line 77, in callback_oauth
    token = await current_oauth.authorize_access_token(request, redirect_uri=redirect_uri)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/src/authlib/authlib/integrations/starlette_client/remote_app.py", line 39, in authorize_access_token
    return await self.fetch_access_token(**params)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/src/authlib/authlib/integrations/asgi_client/base_app.py", line 104, in fetch_access_token
    token = await client.fetch_token(token_endpoint, **kwargs)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/src/authlib/authlib/integrations/httpx_client/oauth2_client.py", line 105, in _fetch_token
    resp = await self.post(
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/httpx/client.py", line 772, in post
    return await self.request(
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/src/authlib/authlib/integrations/httpx_client/oauth2_client.py", line 86, in request
    return await super(AsyncOAuth2Client, self).request(
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/httpx/client.py", line 259, in request
    response = await self.send(
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/httpx/client.py", line 403, in send
    response = await self.send_handling_redirects(
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/httpx/client.py", line 465, in send_handling_redirects
    response = await self.send_handling_auth(
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/httpx/client.py", line 589, in send_handling_auth
    request = next(auth_flow)
  File "/home/ken/.local/share/virtualenvs/testproj-lMPjJ55e/lib/python3.8/site-packages/httpx/auth.py", line 62, in __call__
    yield self.func(request)
TypeError: __call__() missing 1 required positional argument: 'get_response'

To Reproduce

  1. Install Starlette/FastAPI
  2. Use the current github version of authlib
  3. Attempt to call authorize_access_token()

Expected behavior

It should work.

Environment:

  • OS: Ubuntu 18.04
  • Python Version: 3.8
  • Authlib Version: Current master branch

Additional context

Why this is happening is pretty obvious when you look at the code. Here's what httpx is doing:

class FunctionAuth(Auth):
    """
    Allows the 'auth' argument to be passed as a simple callable function,
    that takes the request, and returns a new, modified request.
    """

    def __init__(self, func: typing.Callable[[Request], Request]) -> None:
        self.func = func

    def __call__(self, request: Request) -> AuthFlow:
        yield self.func(request)

Notice it's calling self.func(request).

Here's the class whose __call__ it's invoking:

class OAuth2ClientAuth(Middleware, ClientAuth):
    async def __call__(
        self, request: Request, get_response: typing.Callable
    ) -> Response:
        return await auth_call(self, request, get_response)

get_response is not passed.

closed time in 9 days

kkinder

issue commentlepture/authlib

Authlib does not correctly work with httpx middleware

fixed in master

kkinder

comment created time in 9 days

issue closedlepture/authlib

broken with httpx 0.10

Describe the bug

authlib uses old classes of httpx. New version of httpx 0.10 removed AsyncRequest AsyncResponse and also there's no middleware.

Environment:

  • OS: Linux
  • Python Version: 3.7
  • Authlib Version: 0.13

closed time in 9 days

kesavkolla

issue commentlepture/authlib

broken with httpx 0.10

fixed in master

kesavkolla

comment created time in 9 days

issue closedlepture/authlib

JWT validation of exp claim doesn't work if exp is 0

Describe the bug

Validation fails when the exp claim is 0.

To Reproduce

A minimal example to reproduce the behavior:

>>> from authlib.jose import JWTClaims
>>> claims = JWTClaims({"exp": 0}, {"alg": "HS256"})
>>> claims.validate()
>>> 

Expected behavior

What we should see is what we see with a positive value:

>>> claims = JWTClaims({"exp": 1}, {"alg": "HS256"})
>>> claims.validate()
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/.../python3.7/site-packages/authlib/jose/rfc7519/claims.py", line 98, in validate
    self.validate_exp(now, leeway)
  File "/.../python3.7/site-packages/authlib/jose/rfc7519/claims.py", line 171, in validate_exp
    raise ExpiredTokenError()
authlib.jose.errors.ExpiredTokenError: expired_token: The token is expired

Environment:

  • OS: macOS
  • Python Version: 3.7.5
  • Authlib Version: 0.13

closed time in 9 days

mivade

issue commentlepture/authlib

JWT validation of exp claim doesn't work if exp is 0

fixed

mivade

comment created time in 9 days
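The defect in this thread is a truthiness check: `exp` is an optional claim, so the validator must skip only when the claim is absent, not when it is falsy. Zero is a real timestamp (the Unix epoch) and is long expired. As an added example, not Authlib's code, here is the corrected RFC 7519 `exp` check beside the defective pattern; `ExpiredTokenError` and `InvalidClaimError` are locally defined stand-ins for the library's exception classes, and the `now` values in use are constructed.

```python
import time


class ExpiredTokenError(Exception):
    """Local stand-in for authlib.jose.errors.ExpiredTokenError."""


class InvalidClaimError(Exception):
    """Raised when ``exp`` is present but is not a number."""


def validate_exp(claims, now=None, leeway=0):
    """Validate the RFC 7519 ``exp`` (expiration time) claim.

    ``exp`` is optional, so the check is skipped only when the key is
    absent. A present value of 0 is a real timestamp (the Unix epoch) and
    is long expired; it must not be confused with "no claim".
    """
    if now is None:
        now = int(time.time())
    exp = claims.get("exp")
    if exp is None:  # absent: nothing to validate
        return
    # bool is a subclass of int, so rule it out explicitly
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise InvalidClaimError("exp")
    if exp < now - leeway:
        raise ExpiredTokenError("expired_token: The token is expired")


def validate_exp_truthy(claims, now=None, leeway=0):
    """The defective pattern: gating on truthiness skips exp == 0."""
    if now is None:
        now = int(time.time())
    exp = claims.get("exp")
    if exp:  # bug: 0 is falsy, so an epoch-dated token is accepted
        if exp < now - leeway:
            raise ExpiredTokenError("expired_token: The token is expired")


def is_expired(claims, now=None, leeway=0, check=validate_exp):
    """Boolean wrapper: True when ``check`` raises ExpiredTokenError."""
    try:
        check(claims, now=now, leeway=leeway)
    except ExpiredTokenError:
        return True
    return False


if __name__ == "__main__":
    NOW = 1_600_000_000  # constructed "current time"
    print("fixed  rejects exp=0:", is_expired({"exp": 0}, now=NOW))
    print("truthy rejects exp=0:", is_expired({"exp": 0}, now=NOW, check=validate_exp_truthy))
```

The same `is None` discipline applies to `nbf` and `iat`: any claim whose valid values include 0 has to be tested for presence, not for truth.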

push eventlepture/authlib

Hsiaoming Yang

commit sha 0d3e0258742bd6f19ddaaac65dc3a467e9f14de0

Allow custom nonce for openid request https://github.com/lepture/authlib/issues/180

Hsiaoming Yang

commit sha 7d755602276a31e16b8c497faeaa4e0ae5265a82

Fix for HTTPX integrations

Hsiaoming Yang

commit sha 81be03a4380e4c2235284257b28c519478a355eb

Force bytes for ES key https://github.com/lepture/authlib/issues/176

Hsiaoming Yang

commit sha 142a7e5b8d4290707808baa5b35635961bcb279a

Update CI configuration

push time in 9 days

issue closedlepture/mistune

Error when used as a submodule

Commands run

git submodule add git@github.com:lepture/mistune.git mistune
python3 -c 'from mistune import mistune'

Output

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/home/olepor/go/src/github.com/mendersoftware/mender-hub/mistune/mistune/__init__.py", line 6, in <module>
    from .plugins import PLUGINS
  File "/home/olepor/go/src/github.com/mendersoftware/mender-hub/mistune/mistune/plugins/__init__.py", line 1, in <module>
    from .extra import plugin_url, plugin_strikethrough
  File "/home/olepor/go/src/github.com/mendersoftware/mender-hub/mistune/mistune/plugins/extra.py", line 1, in <module>
    from mistune.scanner import escape_url
ModuleNotFoundError: No module named 'mistune.scanner'

closed time in 9 days

oleorhagen

issue commentlepture/mistune

Error when used as a submodule

You need to install it first:

pip install .

oleorhagen

comment created time in 9 days

issue closedlepture/authlib

Flask JWT validation decorator

Is your feature request related to a problem? Please describe.

We have several Flask API apps that need to be secured similar to this. OAuth 2.0 client credentials will be used, so just the authentication headers need to be validated.

Describe the solution you'd like

A reusable Flask JWT validation decorator from Authlib sounds pretty ideal.

Describe alternatives you've considered

https://github.com/auth0-samples/auth0-python-api-samples/blob/master/00-Starter-Seed/server.py

Additional context

closed time in 9 days

ctaggart

issue commentlepture/authlib

Flask JWT validation decorator

It won't be a feature in Authlib.

ctaggart

comment created time in 9 days

issue commentlepture/authlib

OIDC refresh token

@leogout can you try with:

server.register_grant(RefreshTokenGrant, [OpenIDCode(require_nonce=False)])

It is already supported in this way.

leogout

comment created time in 9 days

issue commentlepture/mistune

Parse line numbers

I'm not sure if it is possible to add line numbers in AstRenderer. What is the usage of line numbers in your case?

choldgraf

comment created time in 10 days

issue commentlepture/mistune

AST is incomplete?

You had a misunderstanding of how mistune works. It doesn't work in your text -> ast -> html way. The AstRenderer was used to print out the structure of the ast, but it is not meant to be used by HTMLRenderer.

cellularmitosis

comment created time in 10 days

issue commentlepture/authlib

Check for Secure connection should be configurable

It is your wsgi server's responsibility to handle wsgi.scheme.

wildex

comment created time in 14 days

issue closedlepture/authlib

Check for Secure connection should be configurable

Is your feature request related to a problem? Please describe.

When I run a Flask app + Authlib behind Nginx SSL with the proxy_pass directive, I am still getting an InsecureTransportError exception. This is happening because the app runs inside the server on "insecure" HTTP, while the web-facing Nginx uses secure HTTPS and then proxies the requests.

Describe the solution you'd like

I know that we can use the environment variable AUTHLIB_INSECURE_TRANSPORT=1. But in this case the transport is still secure, and there should be a possibility to configure the library in another way to work in such stacks. For example, it could be done with some native configuration of the library.

Additional context

Example nginx config:

server {
  server_name exmple.com; 
  listen 443 ssl; 

  location / {
    client_max_body_size 0;
    gzip off;

    proxy_http_version 1.1;

    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;

    proxy_pass http://localhost:5000;
  }
}

closed time in 14 days

wildex

issue commentlepture/authlib

Check for Secure connection should be configurable

If you are using gunicorn, here is the configuration:

https://docs.gunicorn.org/en/stable/settings.html#secure-scheme-headers

wildex

comment created time in 14 days
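The maintainer's point is that the scheme seen by the application has to be corrected at the WSGI server layer, from the `X-Forwarded-Proto` header the Nginx config above sets, and only for requests that really came from that proxy. Trusting the header from arbitrary clients would let any plain-HTTP client claim HTTPS and bypass the transport check. As an added example, not Authlib's or gunicorn's code, here is a minimal WSGI middleware that does what gunicorn's `secure_scheme_headers` / `forwarded_allow_ips` settings (and Werkzeug's ProxyFix) do: rewrite `wsgi.url_scheme` only when `REMOTE_ADDR` is a trusted proxy. The trusted address, the request environs and the helper `resolve_scheme` are constructed for the demonstration.

```python
import ipaddress


class ForwardedSchemeMiddleware:
    """Set wsgi.url_scheme from X-Forwarded-Proto for trusted proxies only.

    Trust is tied to the peer address (REMOTE_ADDR): the header is honoured
    when the TCP connection comes from a configured proxy network and ignored
    otherwise, so a direct client cannot upgrade its own request to 'https'.
    """

    def __init__(self, app, trusted_proxies=("127.0.0.1",)):
        self.app = app
        # "127.0.0.1" parses as the /32 network; CIDR ranges are accepted too
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def _from_trusted_proxy(self, environ):
        try:
            ip = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return False
        return any(ip in net for net in self.trusted)

    def __call__(self, environ, start_response):
        # Proxies may chain values ("https, http"); the first is the client-facing hop.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        if proto in ("http", "https") and self._from_trusted_proxy(environ):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def resolve_scheme(environ, trusted_proxies=("127.0.0.1",)):
    """Run the middleware around a trivial app; return the scheme the app saw."""
    seen = {}

    def app(env, start_response):
        seen["scheme"] = env["wsgi.url_scheme"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"ok"]

    wrapped = ForwardedSchemeMiddleware(app, trusted_proxies)
    list(wrapped(dict(environ), lambda status, headers: None))
    return seen["scheme"]


if __name__ == "__main__":
    # constructed environs: one via the local proxy, one direct from the internet
    via_proxy = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "127.0.0.1",
                 "HTTP_X_FORWARDED_PROTO": "https"}
    direct = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.7",
              "HTTP_X_FORWARDED_PROTO": "https"}
    print("via proxy :", resolve_scheme(via_proxy))  # https
    print("direct    :", resolve_scheme(direct))     # http
```

With the scheme fixed this way, Authlib's transport check passes behind the proxy without `AUTHLIB_INSECURE_TRANSPORT`, which should stay unset in production since it disables the check entirely.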

pull request commentlepture/mistune

Adding Travis-Ci Support For Arm64

Why do we need test for ARM64? We have no system related code.

ossdev07

comment created time in 17 days

pull request commentlepture/mistune

add failing test for [**0**]

Thanks for your report.

peterdemin

comment created time in 17 days

push eventlepture/mistune

Hsiaoming Yang

commit sha a8b549cad7c0ac9fed1e60814d1a1222681131de

Fix https://github.com/lepture/mistune/pull/214

view details

push time in 17 days

PR closed lepture/mistune

add failing test for [**0**] bug

I was playing with v2 and found what might be a bug. As I understand, mistune fails to detect strong emphasis on a string of 1 character. Please see the test case I added. Is it a bug, or is it intended?

+22 -1

1 comment

1 changed file

peterdemin

pr closed time in 17 days

push eventtyplog/china-indie-podcasts

Xiaolei Liu

commit sha d8b7b87672828918957ebf5df70670765ee91e4b

Create jiumutalk.json

Xiaolei Liu

commit sha e9b172ceda4dafd39e0ab266ed0c075bdd224a6b

Update the link of Castro

Xiaolei Liu

commit sha 3710d94c2c713d6fca702df0ae551216aa92a7d4

add Google Podcasts URL

Hsiaoming Yang

commit sha d26a1498cd861cdd93ffb824a36d32b80c2b122b

Merge pull request #64 from Cubernet/master Create jiumutalk.json

push time in 17 days

PR merged typlog/china-indie-podcasts

Create jiumutalk.json
+17 -0

0 comment

1 changed file

Cubernet

pr closed time in 17 days

push eventtyplog/china-indie-podcasts

Siying Dong

commit sha 1a5f8e72bc25672a25b8e572fdcfc814e6b2fedd

Add Avocado Toast

Siying Dong

commit sha 167ede3442a9beb01e1fee96f98b85bcf774b547

Update index.txt

Siying Dong

commit sha dec49b3ae5bfd477bfdb7bf5a3a1cdedfcb73975

Update avocadotoast.json

Hsiaoming Yang

commit sha b15be5f88a29f3b40f7a21808de43d28e0ffb0b5

Merge pull request #65 from siying/patch-1 Add Avocado Toast

push time in 17 days

PR merged typlog/china-indie-podcasts

Add Avocado Toast
+20 -0

0 comment

2 changed files

siying

pr closed time in 17 days

push eventtyplog/china-indie-podcasts

Erpengli

commit sha f282d73e67c75d3a8907b321aadedca52fe4bf16

Create yeyuwanjia.json To whom it may concern, I’m the owner of podcast yeyuwanjia (业余玩家), now submitting this .json file as instructed, to get included in typelog’s Chinese independent podcast catalog. feel free to contact me if any issue (hosts ‘at’ yeyuwanjia.net ). Thanks Best regards, Hosts at Yeyuwanjia

Hsiaoming Yang

commit sha 7f667fb214c05c0096f08c912748442a3ef2778f

Merge pull request #67 from Erpengli/patch-1 Create yeyuwanjia.json

push time in 17 days

PR merged typlog/china-indie-podcasts

Create yeyuwanjia.json

To whom it may concern,

I’m the owner of podcast yeyuwanjia (业余玩家), now submitting this .json file as instructed, to get included in typelog’s Chinese independent podcast catalog. feel free to contact me if any issue (hosts ‘at’ yeyuwanjia.net ). Thanks

Best regards, Hosts at Yeyuwanjia

+18 -0

0 comment

1 changed file

Erpengli

pr closed time in 17 days

push eventlepture/mistune

Hsiaoming Yang

commit sha 903b099b98f268c76f9e3097406ba523e12d47df

Add more test cases

push time in a month

push eventlepture/mistune

Hsiaoming Yang

commit sha a6345ed5eab03119cf774d1388bca91482e64034

Fix parsing tight or loose list

push time in a month

push eventtyplog/docs

Hsiaoming Yang

commit sha 30afe2ce62ec473c39d58cdb3daa43fe54aa6308

Update docs

push time in a month

push eventlepture/authlib

Tarun Bhardwaj

commit sha f09e310f556349f4918cf83b8030cd378d8efad4

Do not use mutate default_json_header constant (#181) Fix the issue when wrong token is passed multiple times, duplicate WWW-Authenticate is returned on each invalid request.

push time in a month

PR merged lepture/authlib

Do not mutate default_json_header constant

This fixes the issue when api request is made using wrong token multiple times. WWW-Authenticate header is added on each response.

DO NOT SEND ANY SECURITY FIX HERE. Please read "Security Reporting" section on README.

What kind of change does this PR introduce? (check at least one)

  • [x] Bugfix
  • [ ] Feature
  • [ ] Code style update
  • [ ] Refactor
  • [ ] Other, please describe:

Does this PR introduce a breaking change? (check one)

  • [ ] Yes
  • [x] No

If yes, please describe the impact and migration path for existing applications:

(If no, please delete the above question and this text message.)


  • [x] You consent that the copyright of your pull request source code belongs to Authlib's author.

+1 -1

1 comment

1 changed file

tarunbhardwaj

pr closed time in a month
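The one-line fix in this PR is a classic Python aliasing bug with a visible security side effect: a module-level header list was bound to a local name and then `append()`ed, so the "constant" grew by one `WWW-Authenticate` entry per rejected request and every later error response carried all of them. As an added example, not Authlib's code, here is the defect beside its fix in a small simulation; the header values and `DEFAULT_JSON_HEADERS` are constructed stand-ins, and the challenge string is a made-up `invalid_token` example.

```python
# Module-level default headers, as a resource server might define them.
# A list is mutable, which is exactly what makes the aliasing bug possible.
DEFAULT_JSON_HEADERS = [
    ("Content-Type", "application/json"),
    ("Cache-Control", "no-store"),
    ("Pragma", "no-cache"),
]

# Constructed challenge value; a real one carries the error code and description.
WWW_AUTHENTICATE = 'Bearer error="invalid_token"'


def error_headers(shared_defaults, www_authenticate, copy_first):
    """Build the headers for an invalid-token response.

    copy_first=False reproduces the defect: ``headers`` is only another name
    for the shared list, so append() grows the "constant" on every call and
    each later response carries one more WWW-Authenticate header.
    copy_first=True is the fix: copy, then extend the copy.
    """
    headers = list(shared_defaults) if copy_first else shared_defaults
    headers.append(("WWW-Authenticate", www_authenticate))
    return headers


def count_www_authenticate(headers):
    return sum(1 for name, _ in headers if name.lower() == "www-authenticate")


def simulate_invalid_requests(n, copy_first):
    """Serve n invalid-token requests against a fresh copy of the defaults and
    return how many WWW-Authenticate headers each response carried."""
    shared = list(DEFAULT_JSON_HEADERS)  # stands in for the module constant
    return [
        count_www_authenticate(error_headers(shared, WWW_AUTHENTICATE, copy_first))
        for _ in range(n)
    ]


def immutable_defaults_reject_append():
    """A tuple makes the aliasing mistake fail loudly instead of silently."""
    frozen = tuple(DEFAULT_JSON_HEADERS)
    try:
        frozen.append(("WWW-Authenticate", WWW_AUTHENTICATE))  # AttributeError
    except AttributeError:
        return True
    return False


if __name__ == "__main__":
    print("buggy:", simulate_invalid_requests(3, copy_first=False))  # [1, 2, 3]
    print("fixed:", simulate_invalid_requests(3, copy_first=True))   # [1, 1, 1]
```

Defining shared defaults as a tuple rather than a list is the cheap structural guard: the next accidental `append()` raises instead of quietly changing behaviour for every subsequent request in the process.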

push eventtyplog/sphinx-typlog-theme

Matthias Geier

commit sha bbf939ed1d7061b74c5e6245510ddfc5f6625b58

Increase font weights for RobotoMono Closes #17. See https://github.com/bashtage/sphinx-material/issues/15.

Hsiaoming Yang

commit sha 086dc333155504d7c91c08eb24c9c35dc2553703

Merge pull request #18 from mgeier/font-weights Increase font weights for RobotoMono

push time in a month

PR merged typlog/sphinx-typlog-theme

Increase font weights for RobotoMono

Closes #17.

I've simply taken the solution from https://github.com/bashtage/sphinx-material/issues/15.

+1 -1

0 comment

1 changed file

mgeier

pr closed time in a month

issue closedtyplog/sphinx-typlog-theme

Bold code font is wider than non-bold (on Firefox)

First of all, thanks for this great theme, it is looking really good!

I've used it as an example theme for my Sphinx extension nbsphinx, see https://nbsphinx.readthedocs.io/en/typlog-theme/

There is a problem with the "code" font, though (at least on Firefox).

Bold characters are wider than non-bold ones, as can be seen here: https://nbsphinx.readthedocs.io/en/typlog-theme/code-cells.html#ANSI-Colors

Here's how it looks on Firefox:

(screenshot)

I also tried it on Chrome, where the columns are correctly aligned.

closed time in a month

mgeier

push eventlepture/authlib

Hsiaoming Yang

commit sha 3834a2a80876a87cdaab4240d77185179970c3ab

Fix validate JWT on exp=0 https://github.com/lepture/authlib/issues/179

push time in a month

pull request commentencode/httpx

Public Auth API

yes, that would work.

tomchristie

comment created time in a month

pull request commentlepture/mistune

Implement text renderer.

Is there a standard for this text renderer? I'm not quite sure what format you are using. So if it is for the terminal, I see text **strong**, but there is actually a bold style with an ANSI escape. If you mean ANSI escapes for the terminal, I'd like to call this renderer AnsiRenderer.

It is ok to include it in mistune if it is dependency free since terminal is a common use case.

csadorf

comment created time in a month

issue commentlepture/mistune

Support for Front Matter?

I thought it may require an external dependency of yaml. I'd like to keep mistune dependency free.

EmilStenstrom

comment created time in a month

issue commentlepture/mistune

Support for Front Matter?

Yes, that can be done with plugins. Just register a before_parse_hooks to parse the front matter into state:

import yaml

def split_front_matter(s):
    # minimal splitter: a leading block delimited by '---' lines is the YAML front matter
    if s.startswith('---\n'):
        end = s.find('\n---\n', 4)
        if end != -1:
            return s[4:end], s[end + 5:]
    return '', s

def parse_front_matters(md, s, state):
    front_text, markdown_text = split_front_matter(s)
    state['front_matters'] = yaml.safe_load(front_text) if front_text else None  # safe_load: never yaml.load() untrusted text
    return markdown_text, state

def plugin_front_matters(md):
    md.before_parse_hooks.append(parse_front_matters)

It could be something like this.

EmilStenstrom

comment created time in a month

pull request commentlepture/mistune

Implement text renderer.

I'm not quite sure if it is ok to include this into mistune; how about making your own renderer a python project, because it is using bs4.

In mistune, I'd like to keep it dependency free.

csadorf

comment created time in a month

issue closedlepture/authlib

estimated 0.14 release date

I'm not sure this is the right place for asking this...

Do you have an estimated release date for version 0.14? Thanks

closed time in a month

dmartin35

issue commentlepture/authlib

estimated 0.14 release date

No plan yet, currently busy on other projects. I'm hoping to make a new release in March.

dmartin35

comment created time in a month

issue commentlepture/authlib

broken with httpx 0.10

cc @tomchristie @florimondmanca

I've checked httpx 0.10 code, but I can't find any way to read request body in auth __call__. Can you provide a way to read request content so that I can make a signature in auth __call__?

kesavkolla

comment created time in a month

issue commentlepture/authlib

broken with httpx 0.10

oh, httpx broken change again.

kesavkolla

comment created time in a month

issue commentlepture/authlib

broken with httpx 0.10

It is already fixed in https://github.com/lepture/authlib/commit/c88ea7fe999a39e6da265f5ae012cab386538eaa

Not released yet.

kesavkolla

comment created time in 2 months

issue commentlepture/authlib

Decoding a JWS token with ES256 doesn't work

Ok, I got it. Your code should be:

    key = open("./etc/oauth_ec_key.pem", 'rb').read()
    s = jws.serialize_compact(header, json.dumps(payload), key)

You need to open the file with 'rb'.

fenix01

comment created time in 2 months

issue commentlepture/authlib

Decoding a JWS token with ES256 doesn't work

Hi, can you test this code with your Python interpreter:

>>> s = b'hello'
>>> s.startswith(b'h')

I can't reproduce your problem.

fenix01

comment created time in 2 months

issue closedlepture/mistune

Infinite loop when parsing malformed/non-standard markdown

Example code:

import mistune

markdown = mistune.create_markdown(renderer=mistune.HTMLRenderer())
markdown('''
. Foo 
. Bar
. Baz
''')

It appears to be getting stuck in scanner.py:

https://github.com/lepture/mistune/blob/75884268396ed6b1cb846b610facebe284eee1f3/mistune/scanner.py#L106-L120

  File "mistune_test.py", line 8, in <module>
    ''')
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/markdown.py", line 69, in __call__
    return self.parse(s)
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/markdown.py", line 52, in parse
    tokens = self.block.parse(s, state)
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/block_parser.py", line 240, in parse
    return list(self._scan(s, state, rules))
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/scanner.py", line 56, in _scan
    for tok in sc.iter(s, state, self.parse_text):
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/scanner.py", line 117, in iter
    token = method(match, state, string)
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/block_parser.py", line 155, in parse_list_start
    items, pos = _find_list_items(string, m.start(), spaces, marker)
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/block_parser.py", line 315, in _find_list_items
    pattern = _create_list_item_pattern(spaces, marker)
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/site-packages/mistune/block_parser.py", line 300, in _create_list_item_pattern
    r'(?:\1(?:' + s1 + '|' + s2 + ')'
  File "/Users/nickw/.local/share/virtualenvs/100-warm-tunas-pipeline-NrcgpDFS/lib/python3.7/re.py", line 232, in compile
    def compile(pattern, flags=0):
KeyboardInterrupt

closed time in 2 months

nickw444

issue commentlepture/mistune

Infinite loop when parsing malformed/non-standard markdown

Thanks for your reporting. Fixed in v2.0.0a2.

nickw444

comment created time in 2 months

created taglepture/mistune

tagv2.0.0a2

A fast yet powerful Python Markdown parser with renderers and plugins.

created time in 2 months

push eventlepture/mistune

Hsiaoming Yang

commit sha 7902450832626f07d00806d65abf74e629354aa0

Fix list regex #213

Hsiaoming Yang

commit sha dcaf974a6bf8e70bdee57d7333b6eac0a2ff14c5

Release v2.0.0a2

push time in 2 months

push eventtyplog/china-indie-podcasts

Andie Zhu

commit sha 1200c17cdef6227b461347c1e872fba88e5bf854

Merge pull request #1 from typlog/master merge from source

Andie Zhu

commit sha 2a1ec638bfc59854de530a9f6911cbbfb001f730

update DAO information

Hsiaoming Yang

commit sha be4cb00f027e7267a54bac1ac49e0b1924cda2fd

Merge pull request #61 from zhufengme/master band updated jinjinledao to DAO

push time in 2 months

issue closedlepture/mistune

DirectiveToc takes code comment as title

version

  • Python: 3.5.6
  • mistune: 2.0.0a1

description

Here is my markdown text:

### 938. rrange-sum-of-bst

```python
# Definition for a binary tree node.
# class TreeNode:
#     def __init__(self, x):
#         self.val = x
#         self.left = None
#         self.right = None

class Solution:
    def rangeSumBST(self, root: TreeNode, L: int, R: int) -> int:
        if not root:
            return 0
        if root.val < L:
            res = self.rangeSumBST(root.right, L, R)
        elif root.val > R:
            res = self.rangeSumBST(root.left, L, R)
        else:
            left_res = self.rangeSumBST(root.left, L, root.val)
            right_res = self.rangeSumBST(root.right, root.val, R)
            res = left_res + right_res + root.val
        return res
```
Then something else

and toc generated is :

(screenshot)

closed time in 2 months

Microndgt

issue commentlepture/mistune

DirectiveToc takes code comment as title

Fixed via https://github.com/lepture/mistune/commit/75884268396ed6b1cb846b610facebe284eee1f3

Microndgt

comment created time in 2 months
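The failure mode in this issue is a heading scanner that looks at every line starting with `#`, so Python comments inside a fenced code block become TOC entries. The defence is to track fence state while scanning. As an added example, not mistune's `extract_toc_items`, here is a heading extractor that skips fenced blocks (both backtick and tilde fences, per CommonMark's closing-fence rule) with a `skip_code` switch that reproduces the original behaviour for comparison. `SAMPLE` is a constructed document modelled on the issue's markdown, written with a tilde fence so it nests inside this listing.

```python
import re

# Opening fence: up to 3 spaces of indent, then 3+ backticks or tildes (CommonMark).
_FENCE_OPEN_RE = re.compile(r"^ {0,3}(`{3,}|~{3,})")
# Closing fence: same shape, nothing but whitespace after it.
_FENCE_CLOSE_RE = re.compile(r"^ {0,3}(`{3,}|~{3,})\s*$")
# ATX heading: 1-6 '#' then whitespace; trailing '#'s are optional decoration.
_HEADING_RE = re.compile(r"^(#{1,6})\s+(.*?)\s*#*\s*$")


def extract_toc_items(text, depth=3, skip_code=True):
    """Return (level, title) pairs for ATX headings up to ``depth``.

    With ``skip_code`` a '#' line inside a fenced code block is treated as
    what it usually is there (a comment in Python, shell, YAML ...) and not
    as a heading. A fence closes only on a line using the same fence
    character with at least the opening fence's length.
    """
    items = []
    fence = None  # the opening fence string while inside a code block
    for line in text.splitlines():
        if fence is not None:
            m = _FENCE_CLOSE_RE.match(line)
            if m and m.group(1)[0] == fence[0] and len(m.group(1)) >= len(fence):
                fence = None
            continue  # still inside code: never a heading
        m = _FENCE_OPEN_RE.match(line)
        if skip_code and m:
            fence = m.group(1)
            continue
        h = _HEADING_RE.match(line)
        if h and len(h.group(1)) <= depth:
            items.append((len(h.group(1)), h.group(2)))
    return items


# Constructed sample modelled on the issue's markdown (tilde fence so it nests here).
SAMPLE = """### 938. rrange-sum-of-bst

~~~python
# Definition for a binary tree node.
# class TreeNode:
#     def __init__(self, x):
#         self.val = x
#         self.left = None
#         self.right = None

class Solution:
    def rangeSumBST(self, root, L, R):
        return 0
~~~
Then something else

## Notes
"""

if __name__ == "__main__":
    print("fence-aware:", extract_toc_items(SAMPLE))
    print("naive      :", extract_toc_items(SAMPLE, skip_code=False))
```

An unterminated fence swallows everything to the end of the document, which matches how Markdown renders such input; a TOC built from rendered AST nodes rather than raw lines avoids the problem at the source, which is the direction the fix commit referenced above takes.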

push eventlepture/mistune

Hsiaoming Yang

commit sha 75884268396ed6b1cb846b610facebe284eee1f3

Fix extract_toc_items #210

push time in 2 months

issue commentlepture/mistune

DirectiveToc takes code comment as title

Do you mean extract_toc_items?

Microndgt

comment created time in 2 months

push eventtyplog/china-indie-podcasts

Hsiaoming Yang

commit sha 341755865431044d2db273de551a9fd88ca8ccb6

Add anyobody into index

push time in 2 months

push eventtyplog/china-indie-podcasts

lamons

commit sha 2984f48faed89678edcde7be70f634aea4ca2502

update cover for yangjingbang && add zhuchangsile into index.txt

Hsiaoming Yang

commit sha 7db93a1490535e24cd38dcf79b9f0e119f0db60a

Merge pull request #57 from lamons/master update cover for yangjingbang && add zhuchangsile into index.txt

push time in 2 months

push eventtyplog/china-indie-podcasts

zhuchangsile

commit sha 205a194d2215b400be845bd94aab3eef63512dc0

add zhuchangsile

Hsiaoming Yang

commit sha 7f96888d235e579c2895d1978fb47b6998feb647

Merge pull request #56 from zhuchangsile/patch-2 add zhuchangsile

push time in 2 months
