HTTPSignatureAuth modifies `self` preventing reuse

Question

HTTPSignatureAuth modifies `self` preventing reuse

Diggsey opened this issue 4 years ago · comments

The add_digest method modifies self.headers in-place making this class unsuitable for reuse across multiple requests.

Andrey Kislyuk · Answer 1 · Sat Apr 25 2020 22:47:38 GMT+0800 (China Standard Time)

Instances of HTTPSignatureAuth are safe for reuse as long as the request method remains the same.

Diggory Blake · Answer 2 · Sat Apr 25 2020 23:07:49 GMT+0800 (China Standard Time)

This is not true: https://github.com/pyauth/requests-http-signature/blob/master/requests_http_signature/__init__.py#L78

As you can see - even if the method stays the same, if you first make a POST request with a body, and then make a POST request without a body, then this will incorrectly try to sign the (non-existent) digest header on the second request.

Even if what you say were true, that's not a reasonable contract for this library to have. An authentication scheme should be reusable across multiple requests regardless of what HTTP method is used.

Andrey Kislyuk · Answer 3 · Sun Apr 26 2020 04:39:38 GMT+0800 (China Standard Time)

OK, that's fair. PRs are welcome if you wish to correct this behavior.

Andrey Kislyuk · Answer 4 · Mon Apr 11 2022 07:03:50 GMT+0800 (China Standard Time)

This is no longer an issue with the latest released version. Instances of HTTPSignatureAuth are safe for reuse across any type of request.