UnboundLocalError: local variable 'token' referenced before assignment

Question

UnboundLocalError: local variable 'token' referenced before assignment

jfmontanaro opened this issue 4 years ago · comments

Describe the bug
The /token endpoint returns a 500 error when the request has an empty body or is missing the Content-Type: application/json header.

To Reproduce

Send a POST request to /token with no body or no content-type header

Expected behavior

In the case of no body, the API should return a token created with default parameters.
In the case of no Content-Type header, the API should assume application/json and proceed accordingly, possibly returning a more descriptive error if JSON fails to parse.

System:
Ubuntu, matrix-registration v0.8.1.dev3 (from dockerhub)

In api.py the token object is being created inside the if data: block, so if data is {} then it never gets created. It doesn't look like there should be any problem with moving that statement out of the block.

The content-type issue can be solved by supplying force=True to the get_json call (weird that Flask doesn't default to this IMO, it's bitten me before) assuming you want to support that use case.

I'd be happy to submit a pull request to make these changes if you think they make sense.

Jona Abdinghoff · Answer 1 · Mon Jan 18 2021 02:25:40 GMT+0800 (China Standard Time)

yes that does sound sensible, thank you!

jfmontanaro · Answer 2 · Mon Jan 18 2021 03:10:26 GMT+0800 (China Standard Time)

Ok, unfortunately it looks like Flask returns a 400 error when force_json=True and the request body is empty. This can be overridden by extending the default flask.Request class object with a custom on_json_loading_failed() method that returns None in that particular case. Not sure if this is worth the added complexity, however.

As an alternative we could also specify silent=False, which would cause get_json() to return None any time JSON parsing fails. This seems like a really bad idea to me though because it would result in the server silently substituting default values any time the user supplies invalid JSON, which would be surprising at best and catastrophic at worst (e.g. someone tries to create a one-time use token with a short lifetime and ends up creating an unlimited-use token that lives forever.)

What do you think? Worth customizing the Request class or no?

jfmontanaro · Answer 3 · Mon Jan 18 2021 03:32:45 GMT+0800 (China Standard Time)

actually, wait - BadRequest is an exception, so we can just catch that and handle it. Let me just make sure that works.

Edit: Ok, looks like it does.

seth586 · Answer 4 · Tue Feb 16 2021 05:25:41 GMT+0800 (China Standard Time)

Getting the same error when attempting to list tokens as documented, related?

curl -H "Authorization: SharedSecret verysecuresecret" \
     http://localhost:5000/token

jfmontanaro · Answer 5 · Thu Feb 18 2021 04:05:57 GMT+0800 (China Standard Time)

Looks like it could be related, does including a Content-Type: application/json header eliminate the issue?