fix: return 401 on unauthorized non-browser requests

closes #115
SwissDataScienceCenter · Mar 14, 2019 · a70c3a5 · a70c3a5
1 parent a7a80ad
commit a70c3a5
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 42 deletions.
diff --git a/Pipfile b/Pipfile
@@ -19,6 +19,7 @@ pyyaml = ">=4.2b1"
 [dev-packages]
 chartpress = "*"
 pylint = "*"
+yapf = "*"
 
 [requires]
 

diff --git a/Pipfile.lock b/Pipfile.lock
diff --git a/src/notebooks_service.py b/src/notebooks_service.py
@@ -142,6 +142,16 @@ def decorated(*args, **kwargs):
         if user:
             return f(user, *args, **kwargs)
         else:
+            # if the request is not coming from a browser, return 401
+            if request.is_xhr or request.environ['HTTP_ACCEPT'
+                                                 ] == 'application/json':
+                app.logger.info(
+                    'Unauthorized non-browser request - returning 401.'
+                )
+                response = jsonify(error='An authorization token is required.'))
+                response.status_code = 401
+                return response
+
             # redirect to login url on failed auth
             state = auth.generate_state(next_url=request.path)
             app.logger.debug(