Fix or squelch ValueError: Malformed authorization header

VERIFIED FIXED in 2015-03-17

Status

P4
minor
VERIFIED FIXED
4 years ago
4 years ago

People

(Reporter: robhudson, Assigned: robhudson)

Tracking

Avenir
2015-03-17
x86
Mac OS X
Points:
---

Details

(Whiteboard: [ktlo])

(Assignee)

Description

4 years ago
In the logs I consistently see this error pretty often.

z.api:ERROR ValueError on verifying_request :./mkt/api/middleware.py:98
Traceback (most recent call last):
  File "./mkt/api/middleware.py", line 93, in process_request
    method, auth_header)
  File "./mkt/api/middleware.py", line 136, in validate_2legged_oauth
    typ, params, oauth_params = oauth._get_signature_type_and_params(req)
  File "/data/addons-stage/www/marketplace.allizom.org/current/venv/lib/python2.7/site-packages/oauthlib/oauth1/rfc5849/endpoints/base.py", line 35, in _get_signature_type_and_params
    exclude_oauth_signature=False, with_realm=True)
  File "/data/addons-stage/www/marketplace.allizom.org/current/venv/lib/python2.7/site-packages/oauthlib/oauth1/rfc5849/signature.py", line 278, in collect_parameters
    authorization_header) if with_realm or i[0] != 'realm'])
  File "/data/addons-stage/www/marketplace.allizom.org/current/venv/lib/python2.7/site-packages/oauthlib/oauth1/rfc5849/utils.py", line 89, in parse_authorization_header
    raise ValueError('Malformed authorization header')
ValueError: Malformed authorization header


If this error is something we don't care about, let's either remove the log or bump it up to log.INFO or log.WARN.

If we do care about this error, let's fix it.
Severity: normal → minor
Priority: -- → P4
It will happen for every request using shared secret as header instead of as query string parameter. We don't do that in fireplace, but we do that at least in reviewer tools.

RestSharedSecretMiddleware should probably be placed before RestOAuthMiddleware in MIDDLEWARE_CLASSES and then modified to alter the headers on the request if it begins with "mkt-shared-secret" to remove the Authorization header, as it's never going to be a valid oauth Authorization header.
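
The header collision described in the comment above, as an added example that is not part of the bug thread or the zamboni commit: a scheme check that keeps shared-secret headers away from the OAuth parser while still flagging genuinely malformed ones. `classify_authorization` and `parse_oauth_header` are hypothetical names, the parser is a simplified stand-in for oauthlib's, and the sample headers are constructed; only the `mkt-shared-secret` prefix comes from the page.

```python
import logging
from urllib.request import parse_http_list, parse_keqv_list

log = logging.getLogger("z.api")
SHARED_SECRET_SCHEME = "mkt-shared-secret"  # prefix named in the comment above


def parse_oauth_header(header):
    """Simplified stand-in for oauthlib's parser: ValueError on anything non-OAuth."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() == "oauth" and rest:
        try:
            return parse_keqv_list(parse_http_list(rest))
        except (IndexError, ValueError):
            pass
    raise ValueError("Malformed authorization header")


def classify_authorization(header):
    """Return (kind, data); kind is 'none', 'shared-secret', 'oauth' or 'malformed'."""
    if not header:
        return "none", None
    scheme = header.split(" ", 1)[0].lower()
    if scheme == SHARED_SECRET_SCHEME:
        # Never a valid OAuth header: skip the OAuth parser and leave it to
        # the shared-secret handling. The value is a credential, so it is
        # neither returned nor logged here.
        log.debug("shared-secret Authorization header, skipping OAuth")
        return "shared-secret", None
    try:
        return "oauth", parse_oauth_header(header)
    except ValueError:
        # Neither scheme parsed: worth a warning, without echoing the header.
        log.warning("malformed Authorization header")
        return "malformed", None


if __name__ == "__main__":
    # Constructed sample headers, not taken from real traffic.
    samples = [
        None,
        "mkt-shared-secret constructed-token-value",
        'OAuth realm="", oauth_consumer_key="constructed-key", oauth_nonce="n1"',
        "OAuth this-is-not-key-value",
    ]
    for sample in samples:
        print(classify_authorization(sample)[0])
```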
(Assignee)

Updated

4 years ago
Assignee: nobody → robhudson.mozbugs
(Assignee)

Comment 3

4 years ago
https://github.com/mozilla/zamboni/commit/7e03cdb 

This is mostly a fix to avoid logging something as an error that isn't really an error, but please verify logins aren't affected; from consumer pages and reviewer tools would be good. Thanks.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 2015-03-17

Comment 4

4 years ago
Can you please add some STRs to this bug or mark it as [qa-]?

See comment 3 for QA instructions.

Comment 6

4 years ago
Oh, you are right, in this case I will mark this as verified since everything is working as expected.
Status: RESOLVED → VERIFIED
Whiteboard: [ktlo]