Merge pull request #46 from mdsol/include-asgi-root-path

Include ASGI scope root_path in url used to validate mAuth signature

Author: ejinotti-mdsol

CHANGELOG.md

@@ -1,3 +1,7 @@
+# 1.6.2
+- Fix `MAuthASGIMiddleware` signature validation when the full URL path is split
+  between `root_path` and `path` in the request scope.
+
 # 1.6.1
 - Fix `MAuthWSGIMiddleware` to return a string for "status" and to properly set
   content-length header.

mauth_client/middlewares/asgi.py

@@ -38,8 +38,9 @@ async def __call__(
         if scope["type"] != "http" or path in self.exempt:
             return await self.app(scope, receive, send)
 
+        root_path = scope["root_path"]
         query_string = scope["query_string"]
-        url = f"{path}?{decode(query_string)}" if query_string else path
+        url = f"{root_path}{path}?{decode(query_string)}" if query_string else f"{root_path}{path}"
         headers = {decode(k): decode(v) for k, v in scope["headers"]}
 
         events, body = await self._get_body(receive)

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "mauth-client"
-version = "1.6.1"
+version = "1.6.2"
 description = "MAuth Client for Python"
 repository = "https://github.com/mdsol/mauth-client-python"
 authors = ["Medidata Solutions <support@mdsol.com>"]

tests/middlewares/asgi_test.py

@@ -179,3 +179,39 @@ async def ws(websocket: WebSocket):
         with self.client.websocket_connect("/ws") as websocket:
             data = websocket.receive_json()
             self.assertEqual(data, {"msg": "helloes"})
+
+
+class TestMAuthASGIMiddlewareInSubApplication(unittest.TestCase):
+    def setUp(self):
+        self.app_uuid = str(uuid4())
+        Config.APP_UUID = self.app_uuid
+        Config.MAUTH_URL = "https://mauth.com"
+        Config.MAUTH_API_VERSION = "v1"
+        Config.PRIVATE_KEY = "key"
+
+        self.app = FastAPI()
+        sub_app = FastAPI()
+        sub_app.add_middleware(MAuthASGIMiddleware)
+
+        @sub_app.get("/path")
+        async def sub_app_path():
+            return {"msg": "sub app path"}
+
+        self.app.mount("/sub_app", sub_app)
+
+        self.client = TestClient(self.app)
+
+    @patch.object(LocalAuthenticator, "is_authentic", autospec=True)
+    def test_includes_base_application_path_in_signature_verification(self, is_authentic_mock):
+        request_url = None
+
+        def is_authentic_effect(self):
+            nonlocal request_url
+            request_url = self.signable.attributes_for_signing["request_url"]
+            return True, 200, ""
+
+        is_authentic_mock.side_effect = is_authentic_effect
+
+        self.client.get("/sub_app/path")
+
+        self.assertEqual(request_url, "/sub_app/path")