diff --git a/news/3848.bugfix b/news/3848.bugfix
new file mode 100644
index 0000000000..69d2f2b498
--- /dev/null
+++ b/news/3848.bugfix
@@ -0,0 +1,3 @@
+``extractCredentials``: do not read json from the request.
+The result was never used, and it may fail when the request is too large to read.
+@maurits
\ No newline at end of file
diff --git a/src/plone/restapi/pas/plugin.py b/src/plone/restapi/pas/plugin.py
index 6e76935f0d..ba92e6298d 100644
--- a/src/plone/restapi/pas/plugin.py
+++ b/src/plone/restapi/pas/plugin.py
@@ -6,8 +6,6 @@ from datetime import timedelta
 from plone.keyring.interfaces import IKeyManager
 from plone.keyring.keyring import GenerateSecret
-from plone.restapi import deserializer
-from plone.restapi import exceptions
 from Products.CMFCore.permissions import ManagePortal
 from Products.PageTemplates.PageTemplateFile import PageTemplateFile
 from Products.PluggableAuthService.interfaces.plugins import IAuthenticationPlugin
@@ -90,27 +88,16 @@ def challenge(self, request, response, **kw):
 # Extracts a JSON web token from the request.
 @security.private
 def extractCredentials(self, request):
- """
- Extract credentials either from a JSON POST request or an established JWT token.
- """
- # Prefer any credentials in a JSON POST request under the assumption that any
- # such requested sent when a JWT token is already in the `Authorization` header
- # is intended to change or update the logged in user.
- try:
- creds = deserializer.json_body(request)
- except exceptions.DeserializationError:
- pass
- else:
- if "login" in creds and "password" in creds:
- return creds
+ """Extract credentials from an established JWT token.
 
- creds = {}
+ Note that logging in should be done by using the @login endpoint,
+ which gives you the needed JWT token.
+ """
 auth = request._auth
 if auth is None:
 return
 if auth[:7].lower() == "bearer ":
- creds["token"] = auth.split()[-1]
- return creds
+ return {"token": auth.split()[-1]}
 
 # IAuthenticationPlugin implementation
 @security.private
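Review bot: The rewritten bearer branch still derives the token with `auth.split()[-1]`, so an Authorization value that is exactly `Bearer ` passes the `auth[:7].lower() == "bearer "` check and is returned as `{"token": "Bearer"}`, and a value with extra whitespace-separated pieces yields the last piece rather than the credential that follows the scheme. Taking the remainder after the scheme avoids both: `token = auth[7:].strip()` followed by `if token: return {"token": token}` in place of the single return, letting an empty token fall through to the implicit None exactly like the non-bearer case. The new docstring could also state that contract explicitly, e.g. `Returns {"token": <jwt>} for a Bearer Authorization header, None otherwise.` The whole of extractCredentials is visible in this hunk.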