11

I have a Flask app that uses a custom decorator to verify an AWS Cognito login token passed in an HTTP header attribute. The process includes refreshing the token (which is beyond the scope of this question). Once I get the refreshed token, I would like to update the header attribute to include the refreshed token and exit. Since the Flask/Werkzeug request.headers property is immutable, I can't update it by normal means.

How can I update the headers in the context of this decorator? Is there a better way that I am not thinking of?

Here's some sample code that demonstrates the issue:

def login_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        token = request.headers.get('X-MyApp-Auth')
        if not token:
            return redirect(url_for('login', next=request.url))
        # Test for expired token (pseudocode)
        if expired(token):
            # Refresh the token (pseudocode)
            new_token = refresh(refresh_token)
            # This is the part where the immutability gets me stuck
            request.headers.set('X-MyApp-Auth', new_token)
        return f(*args, **kwargs)
    return decorated_function
Nicholas Tulach
  • 1,023
  • 3
  • 12
  • 35
  • Please check this [link](https://stackoverflow.com/questions/25860304/how-do-i-set-response-headers-in-flask) is this gives answer for your question? – krishna Mar 13 '20 at 17:34

2 Answers2

10

This example wraps the Flask application in a custom WSGI middleware that modifies the WSGI environment before Flask request handling:

from flask import Flask, request, jsonify


class InterceptRequestMiddleware:
    def __init__(self, wsgi_app):
        self.wsgi_app = wsgi_app

    def __call__(self, environ, start_response):
        environ['HTTP_USER_AGENT'] = 'foobar'
        return self.wsgi_app(environ, start_response)


app = Flask(__name__)
app.wsgi_app = InterceptRequestMiddleware(app.wsgi_app)


@app.route('/')
def index():
    return jsonify({'headers': {k: v for k, v in request.headers}})


if __name__ == '__main__':
    app.run(debug=True)

Links:

enter image description here

codeape
  • 97,830
  • 24
  • 159
  • 188
  • Brilliant! That is the answer I was looking for after getting error `'EnvironHeaders' objects are immutable` when trying to modify `request.headers` directly – Kakash1hatake Sep 01 '22 at 05:18
1

I've got the same issue - I've got a decorator that performs cleansing, authentication, and supplies authorization information used throughout the application.

Two design points with request.headers make them hard to work with. a) the data is immutable, b) the keys are case insensitive.

One way I've gotten around this is to copy the request headers into another data structure that has bonafide acceptable content rather than anything the hacker provides.

from requests.structures import CaseInsensitiveDict
copy = CaseInsensitiveDict()
for k, v in request.headers:
    copy[k] = v

This can be extended to white-list filter the necessary headers, cleaning of values as per https://owasp.org/www-project-top-ten/2017/A1_2017-Injection, and amend the parameter block with custom private information.

This method does not update the request.headers object. You should develop a pattern whereby the parameter blocks user by your application are trusted and the blocks supplied by flask are untrusted.

Stevko
  • 4,345
  • 6
  • 39
  • 66