
fix xml response for unauthenticated requests

Alexander Pace requested to merge unauth-xml into master

fixes #365 (closed)

Before, when an unauthenticated user would request a g-event or the g-event list in xml format, GraceDB would throw a 500 error due to a 10+ year old bug in ligolw xml rendering. This is related to this "fix" I pushed before, but unauthenticated requests stubbornly go around it. This change fixes the 500 error to the correct 403 response and gives an error message about credentials. It's also generalized so that any error message that gets thrown out is returned in xml format, so that users can read it in the browser.

Now it returns the correct error message and doesn't trigger the 500 response when getting a g-event:

$ curl https://gracedb-dev1.ligo.org/api/events/G422366\?format\=xml
<?xml version="1.0" encoding="UTF-8" ?><root><detail>Authentication credentials were not provided.</detail></root>

or the g-event list:

$ curl https://gracedb-dev1.ligo.org/api/events/\?format\=xml
<?xml version="1.0" encoding="UTF-8" ?><root><detail>Authentication credentials were not provided.</detail></root>

It returns the correct status code:

$ curl -I https://gracedb-dev1.ligo.org/api/events/\?format\=xml
HTTP/1.1 403 Forbidden
Date: Thu, 12 Dec 2024 18:52:52 GMT
Server: gunicorn
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Type: application/xml; charset=utf-8
Vary: Accept,Cookie
Allow: GET, POST, HEAD, OPTIONS
Expires: Thu, 12 Dec 2024 18:52:52 GMT
Cache-Control: max-age=0, no-cache, no-store, must-revalidate, private
Content-Length: 114
Via: 1.1 gracedb-dev1.ligo.org
Content-Security-Policy: frame-ancestors 'none'

and gets rendered in the browser correctly:

[Screenshot_2024-12-12_at_2.21.05_PM: the XML error response as rendered in the browser]
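Added illustration, not GraceDB's own code (which renders through Django REST framework): a stdlib-only sketch of the behaviour described above, wrapping an error payload in the `<root><detail>` shape shown, keeping the exception's own status code (403 here) instead of a 500, and escaping the message text so a detail string that echoes client input cannot break the XML. The function names and the `error_response` triple are assumptions for the example.

```python
# Added example, not GraceDB code: render API error payloads as XML in the
# <root><detail>...</detail></root> shape shown in the curl output above.
from xml.sax.saxutils import escape

XML_DECLARATION = '<?xml version="1.0" encoding="UTF-8" ?>'


def _to_xml(tag, value):
    """Serialise a nested dict/list/scalar under <tag>.

    Text is escaped so an error message that echoes client-supplied strings
    (for example a bad query value) cannot inject markup into the response.
    """
    if isinstance(value, dict):
        inner = "".join(_to_xml(k, v) for k, v in value.items())
    elif isinstance(value, (list, tuple)):
        inner = "".join(_to_xml("list-item", v) for v in value)
    else:
        inner = escape("" if value is None else str(value))
    return f"<{tag}>{inner}</{tag}>"


def render_error_xml(data):
    """Wrap an error payload such as {"detail": "..."} in <root> with a declaration."""
    return XML_DECLARATION + _to_xml("root", data)


def error_response(status_code, detail):
    """Build the (status, headers, body) a view returns for an error.

    The status comes from the exception (403 for missing credentials) and is
    never collapsed to 500 just because the renderer could not handle the payload.
    """
    body = render_error_xml({"detail": detail})
    headers = {
        "Content-Type": "application/xml; charset=utf-8",
        "Content-Length": str(len(body.encode("utf-8"))),
    }
    return status_code, headers, body


if __name__ == "__main__":
    status, headers, body = error_response(
        403, "Authentication credentials were not provided."
    )
    print(status, headers["Content-Length"])  # 403 114, matching the curl -I output above
    print(body)
```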
