Merge pull request #73 from busykoala/options_auth

Authenticate OPTIONS requests to prevent information leaks

Author: busykoala

CHANGELOG.md

@@ -1,5 +1,13 @@
 # Change Log
 
+## [2.0.1] - 2024-07-15
+- Security Improvement: Added authentication and authorization checks for HTTP
+  OPTIONS requests in OpaMiddleware. This ensures that OPTIONS requests are
+  subjected to the same security policies as other HTTP methods, preventing
+  potential information leaks.
+  [See advisory for more details](https://github.com/advisories/GHSA-5f5c-8rvc-j8wf)
+- Update dependencies due to multiple vulnerabilities.
+
 ## [2.0.0] - 2024-02-07
 - Drop Python 3.7 support due to FastAPI update
 - Update dependencies due to vulnerabilities:

fastapi_opa/opa/opa_middleware.py

@@ -18,12 +18,7 @@
 from fastapi_opa.auth.exceptions import AuthenticationException
 from fastapi_opa.opa.opa_config import OPAConfig
 
-try:
-    Pattern = re.Pattern
-except AttributeError:
-    # Python3.6 does not contain re.Pattern
-    Pattern = None
-
+Pattern = re.Pattern
 logger = logging.getLogger(__name__)
 
 
@@ -76,15 +71,13 @@ async def __call__(
         own_receive = OwnReceive(receive)
         request = Request(scope, own_receive, send)
 
-        if request.method == "OPTIONS":
-            return await self.app(scope, receive, send)
-
         # allow openapi endpoints without authentication
         if should_skip_endpoint(request.url.path, self.skip_endpoints):
             return await self.app(scope, receive, send)
 
         # authenticate user or get redirect to identity provider
         successful = False
+        user_info_or_auth_redirect = None
         for auth in self.config.authentication:
             try:
                 user_info_or_auth_redirect = auth.authenticate(