
Http Method "OPTIONS" and security #163

Open
@LeonardoGentile

In rest_auth.registration.views the allowed methods are allowed_methods = ('POST', 'OPTIONS', 'HEAD'). Please notice that performing a request with the OPTIONS method will return something like this:

```json
{
  "name": "Register",
  "description": "Accepts the credentials and creates a new user\nif user does not exist already\nReturn the REST Token if the credentials are valid and authenticated.\nCalls allauth complete_signup method\n\nAccept the following POST parameters: username, email, password\nReturn the REST Framework Token Object's key.",
  "renders": [
    "application/json",
    "text/html"
  ],
  "parses": [
    "application/json",
    "application/x-www-form-urlencoded",
    "multipart/form-data"
  ]
}
```

As you can see, this returns a description of the endpoint (as OPTIONS is meant to do) but exposes the docstring describing RegisterView, in fact possibly telling the user much more than it should know.

Reference: http://www.django-rest-framework.org/api-guide/metadata/
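One way to close this, as an added example that is not django-rest-auth's own code: a DRF metadata class that drops the `description` field before the OPTIONS body is serialised. The `SimpleMetadata` stand-in, the `RegisterView` stub, `_Media` and `options_body` are constructed here (assumptions) so the file runs without Django; in a project, subclass the real `rest_framework.metadata.SimpleMetadata` instead.

```python
# Added example, not django-rest-auth code.  `SimpleMetadata` is a stand-in
# (assumption) mirroring the name/description/renders/parses shape returned by
# rest_framework.metadata.SimpleMetadata.determine_metadata, so this runs
# without Django; in a project import the real class from rest_framework.metadata.

class SimpleMetadata:
    def determine_metadata(self, request, view):
        return {
            "name": view.get_view_name(),
            # DRF fills this from the view docstring: the exposure in the issue.
            "description": view.get_view_description(),
            "renders": [r.media_type for r in view.renderer_classes],
            "parses": [p.media_type for p in view.parser_classes],
        }

class NoDocstringMetadata(SimpleMetadata):
    """Serve OPTIONS with content-negotiation info only, never the docstring.

    Enable project-wide via settings
        REST_FRAMEWORK = {"DEFAULT_METADATA_CLASS": "myapp.metadata.NoDocstringMetadata"}
    or per view with `metadata_class = NoDocstringMetadata`.
    """

    def determine_metadata(self, request, view):
        metadata = super().determine_metadata(request, view)
        metadata.pop("description", None)
        return metadata

# Constructed stand-ins for a DRF view and its renderer/parser classes.
class _Media:
    def __init__(self, media_type):
        self.media_type = media_type

class RegisterView:
    """Accepts the credentials and creates a new user
    if user does not exist already. Calls allauth complete_signup method."""

    renderer_classes = [_Media("application/json"), _Media("text/html")]
    parser_classes = [_Media("application/json")]

    def get_view_name(self):
        return "Register"

    def get_view_description(self):
        return self.__doc__

def options_body(metadata_class):
    """Body an OPTIONS request would get back under `metadata_class`."""
    return metadata_class().determine_metadata(request=None, view=RegisterView())
```

DRF also honours `metadata_class = None` on a view, which makes it answer OPTIONS with 405 Method Not Allowed instead of any metadata.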
