Mandrill: include auth in webhook signature calc

Mandrill's webhook signature calculation uses the *exact url* Mandrill is posting to. If HTTP basic auth is also used, that auth is included in the url. Anymail was using Django's request.build_absolute_uri, which doesn't include HTTP basic auth. Anymail now includes the auth in the calculation, if it was present in the request. This should eliminate the need to use the ANYMAIL_MANDRILL_WEBHOOK_URL override, if Django's SECURE_PROXY_SSL_HEADER and USE_X_FORWARDED_HOST (and/or USE_X_FORWARDED_PROTO) settings are correct for your server. (The calculated url is now also included in the validation failure error message, to aid debugging.) Fixes #48
2025-12-20 03:41:05 -05:00 · 2017-01-19 19:01:36 -08:00
parent 12660d3d4f
commit 0ba5d1d4ad
6 changed files with 163 additions and 24 deletions
--- a/anymail/utils.py
+++ b/anymail/utils.py
@@ -1,3 +1,4 @@
+import base64
 import mimetypes
 from base64 import b64encode
 from collections import Mapping, MutableMapping
@@ -12,6 +13,8 @@ from django.core.mail.message import sanitize_address, DEFAULT_ATTACHMENT_MIME_T
 from django.utils.encoding import force_text
 from django.utils.functional import Promise
 from django.utils.timezone import utc
+# noinspection PyUnresolvedReferences
+from six.moves.urllib.parse import urlsplit, urlunsplit

 from .exceptions import AnymailConfigurationError, AnymailInvalidAddress

@@ -342,3 +345,33 @@ def force_non_lazy_dict(obj):
        return {key: force_non_lazy_dict(value) for key, value in obj.items()}
    except (AttributeError, TypeError):
        return force_non_lazy(obj)
+
+
+def get_request_basic_auth(request):
+    """Returns HTTP basic auth string sent with request, or None.
+
+    If request includes basic auth, result is string 'username:password'.
+    """
+    try:
+        authtype, authdata = request.META['HTTP_AUTHORIZATION'].split()
+        if authtype.lower() == "basic":
+            return base64.b64decode(authdata).decode('utf-8')
+    except (IndexError, KeyError, TypeError, ValueError):
+        pass
+    return None
+
+
+def get_request_uri(request):
+    """Returns the "exact" url used to call request.
+
+    Like :func:`django.http.request.HTTPRequest.build_absolute_uri`,
+    but also inlines HTTP basic auth, if present.
+    """
+    url = request.build_absolute_uri()
+    basic_auth = get_request_basic_auth(request)
+    if basic_auth is not None:
+        # must reassemble url with auth
+        parts = urlsplit(url)
+        url = urlunsplit((parts.scheme, basic_auth + '@' + parts.netloc,
+                          parts.path, parts.query, parts.fragment))
+    return url