Skip to content

FIX: Auth methods registered for base URLs being dropped for capability-declared sub-paths#758

Open
stvoutsin wants to merge 1 commit into
astropy:mainfrom
stvoutsin:issue-749
Open

FIX: Auth methods registered for base URLs being dropped for capability-declared sub-paths#758
stvoutsin wants to merge 1 commit into
astropy:mainfrom
stvoutsin:issue-749

Conversation

@stvoutsin
Copy link
Copy Markdown
Contributor

@stvoutsin stvoutsin commented May 28, 2026

Description

This PR is my attempt to address issue #749 where non-IVOA recognized authentication methods added by the users via add_security_method_for_url (e.g. bearer tokens) are replaced by auth methods declared in the VOSI capabilities for more specific sub-paths (/tap/tables). Auth fails in this case as the client's custom credentials are no longer in the list of available methods.

Cause

AuthURLs stored both caller registrations and capability-discovered methods in the same base_urls dict, then used longest-match to pick one entry.
A capability entry for /tap/tables would win over the caller's /tap registration, discarding it entirely.

Fix

The fix proposed here is to split the base_urls into two collections:

  • _explicit_urls : Caller registrations via add_security_method_for_url. Methods registered for a base URL apply to all URLs beneath it.
  • _capability_urls: Populated from VOSI capabilities, only the most-specific (longest) matching entry is used

Tests

Added a few tests covering the various related use-cases

Fixes: #749

@stvoutsin stvoutsin marked this pull request as ready for review May 28, 2026 22:39
@codecov
Copy link
Copy Markdown

codecov Bot commented May 28, 2026

Codecov Report

❌ Patch coverage is 85.18519% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.88%. Comparing base (828ea43) to head (9754692).
⚠️ Report is 11 commits behind head on main.

Files with missing lines Patch % Lines
pyvo/auth/authurls.py 85.18% 4 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main     #758      +/-   ##
==========================================
+ Coverage   79.79%   79.88%   +0.08%     
==========================================
  Files          91       91              
  Lines       10297    10311      +14     
==========================================
+ Hits         8217     8237      +20     
+ Misses       2080     2074       -6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

andamian
andamian approved these changes Jun 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@andamian andamian left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks good to me and implements the solution discussed in the issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@andamian andamian andamian approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

BUG: allowed_auth_methods drops caller-registered auth when capabilities declare more-specific sub-path URLs

2 participants

@stvoutsin @andamian