I want to define custom error handling for a Flask-restful API.
The suggested approach in the documentation here is to do the following:
errors = {
'UserAlreadyExistsError': {
'message': "A user with that username already exists.",
'status': 409,
},
'ResourceDoesNotExist': {
'message': "A resource with that ID no longer exists.",
'status': 410,
'extra': "Any extra information you want.",
},
}
app = Flask(__name__)
api = flask_restful.Api(app, errors=errors)
Now I find this format pretty attractive but I need to specify more parameters when some exception happens. For example, when encountering ResourceDoesNotExist, I want to specify what id does not exist.
Currently, I'm doing the following:
app = Flask(__name__)
api = flask_restful.Api(app)
class APIException(Exception):
def __init__(self, code, message):
self._code = code
self._message = message
#property
def code(self):
return self._code
#property
def message(self):
return self._message
def __str__(self):
return self.__class__.__name__ + ': ' + self.message
class ResourceDoesNotExist(APIException):
"""Custom exception when resource is not found."""
def __init__(self, model_name, id):
message = 'Resource {} {} not found'.format(model_name.title(), id)
super(ResourceNotFound, self).__init__(404, message)
class MyResource(Resource):
def get(self, id):
try:
model = MyModel.get(id)
if not model:
raise ResourceNotFound(MyModel.__name__, id)
except APIException as e:
abort(e.code, str(e))
When called with an id that doesn't exist MyResource will return the following JSON:
{'message': 'ResourceDoesNotExist: Resource MyModel 5 not found'}
This works fine but I'd like to use to Flask-restful error handling instead.
According to the docs
Flask-RESTful will call the handle_error() function on any 400 or 500 error that happens on a Flask-RESTful route, and leave other routes alone.
You can leverage this to implement the required functionality. The only downside is having to create a custom Api.
class CustomApi(flask_restful.Api):
def handle_error(self, e):
flask_restful.abort(e.code, str(e))
If you keep your defined exceptions, when an exception occurs, you'll get the same behaviour as
class MyResource(Resource):
def get(self, id):
try:
model = MyModel.get(id)
if not model:
raise ResourceNotFound(MyModel.__name__, id)
except APIException as e:
abort(e.code, str(e))
Instead of attaching errors dict to Api, I am overriding handle_error method of Api class to handle exceptions of my application.
# File: app.py
# ------------
from flask import Blueprint, jsonify
from flask_restful import Api
from werkzeug.http import HTTP_STATUS_CODES
from werkzeug.exceptions import HTTPException
from view import SomeView
class ExtendedAPI(Api):
"""This class overrides 'handle_error' method of 'Api' class ,
to extend global exception handing functionality of 'flask-restful'.
"""
def handle_error(self, err):
"""It helps preventing writing unnecessary
try/except block though out the application
"""
print(err) # log every exception raised in the application
# Handle HTTPExceptions
if isinstance(err, HTTPException):
return jsonify({
'message': getattr(
err, 'description', HTTP_STATUS_CODES.get(err.code, '')
)
}), err.code
# If msg attribute is not set,
# consider it as Python core exception and
# hide sensitive error info from end user
if not getattr(err, 'message', None):
return jsonify({
'message': 'Server has encountered some error'
}), 500
# Handle application specific custom exceptions
return jsonify(**err.kwargs), err.http_status_code
api_bp = Blueprint('api', __name__)
api = ExtendedAPI(api_bp)
# Routes
api.add_resource(SomeView, '/some_list')
Custom exceptions can be kept in separate file, like:
# File: errors.py
# ---------------
class Error(Exception):
"""Base class for other exceptions"""
def __init__(self, http_status_code:int, *args, **kwargs):
# If the key `msg` is provided, provide the msg string
# to Exception class in order to display
# the msg while raising the exception
self.http_status_code = http_status_code
self.kwargs = kwargs
msg = kwargs.get('msg', kwargs.get('message'))
if msg:
args = (msg,)
super().__init__(args)
self.args = list(args)
for key in kwargs.keys():
setattr(self, key, kwargs[key])
class ValidationError(Error):
"""Should be raised in case of custom validations"""
And in the views exceptions can be raised like:
# File: view.py
# -------------
from flask_restful import Resource
from errors import ValidationError as VE
class SomeView(Resource):
def get(self):
raise VE(
400, # Http Status code
msg='some error message', code=SomeCode
)
Like in view, exceptions can actually be raised from any file in the app which will be handled by the ExtendedAPI handle_error method.
I've used the Blueprint to work with the flask-restful, and I've found that the solution #billmccord and #cedmt provided on the issue not worked for this case, because the Blueprint don't have the handle_exception and handle_user_exception functions.
My workaround is that enhance the function handle_error of the Api, if the "error handler" of the "Exception" have been registered, just raise it, the "error handler" registered on app will deal with that Exception, or the Exception will be passed to the "flask-restful" controlled "custom error handler".
class ImprovedApi(Api):
def handle_error(self, e):
for val in current_app.error_handler_spec.values():
for handler in val.values():
registered_error_handlers = list(filter(lambda x: isinstance(e, x), handler.keys()))
if len(registered_error_handlers) > 0:
raise e
return super().handle_error(e)
api_entry = ImprovedApi(api_entry_bp)
BTW, seems the flask-restful had been deprecated...
I faced the same issue too and after extending flask-restful.Api I realized that
you really don't need to extend the flask-restful.Api
you can easily do this by inheriting from werkzeug.exceptions.HTTPException and solve this issue
app = Flask(__name__)
api = flask_restful.Api(app)
from werkzeug.exceptions import HTTPException
class APIException(HTTPException):
def __init__(self, code, message):
super().__init__()
self.code = code
self.description = message
class ResourceDoesNotExist(APIException):
"""Custom exception when resource is not found."""
def __init__(self, model_name, id):
message = 'Resource {} {} not found'.format(model_name.title(), id)
super().__init__(404, message)
class MyResource(Resource):
def get(self, id):
try:
model = MyModel.get(id)
if not model:
raise ResourceNotFound(MyModel.__name__, id)
except APIException as e:
abort(e.code, str(e))
Related
I want my endpoints to throw a 404 status code WITH a message like "parameter foo not found" if the request is missing a required field.
Since i have too many endpoints, adding 3 lines of code (try, except, return) is not a happy solution for me.
That's why i want to make a function similar to get_object_or_404 from django.shortcuts, where just using the function, the request returns 404 instead of just raising an exception and crashing the server.
Taking a look to the get_object_or_404 function, i note that it does raise Http404 and this does work, but it always returns "detail": "Not Found" ignoring any parameter i pass to the exception raising code.
Here's what i did:
class ParamNotFound(Exception):
def __init__(self, param_name):
self.param_name = param_name
self.status_code = 404
def __str__(self) -> str:
return f"Param {self.param_name} not found"
def get_body_param_or_404(params, param_name: str):
param = params.get(param_name, None)
if param is None:
raise ParamNotFound(f"param_name {param_name} not found")
return param
But this does only raise a exception and crash the server if i dont explicitly catch it.
Is there a clean and short way to do this?
Well, the answer was more complicated that i thought.
I ended implementing a middleware, where i can catch my own exception returning a custom JsonResponse.
class ParamMiddleware:
def __init__(self, get_response) -> None:
self.get_response = get_response
def __call__(self, request):
return self.get_response(request)
def process_exception(self, request, exception):
if isinstance(exception, ParamNotFound):
return JsonResponse({"msg": str(exception), "status": 404})
I am using django behind nginx reverse proxy and django sees the server url different than what it actually is hosted on like:
Django: http://webserver.com
Nginx: https://webserver.com
When I try to add the WSDL to SoapUI it automatically defaults to the first http://webserver.com server and then all the requests fail. I have tried the code below, but it did not work:
...
app = Application(
[EXTWS],
tns='soap.views',
in_protocol=Soap11(validator='soft'),
out_protocol=Soap11(),
)
app.transport = "no_transport_at_all"
...
wsdl = Wsdl11(app.interface)
if os.environ.get("DEBUG"):
wsdl.build_interface_document('http://localhost:8000/wsdl/')
else:
url = f'https://{settings.DOMAIN}/wsdl/'
wsdl.build_interface_document(url)
Inspirations: here and here
EDIT:
Looks like the code above achieves some things but the resulting WSDL document when accessed in browser is still the same, maybe it is generated on request; the documentation said "... Spyne will get the URL from the first request, build the wsdl on-the-fly and cache it as a string in memory for later requests." but here it is generated manually, so it should not generate a new one maybe? Or it is generating it by request because it is django, not wsgi.
EDIT:
Looks like building the tree by hand does not make any difference as when you send the first requests, a new instance of Wsdl11 class is generated.
Temporarily, I achieved changing the url to what I want by basically monkey patching the two classes as follows:
from functools import update_wrapper
from spyne.server.http import HttpBase, HttpMethodContext, HttpTransportContext
from spyne.application import get_fault_string_from_exception, Application
from django.http import HttpResponse, HttpResponseNotAllowed, Http404
class MonkeyDjangoServer(DjangoServer):
def handle_wsdl(self, request, *args, **kwargs):
"""Return services WSDL."""
ctx = HttpMethodContext(self, request,
'text/xml; charset=utf-8')
if self.doc.wsdl11 is None:
raise Http404('WSDL is not available')
if self._wsdl is None:
# Interface document building is not thread safe so we don't use
# server interface document shared between threads. Instead we
# create and build interface documents in current thread. This
# section can be safely repeated in another concurrent thread.
self.doc.wsdl11.service_elt_dict = {}
# here you can put whatever you want
self.doc.wsdl11.build_interface_document("http://MONKEY/")
wsdl = self.doc.wsdl11.get_interface_document()
if self._cache_wsdl:
self._wsdl = wsdl
else:
wsdl = self._wsdl
ctx.transport.wsdl = wsdl
response = HttpResponse(ctx.transport.wsdl)
return self.response(response, ctx, ())
class MonkeyDjangoView(DjangoView):
#classmethod
def as_view(cls, **initkwargs):
"""Register application, server and create new view.
:returns: callable view function
"""
# sanitize keyword arguments
for key in initkwargs:
if key in cls.http_method_names:
raise TypeError("You tried to pass in the %s method name as a "
"keyword argument to %s(). Don't do that."
% (key, cls.__name__))
if not hasattr(cls, key):
raise TypeError("%s() received an invalid keyword %r. as_view "
"only accepts arguments that are already "
"attributes of the class." % (cls.__name__,
key))
def get(key):
value = initkwargs.get(key)
return value if value is not None else getattr(cls, key)
def pop(key):
value = initkwargs.pop(key, None)
return value if value is not None else getattr(cls, key)
application = get('application') or Application(
services=get('services'),
tns=get('tns'),
name=get('name'),
in_protocol=get('in_protocol'),
out_protocol=get('out_protocol'),
)
server = pop('server') or MonkeyDjangoServer(application,
chunked=get('chunked'),
cache_wsdl=get('cache_wsdl'))
def view(request, *args, **kwargs):
self = cls(server=server, **initkwargs)
if hasattr(self, 'get') and not hasattr(self, 'head'):
self.head = self.get
self.request = request
self.args = args
self.kwargs = kwargs
return self.dispatch(request, *args, **kwargs)
# take name and docstring from class
update_wrapper(view, cls, updated=())
# and possible attributes set by decorators
# like csrf_exempt from dispatch
update_wrapper(view, cls.dispatch, assigned=())
return view
urlpatterns = [
url(r'^EXTWS/$', MonkeyDjangoView.as_view(application=app)),
# url(r'^schema/$', get_schema),
]
This is some unacceptable kind of solution so I will be waiting for a logical implementation of this behavior. Until then, I will be using this.
I use tornado and a jwt decorator as below:
def jwtauth(handler_class):
"""
Tornado JWT Auth Decorator
"""
def wrap_execute(handler_execute):
def require_auth(handler, kwargs):
auth = handler.request.headers.get(AUTHORIZATION_HEADER)
if auth:
parts = auth.split()
if not is_valid_header(parts):
return_header_error(handler)
token = parts[1]
try:
result = jwt.decode(
token,
SECRET_KEY,
options=jwt_options
)
except Exception as err:
return_auth_error(handler, str(err))
else:
handler._transforms = []
handler.write(MISSING_AUTHORIZATION_KEY)
handler.finish()
return result
def _execute(self, transforms, *args, **kwargs):
try:
result = require_auth(self, kwargs)
except Exception:
return False
return handler_execute(self, transforms, *args, **kwargs)
return _execute
handler_class._execute = wrap_execute(handler_class._execute)
return handler_class
#jwtauth
class MyHandler(tornado.web.RequestHandler):
def post(self):
unit = json.loads(self.request.body.decode('utf-8'))
# TODO:
# get the result from jwtauth decorator and use it here
print(result) # The result from jwtauth
Now, I'd like to get the jwt decode result and pass into MyHandler for further verification. Can I do it? I checked most of the comment that I can pass the parameter to a decorator but I cannot get from it. Is is possible to pass the jwtauth result to my function?
A class decorator takes your class and spits out a new version of your class (usually with some features added to it). In this case, the #jwtauth decorator takes your class and spits out a new class that makes sure that each request is checked for a valid JWT token in the authorization header. tornado.web.RequestHandler._execute internally calls post. The current behavior is that if the JWT token auth fails, then post will never be called.
In short, you probably want to just raise an error below instead of returning False.
try:
result = require_auth(self, kwargs)
except Exception:
return False
If you need to add more logic about what kind of error to raise, then you probably want to pass that into the decorator along with the class.
I created a simple Server Interceptor that retrieves the user based on the JWT token.
But now I would like to make it available to all the methods of my services.
At the moment im using decorators. But I would like to avoid having to decorate all the methods. In case, decorate only those that do not need the user.
Some one can give me a clue ?
here is my code:
class AuthInterceptor(grpc.ServerInterceptor):
"""Authorization Interceptor"""
def __init__(self, loader):
self._loader = loader
def intercept_service(self, continuation, handler_call_details):
# Authenticate if we not requesting token.
if not handler_call_details.method.endswith('GetToken'):
# My Authentication class.
auth = EosJWTAuth()
# Authenticate using the headers tokens to get the user.
user = auth.authenticate(
dict(handler_call_details.invocation_metadata))[0]
# Do something here to pass the authenticated user to the functions.
cont = continuation(handler_call_details)
return cont
And I'd like my methods can to access the user in a way like this.
class UserService(BaseService, users_pb2_grpc.UserServicer):
"""User service."""
def get_age(self, request, context):
"""Get user's age"""
user = context.get_user()
# or user = context.user
# or user = self.user
# os user = request.get_user()
return pb.UserInfo(name=user.name, age=user.age)
This is a common need for web servers, and it is a good idea to add decorators to the handlers to explicitly set requirement for authentication/authorization. It helps readability, and reduces the overall complexity.
However, here is a workaround to solve your question. It uses Python metaclass to automatically decorate every servicer method.
import grpc
import functools
import six
def auth_decorator(func):
#functools.wraps(func)
def wrapper(request, context):
if not func.__name__.endswith('GetToken'):
auth = FooAuthClass()
try:
user = auth.authenticate(
dict(context.invocation_metadata)
)[0]
request.user = user
except UserNotFound:
context.abort(
grpc.StatusCode.UNAUTHENTICATED,
'Permission denied.',
)
return func(request, context)
return wrapper
class AuthMeta:
def __new__(self, class_name, bases, namespace):
for key, value in list(namespace.items()):
if callable(value):
namespace[key] = auth_decorator(value)
return type.__new__(self, class_name, bases, namespace)
class BusinessServer(FooServicer, six.with_metaclass(AuthMeta)):
def LogicA(self, request, context):
# request.user accessible
...
def LogicGetToken(self, request, context):
# request.user not accessible
...
I think my problem is related on the way I structured my pyramid project.
What I want to accomplish is to make my code runs on all views, I don't want to paste same codes on all views. Its like I will include the code in all views by just simply calling it. This is my code.
my wizard module
from pyramid.view import view_config, view_defaults
from .models import *
from datetime import datetime
from pyramid.response import Response
from bson import ObjectId
from pyramid.httpexceptions import HTTPFound
import json
class WizardView:
def __init__(self, request):
self.request = request
#view_config(route_name='wizard', renderer='templates/wizard.jinja2')
def wizard(self):
session = self.request.session
if session:
return {'fullname':session['name'],'userrole':session['userrole']}
else:
url = self.request.route_url('login')
return HTTPFound(location=url)
my bill module
from pyramid.view import view_config, view_defaults
from .models import *
from datetime import datetime
from pyramid.response import Response
from bson import ObjectId
from pyramid.httpexceptions import HTTPFound
class BillView:
def __init__(self, request):
self.request = request
#view_config(route_name='bills', renderer='templates/bills.jinja2')
def bills(self):
session = self.request.session
if session:
return {'fullname':session['name'],'userrole':session['userrole']}
else:
url = self.request.route_url('login')
return HTTPFound(location=url)
As you can see I have to paste this code twice (this code checks if session exist, if not, then redirect user to login page)
session = self.request.session
if session:
return {'fullname':session['name'],'userrole':session['userrole']}
else:
url = self.request.route_url('login')
return HTTPFound(location=url)
I've tried to search and I think what I need is some sort of auto loader? How can I apply this on pyramid? Or should I stick with this process?
If you wish to return exactly the same thing from both (many) views, then the best way is to use inheritance.
class GenericView:
def __init__(self, request):
self.request = request
def generic_response(self):
session = self.request.session
if session:
return {'fullname':session['name'],'userrole':session['userrole']}
else:
url = self.request.route_url('login')
return HTTPFound(location=url)
Use generic_response in WizardView and BillView
class WizardView(GenericView):
def __init__(self, request):
super().__init__(request)
# Do wizard specific initialization
#view_config(route_name='wizard', renderer='templates/wizard.jinja2')
def wizard(self):
return self.generic_response()
class BillView(GenericView):
def __init__(self, request):
super().__init__(request)
# Do bill specific initialization
#view_config(route_name='bills', renderer='templates/bills.jinja2')
def bills(self):
return self.generic_response()
If you want to just check (and redirect) when session does not exists and otherwise proceed normally you could use custom exceptions and corresponding views.
First define custom exception
class SessionNotPresent(Exception):
pass
And view for this exception
#view_config(context=SessionNotPresent)
def handle_no_session(context, request):
# context is our custom exception, request is normal request
request.route_url('login')
return HTTPFound(location=url)
Then just check if session exists in parent constructor
class SessionView:
def __init__(self, request):
self.request = request
if not self.request.session:
raise SessionNotPresent() # Pyramid will delegate request handilng to handle_no_request
In views simply extend SessionView and non existing sessions will be handeled by handle_no_session.
class WizardView(SessionView):
def __init__(self, request):
super().__init__(request)
# Do wizard specific initialization
#view_config(route_name='wizard', renderer='templates/wizard.jinja2')
def wizard(self):
session = self.request.session
return {'fullname':session['name'],'userrole':session['userrole']}
class BillView(SessionView):
def __init__(self, request):
super().__init__(request)
# Do bill specific initialization
#view_config(route_name='bills', renderer='templates/bills.jinja2')
def bills(self):
session = self.request.session
return {'fullname':session['name'],'userrole':session['userrole']}
You could easily add additional parameters to exception (redirect_url, ...)
For exception handling see http://docs.pylonsproject.org/projects/pyramid-cookbook/en/latest/pylons/exceptions.html
You can use events: http://docs.pylonsproject.org/projects/pyramid/en/latest/narr/events.html
Example:
from pyramid.events import subscriber, NewRequest
#subscriber(NewRequest)
def check_session(event):
if not event.request.session:
raise HTTPFound(location=event.request.route_path('login'))