400 error on certain PNGs due to OIDC rerouting...?

2026-05-19 01:02:51 +02:00
parent a2dbcaf79a
commit c4946f8e16
2 changed files with 29 additions and 3 deletions
--- a/boxes/tests.py
+++ b/boxes/tests.py
@@ -1,14 +1,31 @@
+from types import SimpleNamespace
+
 from django.contrib.admin.sites import AdminSite
 from django.contrib.auth.models import User
 from django.core.files.uploadedfile import SimpleUploadedFile
 from django.db import IntegrityError
-from django.test import Client, TestCase
+from django.test import Client, RequestFactory, SimpleTestCase, TestCase
 from django.urls import reverse
+from mozilla_django_oidc.middleware import SessionRefresh

 from .admin import BoxAdmin, BoxTypeAdmin, ThingAdmin
 from .models import Box, BoxType, Facet, Tag, Thing, ThingFile, ThingLink


+class OIDCSessionRefreshTests(SimpleTestCase):
+    """Tests for OIDC session refresh routing exclusions."""
+
+    def test_media_urls_do_not_trigger_oidc_session_refresh(self):
+        """Uploaded files should be served directly, not redirected through OIDC."""
+        request = RequestFactory().get('/media/things/files/251/diag_6606.png')
+        request.user = SimpleNamespace(is_authenticated=True)
+        request.session = {}
+
+        middleware = SessionRefresh(lambda request: None)
+
+        self.assertFalse(middleware.is_refreshable_url(request))
+
+
 class AuthTestCase(TestCase):
    """Base test case that provides authenticated client."""

--- a/labhelper/settings.py
+++ b/labhelper/settings.py
@@ -11,6 +11,7 @@ https://docs.djangoproject.com/en/5.2/ref/settings/
 """

 import os
+import re
 from pathlib import Path

 # Build paths inside the project like this: BASE_DIR / 'subdir'.
@@ -181,5 +182,13 @@ OIDC_STORE_ID_TOKEN = True
 # Redirect to the static login page on auth failure instead of looping back into OIDC
 OIDC_AUTHENTICATION_FAILURE_REDIRECT_URL = os.environ.get('OIDC_AUTHENTICATION_FAILURE_REDIRECT_URL', '/login/')

-# Exempt AJAX endpoints from the session-refresh middleware redirect
-OIDC_EXEMPT_URLS = ['search_api']
+# Exempt endpoints and uploaded media from the session-refresh middleware.
+#
+# Media URLs are already served without a login_required view. If an embedded
+# image request is redirected into a silent OIDC refresh, the callback happens
+# in a subresource context and browsers can withhold the session cookie, causing
+# the OIDC state check to fail with HTTP 400.
+OIDC_EXEMPT_URLS = [
+    'search_api',
+    re.compile(rf'^{re.escape(MEDIA_URL)}'),
+]