erp5_oauth2_authorisation: Store more HTTPResponse headers using setHeader

During the response process (especially setBody), HTTPResponse accesses and updates some response headers in its "headers" property (a dictionary). addHeader puts the response headers in a list which will not be updated by HTTPResponse. This is "more correct" from an RFC perspective, as any header specified as being a sequence of values delimited by commas may be split among multiple headers. So, keep using addHeader by default, but special-case some headers which are accessed and must be successfully updated by HTTPResponse itself so that those headers are set using setHeader, which updates the "headers" property.

erp5_oauth2_authorisation: Store more HTTPResponse headers using setHeader
During the response process (especially setBody), HTTPResponse accesses and updates some response headers in its "headers" property (a dictionary). addHeader puts the response headers in a list which will not be updated by HTTPResponse. This is "more correct" from an RFC perspective, as any header specified as being a sequence of values delimited by commas may be split among multiple headers. So, keep using addHeader by default, but special-case some headers which are accessed and must be successfully updated by HTTPResponse itself so that those headers are set using setHeader, which updates the "headers" property.
b680b016 · Vincent Pelletier · 93f018e7 · b680b016
Commit b680b016 authored Jun 15, 2023 by Vincent Pelletier
Showing with 12 additions and 9 deletions

bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py ...nents/document.erp5.OAuth2AuthorisationServerConnector.py +12 -9

No files found.
--- a/bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py
+++ b/bt5/erp5_oauth2_authorisation/DocumentTemplateItem/portal_components/document.erp5.OAuth2AuthorisationServerConnector.py
@@ -883,18 +883,21 @@ def _handleOAuth2Error(RESPONSE, exc):
  RESPONSE.setHeader('Content-Type', 'application/json')
  RESPONSE.setBody(exc.json, lock=True)

+# A minimal set of headers which must not be set on an HTTPResponse using addHeader,
+# but must be set using setHeader instead because HTTPResponse treat them specially
+# (ex: modifies them while rendering the final response form).
+_SPECIAL_HEADER_NAME_SET = (
+  'content-type',
+  'content-length',
+)
 def _setupZopeResponse(RESPONSE, status, header_item_list, body):
  RESPONSE.setStatus(status, lock=True)
  for key, value in header_item_list:
-    if key.lower().replace('_', '-') == 'content-type':
-      # If RESPONSE is an HTTPResponse, it will not intercept this
-      # RESPONSE.addHeader, and will set its own default value,
-      # so the response ends up with multiple content-types, like:
-      #   text/plain; charset=utf-8, application/json
-      # So, intercept this header, and set it separately.
-      RESPONSE.setHeader(key, value)
-    else:
-      RESPONSE.addHeader(key, value)
+    (
+      RESPONSE.setHeader
+      if key.lower() in _SPECIAL_HEADER_NAME_SET else
+      RESPONSE.addHeader
+    )(key, value)
  return body

 def _wrapOAuth2Endpoint(func):