As part of my application's auth system, I need to get the values in `request.authorization`. While writing some basic tests for my app, I experimented with incorrectly formatted authorization headers. To my surprise, there is no simple way of dealing with a poorly supplied header from the client.
To some degree this looks like an upstream issue with WebOb (see #231). Their `parse_auth` function attempts to split the header's string, but it offers no exception handling for strings that do not comply with the standard. This results in a `ValueError` getting thrown whenever `parse_auth` is called for a malformed string.
It looks like a Pylons project member (rightly) doesn't like the idea of WebOb failing quietly, and I can see how it would be a trivial exception to catch if you're working with WebOb itself. The problem is that `request.authorization` is handled way before my own app logic is called. The associated `ValueError` therefore raises an unhandled exception that results in a `501 Server Error` instead of a `400 Bad Request` - as one would expect.
I'd be happy to go at this. Any guidance before I dig in?
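One way to answer 400 for a malformed `Authorization` header before any framework-level parsing runs, as an added example that is not part of the original post and is not code from WebOb or this project: a stdlib-only WSGI middleware. The names `authorization_is_well_formed`, `RejectMalformedAuthorization` and `demo_status` are hypothetical, and the Basic check assumes RFC 7617 `user:password` credentials.

```python
import base64
import binascii
import re

# RFC 7235 auth-scheme is an RFC 7230 token.
_SCHEME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def authorization_is_well_formed(value):
    """Return True if value has the shape '<scheme> <credentials>'."""
    scheme, sep, credentials = value.partition(" ")
    credentials = credentials.strip()
    if not sep or not credentials or not _SCHEME.fullmatch(scheme):
        return False
    if scheme.lower() == "basic":
        # Basic credentials must be base64 of 'user:password'.
        try:
            decoded = base64.b64decode(credentials, validate=True)
        except (binascii.Error, ValueError):
            return False
        return b":" in decoded
    return True  # other schemes: only the overall shape is checked here


class RejectMalformedAuthorization:
    """WSGI middleware (hypothetical name): reply 400 before the app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        value = environ.get("HTTP_AUTHORIZATION")
        if value is not None and not authorization_is_well_formed(value):
            body = b"Malformed Authorization header\n"
            start_response("400 Bad Request", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def demo_status(header):
    """Send a constructed request through the middleware; return the status."""
    seen = []
    def app(environ, start_response):
        start_response("200 OK", [("Content-Length", "0")])
        return [b""]
    environ = {} if header is None else {"HTTP_AUTHORIZATION": header}
    RejectMalformedAuthorization(app)(environ, lambda s, h: seen.append(s))
    return seen[0]
```

Wrapping the application object with `RejectMalformedAuthorization` keeps the rejection outside the request object entirely, so a malformed header never reaches the code path that raises.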