diff --git a/auth/auth.py b/auth/auth.py
index 66ba4b921..d7dce7568 100644
--- a/auth/auth.py
+++ b/auth/auth.py
@@ -1,6 +1,7 @@
 import logging
 from functools import wraps
+from uuid import UUID
 from datetime import datetime
 from flask import request, session
 from flask.ext.principal import identity_changed, Identity
@@ -23,6 +24,12 @@ logger = logging.getLogger(__name__)
 def _load_user_from_cookie():
 if not current_user.is_anonymous():
+ try:
+ # Attempt to parse the user uuid to make sure the cookie has the right value type
+ UUID(current_user.get_id())
+ except ValueError:
+ return None
+ logger.debug('Loading user from cookie: %s', current_user.get_id())
 set_authenticated_user_deferred(current_user.get_id())
 loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
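Review bot: The `except ValueError:` in `_load_user_from_cookie` only covers a string that fails to parse; if `current_user.get_id()` ever yields `None` or a non-string (the "right value type" case the comment names), `UUID(...)` raises `TypeError` or `AttributeError` instead and the exception propagates out of this check rather than the cookie being rejected. Widening the handler to `except (ValueError, TypeError, AttributeError):` would cover that. `UUID()` also accepts braced, `urn:uuid:`-prefixed and unhyphenated forms, so the raw value passed on to `set_authenticated_user_deferred` is not necessarily canonical; binding `user_uuid = str(UUID(current_user.get_id()))` once and using it in the calls below would fix that, assuming downstream lookups expect the canonical form. The function body continues beyond the end of the hunk.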