core: handle error when ?for_user is not numberical

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

authentik/core/api/applications.py

@@ -122,7 +122,10 @@ class ApplicationViewSet(UsedByMixin, ModelViewSet):
         # If the current user is superuser, they can set `for_user`
         for_user = request.user
         if request.user.is_superuser and "for_user" in request.query_params:
+            try:
                 for_user = get_object_or_404(User, pk=request.query_params.get("for_user"))
+            except ValueError:
+                return HttpResponseBadRequest("for_user must be numerical")
         engine = PolicyEngine(application, for_user, request)
         engine.use_cache = False
         engine.build()

authentik/root/asgi/app.py

@@ -6,8 +6,6 @@ It exposes the ASGI callable as a module-level variable named ``application``.
 For more information on this file, see
 https://docs.djangoproject.com/en/3.0/howto/deployment/asgi/
 """
-from time import time
-
 import django
 from asgiref.compatibility import guarantee_single_callable
 from channels.routing import ProtocolTypeRouter, URLRouter

authentik/root/asgi/error_handler.py

@@ -17,11 +17,12 @@ class ASGIErrorHandler:
     async def __call__(self, scope: Scope, receive: Receive, send: Send) -> None:
         try:
             return await self.app(scope, receive, send)
-        except Exception as exc:  # pylint: disable=
+        except Exception as exc:  # pylint: disable=broad-except
             LOGGER.warning("Fatal ASGI exception", exc=exc)
             return await self.error_handler(send)
 
     async def error_handler(self, send: Send) -> None:
+        """Return a generic error message"""
         return await send(
             {
                 "type": "http.request",

authentik/root/asgi/types.py

@@ -1,3 +1,4 @@
+"""ASGI Types"""
 import typing
 
 # See https://github.com/encode/starlette/blob/master/starlette/types.py