Comment 6 for bug 1121494

Nit on the grizzly patch: change the reference to "token.core.validate_auth_info" to just "token.validate_auth_info". The "core" module is only referenced directly from within the token package itself.

Although the grizzly patch is primarily a refactor, I'd be happy to argue that it's totally appropriate here as a security fix: the security vulnerability is ultimately that two code paths are not sharing code, when they should be.

On the folsom and essex patches, remove the msg from being passed to Unauthorized (only use it for logging), as you're actually creating a new security vulnerability there which we are protected from in Grizzly (unnecessarily exposing the reason for auth failure to the API). In Grizzly, the msg passed to exceptions.Unauthorized() is exposed to the API in debug mode, but suppressed otherwise. We don't have that feature in essex/folsom, so we can't allow the exception's message to be overridden.