fix: use ApiKeyAuth instead of BearerAuth (#3684)

ietf-tools · Feb 9, 2024 · b5326c3 · b5326c3
1 parent 622d61c
commit b5326c3
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 19 deletions.
diff --git a/api.yml b/api.yml
@@ -162,7 +162,7 @@ paths:
           description: name of list
           example: quic
       security:
-        - bearerAuth: []
+        - ApiKeyAuth: []
       requestBody:
         description: raw email messasge
         required: true
@@ -177,11 +177,9 @@ paths:
         '400':
           description: Bad Request
 
-security:
-  - bearerAuth:
-
 components:
   securitySchemes:
-    bearerAuth:
-      type: http
-      scheme: bearer
+    ApiKeyAuth:
+      type: apiKey
+      in: header
+      name: X-API-KEY
diff --git a/backend/mlarchive/tests/archive/api.py b/backend/mlarchive/tests/archive/api.py
@@ -227,13 +227,13 @@ def test_import_message(client, settings):
         headers={},
         content_type='application/octet-stream')
     assert response.status_code == 400
-    assert get_error_message(response) == 'Missing apikey parameter'
+    assert get_error_message(response) == 'Missing apikey'
 
     # invalid api key
     response = client.post(
         url,
         data=data,
-        headers={'Authorization': 'Bearer bogus'},
+        headers={'X-API-Key': 'bogus'},
         content_type='application/octet-stream')
     assert response.status_code == 403
     assert get_error_message(response) == 'Invalid apikey'
@@ -242,7 +242,7 @@ def test_import_message(client, settings):
     response = client.post(
         url,
         data=data,
-        headers={'Authorization': 'Bearer abcdefg'},
+        headers={'X-API-Key': 'abcdefg'},
         content_type='application/octet-stream')
     print(response, response.content)
     assert response.status_code == 201
@@ -286,7 +286,7 @@ def test_import_message_private(client, settings):
     response = client.post(
         url,
         data=data,
-        headers={'Authorization': 'Bearer abcdefg'},
+        headers={'X-API-Key': 'abcdefg'},
         content_type='application/octet-stream')
     print(response, response.content)
     assert response.status_code == 201
@@ -325,7 +325,7 @@ def test_import_message_failure(client, settings):
     response = client.post(
         url,
         data=data,
-        headers={'Authorization': 'Bearer abcdefg'},
+        headers={'X-API-Key': 'abcdefg'},
         content_type='application/octet-stream')
     print(response, response.content)
     assert response.status_code == 400

diff --git a/backend/mlarchive/tests/utils/decorators.py b/backend/mlarchive/tests/utils/decorators.py
@@ -56,7 +56,7 @@ def test_require_api_key(settings):
     response = decorated_func(arequest)
     print(response, response.content)
     assert response.status_code == 400
-    assert get_error_message(response) == 'Missing apikey parameter'
+    assert get_error_message(response) == 'Missing apikey'
     # bad api key
     brequest = get_request(url + '?apikey=bogus')
     response = decorated_func(brequest)
@@ -74,12 +74,12 @@ def test_require_api_key(settings):
     print(response, response.content)
     assert response.status_code == 200
     # api key post header
-    erequest = rf.post(url, headers={'Authorization': 'Bearer abcdefg'})
+    erequest = rf.post(url, headers={'X-API-Key': 'abcdefg'})
     response = decorated_func(erequest)
     print(response, response.content)
     assert response.status_code == 200
     # api key post header, endpoint mismatch
-    frequest = rf.post('/api/v1/stats/', headers={'Authorization': 'Bearer abcdefg'})
+    frequest = rf.post('/api/v1/stats/', headers={'X-API-Key': 'abcdefg'})
     response = decorated_func(frequest)
     print(response, response.content)
     assert response.status_code == 400

diff --git a/backend/mlarchive/utils/decorators.py b/backend/mlarchive/utils/decorators.py
@@ -180,15 +180,14 @@ def err(code, text):
         if request.method == 'POST':
             if 'apikey' in request.POST:
                 apikey = request.POST.get('apikey')
-            elif 'Authorization' in request.headers:
-                value = request.headers.get('Authorization')
-                _, apikey = value.split(' ', 1)
+            elif 'X-API-Key' in request.headers:
+                apikey = request.headers.get('X-API-Key')
         elif request.method == 'GET':
             apikey = request.GET.get('apikey')
         else:
             return err(405, "Method not allowed")
         if not apikey:
-            return err(400, "Missing apikey parameter")
+            return err(400, "Missing apikey")
 
         # Check apikey
         if apikey not in settings.API_KEYS: