From b5326c3526ec0a4352a39a0e9de334f9baa94b6c Mon Sep 17 00:00:00 2001 From: Ryan Cross Date: Fri, 9 Feb 2024 10:04:30 -0800 Subject: [PATCH] fix: use ApiKeyAuth instead of BearerAuth (#3684) --- api.yml | 12 +++++------- backend/mlarchive/tests/archive/api.py | 10 +++++----- backend/mlarchive/tests/utils/decorators.py | 6 +++--- backend/mlarchive/utils/decorators.py | 7 +++---- 4 files changed, 16 insertions(+), 19 deletions(-) diff --git a/api.yml b/api.yml index eabb7247..c1208bb1 100644 --- a/api.yml +++ b/api.yml @@ -162,7 +162,7 @@ paths: description: name of list example: quic security: - - bearerAuth: [] + - ApiKeyAuth: [] requestBody: description: raw email messasge required: true @@ -177,11 +177,9 @@ paths: '400': description: Bad Request -security: - - bearerAuth: - components: securitySchemes: - bearerAuth: - type: http - scheme: bearer + ApiKeyAuth: + type: apiKey + in: header + name: X-API-KEY diff --git a/backend/mlarchive/tests/archive/api.py b/backend/mlarchive/tests/archive/api.py index 9ff7ab59..77160558 100644 --- a/backend/mlarchive/tests/archive/api.py +++ b/backend/mlarchive/tests/archive/api.py @@ -227,13 +227,13 @@ def test_import_message(client, settings): headers={}, content_type='application/octet-stream') assert response.status_code == 400 - assert get_error_message(response) == 'Missing apikey parameter' + assert get_error_message(response) == 'Missing apikey' # invalid api key response = client.post( url, data=data, - headers={'Authorization': 'Bearer bogus'}, + headers={'X-API-Key': 'bogus'}, content_type='application/octet-stream') assert response.status_code == 403 assert get_error_message(response) == 'Invalid apikey' @@ -242,7 +242,7 @@ def test_import_message(client, settings): response = client.post( url, data=data, - headers={'Authorization': 'Bearer abcdefg'}, + headers={'X-API-Key': 'abcdefg'}, content_type='application/octet-stream') print(response, response.content) assert response.status_code == 201 
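Review bot: The root-level `security:` default is deleted in the `@@ -177,11 +177,9 @@` hunk of api.yml and nothing replaces it, so every operation that does not carry its own `security` list is now documented as requiring no authentication; only the import operation in the preceding `@@ -162,7 +162,7 @@` hunk declares `- ApiKeyAuth: []`. If the key is meant to be required by default, keep a root-level `security:` followed by `  - ApiKeyAuth: []`; otherwise confirm the remaining operations are intentionally public. The scheme's `name: X-API-KEY` also differs in case from the `X-API-Key` that the decorator and the tests use; header names are case-insensitive on the wire, so this is not a functional problem, but one spelling across spec, code and tests avoids a reader assuming they are different headers.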
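Review bot: None of the hunks in backend/mlarchive/tests/archive/api.py (`@@ -227`, `@@ -242`, `@@ -286`, `@@ -325`) covers a client that still sends the old `Authorization: Bearer` header, which after this commit should be treated like the empty-headers case and answered with 400 'Missing apikey' rather than accepted. A case next to the 'invalid api key' block in the `@@ -227` hunk, `response = client.post(url, data=data, headers={'Authorization': 'Bearer abcdefg'}, content_type='application/octet-stream')` followed by `assert response.status_code == 400`, would pin the removal of the bearer path. The expected texts 'Missing apikey' and 'Invalid apikey' are consistent with the utils/decorators.py hunk. test_import_message starts before this hunk.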
@@ -286,7 +286,7 @@ def test_import_message_private(client, settings): response = client.post( url, data=data, - headers={'Authorization': 'Bearer abcdefg'}, + headers={'X-API-Key': 'abcdefg'}, content_type='application/octet-stream') print(response, response.content) assert response.status_code == 201 @@ -325,7 +325,7 @@ def test_import_message_failure(client, settings): response = client.post( url, data=data, - headers={'Authorization': 'Bearer abcdefg'}, + headers={'X-API-Key': 'abcdefg'}, content_type='application/octet-stream') print(response, response.content) assert response.status_code == 400 diff --git a/backend/mlarchive/tests/utils/decorators.py b/backend/mlarchive/tests/utils/decorators.py index 0646976d..7e98fc29 100644 --- a/backend/mlarchive/tests/utils/decorators.py +++ b/backend/mlarchive/tests/utils/decorators.py @@ -56,7 +56,7 @@ def test_require_api_key(settings): response = decorated_func(arequest) print(response, response.content) assert response.status_code == 400 - assert get_error_message(response) == 'Missing apikey parameter' + assert get_error_message(response) == 'Missing apikey' # bad api key brequest = get_request(url + '?apikey=bogus') response = decorated_func(brequest) @@ -74,12 +74,12 @@ def test_require_api_key(settings): print(response, response.content) assert response.status_code == 200 # api key post header - erequest = rf.post(url, headers={'Authorization': 'Bearer abcdefg'}) + erequest = rf.post(url, headers={'X-API-Key': 'abcdefg'}) response = decorated_func(erequest) print(response, response.content) assert response.status_code == 200 # api key post header, endpoint mismatch - frequest = rf.post('/api/v1/stats/', headers={'Authorization': 'Bearer abcdefg'}) + frequest = rf.post('/api/v1/stats/', headers={'X-API-Key': 'abcdefg'}) response = decorated_func(frequest) print(response, response.content) assert response.status_code == 400 
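Review bot: The `@@ -74,12 +74,12 @@` hunk of backend/mlarchive/tests/utils/decorators.py exercises `X-API-Key` only on POST requests, while the decorator in the utils/decorators.py hunk consults the header only in its POST branch and on GET reads `apikey` solely from the query string, so a GET carrying the header falls through to the 400 'Missing apikey' response. A test that makes this asymmetry explicit, e.g. `grequest = rf.get(url, headers={'X-API-Key': 'abcdefg'})` followed by `assert decorated_func(grequest).status_code == 400` (assuming `rf` is the RequestFactory used for `rf.post` above), would keep a later refactor from silently widening or narrowing where the key is accepted. test_require_api_key starts before this hunk.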
diff --git a/backend/mlarchive/utils/decorators.py b/backend/mlarchive/utils/decorators.py index f945a78b..7d3f4f89 100644 --- a/backend/mlarchive/utils/decorators.py +++ b/backend/mlarchive/utils/decorators.py @@ -180,15 +180,14 @@ def err(code, text): if request.method == 'POST': if 'apikey' in request.POST: apikey = request.POST.get('apikey') - elif 'Authorization' in request.headers: - value = request.headers.get('Authorization') - _, apikey = value.split(' ', 1) + elif 'X-API-Key' in request.headers: + apikey = request.headers.get('X-API-Key') elif request.method == 'GET': apikey = request.GET.get('apikey') else: return err(405, "Method not allowed") if not apikey: - return err(400, "Missing apikey parameter") + return err(400, "Missing apikey") # Check apikey if apikey not in settings.API_KEYS: