@calmh calmh commented Jul 25, 2023

Currently, historically, we look for the `X-API-Key` header to
authenticate with an API key. There's nothing wrong with this, but in
some scenarios it's easier to produce an `Authorization` header with a
`Bearer $token` content, which is nowadays more common. This change adds
support for both, so that we will accept an API key either in our custom
header or as a bearer token.
t.Fatal("Getting /rest/system/config with API key should succeed, not", resp.Status)
}

// Calling on /rest with the API key as a bearer token should succeed
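Review bot: The bearer-token case announced by the comment on the last line is only checked on the accepting path, like the `X-API-Key` case whose `t.Fatal` sits above it. Next to it, assert that a wrong token in `Authorization: Bearer ...`, the correct key sent under a different scheme, and a `Bearer` header with an empty token are all refused, so that later changes to the header parsing cannot widen what `/rest` accepts without a test failing.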
Member

Should have tests for wrong API keys? As this changes what is accepted, we should make sure nothing creeps in later that accepts too much.

Member Author

Added, and also improved & modernized the tests a little
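
The behaviour described in the pull request, together with the wrong-key cases asked for in review, as an added Go example that is not Syncthing's code. The helper names, the precedence of `X-API-Key` over `Authorization`, the case-insensitive scheme match and the constant-time comparison are assumptions of this example, and the key is a constructed sample.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"strings"
)

// presentedKey returns the key sent in X-API-Key or, if that header is absent,
// the token of an "Authorization: Bearer <token>" header. Hypothetical helper.
func presentedKey(r *http.Request) string {
	if key := r.Header.Get("X-API-Key"); key != "" {
		return key
	}
	scheme, token, ok := strings.Cut(r.Header.Get("Authorization"), " ")
	if ok && strings.EqualFold(scheme, "Bearer") { // scheme names are case-insensitive
		return strings.TrimSpace(token)
	}
	return "" // other schemes (Basic, ...) never count as an API key
}

// hasValidAPIKey reports whether the request carries exactly the configured key.
func hasValidAPIKey(r *http.Request, configured string) bool {
	presented := presentedKey(r)
	if configured == "" || presented == "" {
		return false // an unset key must not match an empty credential
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(configured)) == 1
}

// check builds a request carrying one header (constructed input) and evaluates it.
func check(header, value, configured string) bool {
	r, _ := http.NewRequest(http.MethodGet, "http://localhost/rest/system/config", nil)
	if header != "" {
		r.Header.Set(header, value)
	}
	return hasValidAPIKey(r, configured)
}

func main() {
	const key = "constructed-sample-key" // not a real key
	for _, c := range [][2]string{
		{"X-API-Key", key}, {"Authorization", "Bearer " + key}, // accepted
		{"Authorization", "Bearer wrong"}, {"Authorization", "Basic " + key},
		{"Authorization", "Bearer "}, {"X-API-Key", "wrong"}, // rejected
	} {
		fmt.Printf("%-14s %-32q -> %v\n", c[0], c[1], check(c[0], c[1], key))
	}
}
```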

@calmh calmh merged commit 855c6dc into syncthing:main Jul 26, 2023
calmh added a commit to syncthing/docs that referenced this pull request Jul 26, 2023
@calmh calmh deleted the bearerauth branch July 27, 2023 05:45
calmh added a commit to calmh/syncthing that referenced this pull request Jul 27, 2023
* main:
  cmd/strelaysrv: Handle accept error with debug set (fixes syncthing#9001) (syncthing#9004)
  lib/api: Fix data race in TestCSRFRequired (syncthing#9006)
  gui: Show full error for failed items (syncthing#9005)
  lib/api: Allow `Bearer` authentication style with API key (syncthing#9002)
@calmh calmh added this to the v1.23.7 milestone Jul 31, 2023
@st-review st-review added the frozen-due-to-age Issues closed and untouched for a long time, together with being locked for discussion label Jul 25, 2024
@syncthing syncthing locked and limited conversation to collaborators Jul 25, 2024