authorTuomo Ala-Vannesluoma <tuomoav@gmail.com>2018-06-18 19:43:44 +0300
committerTuomo Ala-Vannesluoma <tuomoav@gmail.com>2018-06-30 22:51:43 +0300
commit1b2c9bec53272e1f757015dcb28c835492b25ad0 (patch)
tree1865707567487d4eb716128c2010a0be83d0a03e /internal/auth
parent5828ffbece3a751198a2f9a0c7c8b144d13179c4 (diff)
Use header authentication instead of query parameter
Diffstat (limited to 'internal/auth')
-rw-r--r--internal/auth/auth.go14
-rw-r--r--internal/auth/auth_test.go8
2 files changed, 15 insertions, 7 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index a3d44dc6..407de0c3 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -16,7 +16,7 @@ import (
)
const (
- apiURLTemplate = "%s/api/v4/projects/%d?access_token=%s"
+ apiURLTemplate = "%s/api/v4/projects/%d"
authorizeURLTemplate = "%s/oauth/authorize?client_id=%s&redirect_uri=%s&response_type=code&state=%s"
tokenURLTemplate = "%s/oauth/token"
tokenContentTemplate = "client_id=%s&client_secret=%s&code=%s&grant_type=authorization_code&redirect_uri=%s"
@@ -214,8 +214,16 @@ func (a *Auth) CheckAuthentication(w http.ResponseWriter, r *http.Request, proje
}
// Access token exists, authorize request
- url := fmt.Sprintf(apiURLTemplate, a.gitLabServer, projectID, session.Values["access_token"].(string))
- resp, err := a.apiClient.Get(url)
+ url := fmt.Sprintf(apiURLTemplate, a.gitLabServer, projectID)
+ req, err := http.NewRequest("GET", url, nil)
+
+ if err != nil {
+ httperrors.Serve500(w)
+ return true
+ }
+
+ req.Header.Add("Authorization", "Bearer "+session.Values["access_token"].(string))
+ resp, err := a.apiClient.Do(req)
if checkResponseForInvalidToken(resp, err) {
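Review bot: The unchecked type assertion `session.Values["access_token"].(string)` on the new Authorization line is kept from the old query-string code, and it still panics the handler if the stored value is present but not a string (the comment above only says the token exists, which presumably reflects a presence check earlier in the function). Since the value now feeds a header rather than a URL, the cheap guard is `tok, ok := session.Values["access_token"].(string)` followed by `if !ok { httperrors.Serve500(w); return true }` (or whatever the earlier presence check does on a missing token), and then `req.Header.Add("Authorization", "Bearer "+tok)`. As a point of style, `http.NewRequest(http.MethodGet, url, nil)` avoids the bare `"GET"` literal, and the blank line between the `NewRequest` call and its `err` check is unusual for Go. CheckAuthentication starts and ends outside this hunk, so how `resp` is closed after `checkResponseForInvalidToken` cannot be seen here.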
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index e8a95662..60ff6223 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -76,7 +76,7 @@ func TestTryAuthenticateWithCodeAndState(t *testing.T) {
w.WriteHeader(http.StatusOK)
fmt.Fprint(w, "{\"access_token\":\"abc\"}")
case "/api/v4/projects/1000":
- assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+ assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
w.WriteHeader(http.StatusOK)
default:
t.Logf("Unexpected r.URL.RawPath: %q", r.URL.Path)
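Review bot: The rewritten assertion checks that the bearer header arrives but no longer asserts that the token has left the URL, which is the security property this commit exists to establish (a token in the query string is exposed through access logs and Referer headers). Adding `assert.Empty(t, r.URL.Query().Get("access_token"))` next to the header assertion would turn a future regression back to the query-parameter form into a test failure. The same applies to the three later hunks in this file (TestCheckAuthenticationWhenAccess, TestCheckAuthenticationWhenNoAccess, TestCheckAuthenticationWhenInvalidToken), each of which replaces the same line. The enclosing handler closures start and end outside these hunks.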
@@ -115,7 +115,7 @@ func TestCheckAuthenticationWhenAccess(t *testing.T) {
apiServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case "/api/v4/projects/1000":
- assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+ assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
w.WriteHeader(http.StatusOK)
default:
t.Logf("Unexpected r.URL.RawPath: %q", r.URL.Path)
@@ -152,7 +152,7 @@ func TestCheckAuthenticationWhenNoAccess(t *testing.T) {
apiServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case "/api/v4/projects/1000":
- assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+ assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
w.WriteHeader(http.StatusUnauthorized)
default:
t.Logf("Unexpected r.URL.RawPath: %q", r.URL.Path)
@@ -189,7 +189,7 @@ func TestCheckAuthenticationWhenInvalidToken(t *testing.T) {
apiServer := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
switch r.URL.Path {
case "/api/v4/projects/1000":
- assert.Equal(t, "abc", r.URL.Query().Get("access_token"))
+ assert.Equal(t, "Bearer abc", r.Header.Get("Authorization"))
w.WriteHeader(http.StatusUnauthorized)
fmt.Fprint(w, "{\"error\":\"invalid_token\"}")
default: