diff --git a/api/libretime_api/permissions.py b/api/libretime_api/permissions.py
index bf89ebb21..abc5d93f5 100644
--- a/api/libretime_api/permissions.py
+++ b/api/libretime_api/permissions.py
@@ -2,6 +2,7 @@ from secrets import compare_digest
 from django.conf import settings
 from rest_framework.permissions import BasePermission
+from rest_framework.request import Request
 from .core.models import Role
@@ -48,11 +49,8 @@ def get_permission_for_view(request, view):
 return None
-def check_authorization_header(request):
- auth_header = request.META.get("Authorization")
- if not auth_header:
- auth_header = request.META.get("HTTP_AUTHORIZATION", "")
-
+def check_authorization_header(request: Request):
+ auth_header = request.headers.get("authorization", "")
 if auth_header.startswith("Api-Key"):
 token = auth_header.split()[1]
 return compare_digest(token, settings.CONFIG.general.api_key)
diff --git a/api/libretime_api/tests/test_permissions.py b/api/libretime_api/tests/test_permissions.py
index e386f47f2..74bad363a 100644
--- a/api/libretime_api/tests/test_permissions.py
+++ b/api/libretime_api/tests/test_permissions.py
@@ -19,17 +19,21 @@ class TestIsSystemTokenOrUser(APITestCase):
 def test_token_incorrect(self):
 token = "doesnotexist"
- request = APIRequestFactory().get(self.path)
+ request = APIRequestFactory().get(
+ self.path,
+ headers={"Authorization": f"Api-Key {token}"},
+ )
 request.user = AnonymousUser()
- request.META["Authorization"] = f"Api-Key {token}"
 allowed = IsSystemTokenOrUser().has_permission(request, None)
 self.assertFalse(allowed)
 def test_token_correct(self):
 token = settings.CONFIG.general.api_key
- request = APIRequestFactory().get(self.path)
+ request = APIRequestFactory().get(
+ self.path,
+ headers={"Authorization": f"Api-Key {token}"},
+ )
 request.user = AnonymousUser()
- request.META["Authorization"] = f"Api-Key {token}"
 allowed = IsSystemTokenOrUser().has_permission(request, None)
 self.assertTrue(allowed)
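Review bot: `auth_header.split()[1]` in check_authorization_header raises IndexError when the header is a bare `Api-Key` with no token, and compare_digest raises TypeError when a str argument contains non-ASCII characters, so a malformed Authorization header probably ends in a server error instead of a clean denial. `startswith("Api-Key")` also accepts any scheme that merely begins with those characters. I would parse once with `parts = auth_header.split()`, guard with `if len(parts) == 2 and parts[0] == "Api-Key":`, and compare bytes with `return compare_digest(parts[1].encode(), settings.CONFIG.general.api_key.encode())`, assuming the configured key is a str. The function's tail is outside the hunk.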
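Review bot: The two tests in test_permissions.py only send a well-formed `Api-Key <token>` header, so the rewritten lookup is never exercised with no Authorization header, a bare `Api-Key`, or another scheme such as `Bearer`. Add cases asserting that `has_permission` returns False for each, for example with `headers={"Authorization": "Api-Key"}`. Since the production code now reads `request.headers.get("authorization", "")`, one case that sends the header name in a different case would pin the case-insensitive lookup the change relies on. The test class starts above the hunk.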