From a3fc6dc83071d919418ba03ef7d72af70ea362c5 Mon Sep 17 00:00:00 2001
From: Maxime Alves LIRMM
Date: Fri, 3 Feb 2023 12:43:16 +0100
Subject: [PATCH] [authMiddleware] UN-Breaking uses either the cookie or the header names "Authorization"

---
 halfapi/lib/jwt_middleware.py |  6 +++++-
 tests/test_jwt_middleware.py  | 29 +++++++++++++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/halfapi/lib/jwt_middleware.py b/halfapi/lib/jwt_middleware.py
index 436ab9e..5faa48b 100644
--- a/halfapi/lib/jwt_middleware.py
+++ b/halfapi/lib/jwt_middleware.py
@@ -62,8 +62,12 @@ class JWTAuthenticationBackend(AuthenticationBackend):
         self, conn: HTTPConnection
     ) -> typing.Optional[typing.Tuple['AuthCredentials', 'BaseUser']]:
 
+        # Standard way to authenticate via API
+        # https://datatracker.ietf.org/doc/html/rfc7235#section-4.2
+        token = conn.headers.get('Authorization')
 
-        token = cookies_from_scope(conn.scope).get('JWTToken')
+        if not token:
+            token = cookies_from_scope(conn.scope).get('Authorization')
 
         is_check_call = 'check' in conn.query_params
         is_fake_user_id = is_check_call and 'user_id' in conn.query_params
diff --git a/tests/test_jwt_middleware.py b/tests/test_jwt_middleware.py
index b2979a8..ebe0d8b 100644
--- a/tests/test_jwt_middleware.py
+++ b/tests/test_jwt_middleware.py
@@ -50,6 +50,12 @@ def test_jwt_Token(dummy_app, token_builder):
     dummy_app.add_route('/test', test_route)
     test_client = TestClient(dummy_app)
 
+    resp = test_client.request('get', '/test',
+        cookies={
+            'Authorization': token_builder
+        })
+    assert resp.status_code == 200
+
     resp = test_client.request('get', '/test',
         headers={
             'Authorization': token_builder
@@ -57,6 +63,7 @@ def test_jwt_Token(dummy_app, token_builder):
     assert resp.status_code == 200
 
 
+
 def test_jwt_DebugFalse(dummy_app, token_debug_false_builder):
     async def test_route(request):
         assert isinstance(request.user, JWTUser)
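Review bot: The new comment cites RFC 7235, but `token = conn.headers.get('Authorization')` takes the raw header value as the JWT, so a conforming client sending `Authorization: Bearer <jwt>` would presumably fail to decode unless the code below the hunk strips the scheme, which is not visible here; either state in the comment that the header must carry the bare token, or accept the scheme with `scheme, _, rest = token.partition(' ')` followed by `token = rest.strip() if scheme.lower() == 'bearer' else token`. Reading the credential from a cookie named `Authorization` means a browser attaches it to every matching request on its own, unlike the header, so routes behind this backend that change state need a CSRF defence (for example a restrictive `SameSite` attribute on that cookie), and a comment next to the cookie fallback should say so. The removed line read the `JWTToken` cookie, which is no longer consulted, so a client still setting it silently becomes anonymous; a short deprecation comment or a transitional fallback to the old name would make that explicit. The enclosing method starts and ends outside the hunk.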
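Review bot: The new cookie case in test_jwt_Token exercises the fallback on its own, but none of the added cases (here and in the hunks at -65, -82 and -101) sends a cookie and a header together, so the precedence the middleware now implements — header first, cookie only when the header is absent or empty — is untested; one request with a valid header and a deliberately invalid `Authorization` cookie asserting 200 would pin it. A request carrying neither credential, asserting whatever status the backend returns for an unauthenticated call, would also guard the `if not token:` branch against regressions. Each test function's body continues outside its hunk.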
@@ -65,6 +72,12 @@ def test_jwt_DebugFalse(dummy_app, token_debug_false_builder):
     dummy_app.add_route('/test', test_route)
     test_client = TestClient(dummy_app)
 
+    resp = test_client.request('get', '/test',
+        cookies={
+            'Authorization': token_debug_false_builder
+        })
+    assert resp.status_code == 200
+
     resp = test_client.request('get', '/test',
         headers={
             'Authorization': token_debug_false_builder
@@ -82,6 +95,12 @@ def test_jwt_DebugTrue(dummy_app, token_debug_true_builder):
     dummy_app.add_route('/test', test_route)
     test_client = TestClient(dummy_app)
 
+    resp = test_client.request('get', '/test',
+        cookies={
+            'Authorization': token_debug_true_builder
+        })
+    assert resp.status_code == 400
+
     resp = test_client.request('get', '/test',
         headers={
             'Authorization': token_debug_true_builder
@@ -101,7 +120,13 @@ def test_jwt_DebugTrue_DebugApp(dummy_debug_app, token_debug_true_builder):
     test_client = TestClient(dummy_debug_app)
 
     resp = test_client.request('get', '/test',
-        headers={
-            'Authorization': token_debug_true_builder
+        cookies={
+            'Authorization': token_debug_true_builder
+        })
+    assert resp.status_code == 200
+
+    resp = test_client.request('get', '/test',
+        headers={
+            'Authorization': token_debug_true_builder
         })
     assert resp.status_code == 200