From 4758165129c42722b8981e73d424d30189ca8700 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Mar 30 2018 11:10:14 +0000 Subject: Allow use of pagure token and OIDC token in the same time Signed-off-by: Clement Verna --- diff --git a/pagure/api/__init__.py b/pagure/api/__init__.py index edafa7c..9c45012 100644 --- a/pagure/api/__init__.py +++ b/pagure/api/__init__.py @@ -171,8 +171,8 @@ def check_oidc_token(scopes, optional=False): valid = False if 'Authorization' in flask.request.headers: token = flask.request.headers.get("Authorization").strip() - if token.startswith('token '): - token = token[len('token '):].strip() + if token.startswith('Bearer '): + token = token[len('Bearer '):].strip() valid = oidc.validate_token(token=token, scopes_required=scopes) if valid is True: @@ -242,17 +242,20 @@ def api_login_required(acls=None, optional=False): def decorated_function(*args, **kwargs): ''' Actually does the job with the arguments provided. ''' - if pagure_config.get('OIDC_API_TOKEN', False): + # First verify pagure's API token, if the token is not valid + # then check if this is an OIDC token. + response = check_api_acls(acls) + if response is not None: + if pagure_config.get('OIDC_API_TOKEN', False): - scopes = create_oidc_scopes(acls, kwargs) - response = check_oidc_token(scopes) + scopes = create_oidc_scopes(acls, kwargs) + oidc_response = check_oidc_token(scopes) - if response is not None: - return response - else: - response = check_api_acls(acls) - if response: + if oidc_response is not None: + return oidc_response + else: return response + return function(*args, **kwargs) return decorated_function 
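Review bot: In check_oidc_token the `Bearer ` prefix is only stripped, never required, so an Authorization header carrying any other scheme — including pagure's own `token <key>`, which the new fallback in api_login_required now routes here whenever check_api_acls returns a rejection — is handed verbatim to `oidc.validate_token`. If validate_token introspects the token remotely, that ships a pagure API key to the OIDC provider; the comparison is also case-sensitive, whereas HTTP treats the auth-scheme name as case-insensitive. Gate the validation on the scheme instead of only stripping it: `if token.startswith('Bearer '):` / `token = token[len('Bearer '):].strip()` / `valid = oidc.validate_token(token=token, scopes_required=scopes)` with the call indented under the `if`, so `valid` stays False for any non-Bearer header. The rest of check_oidc_token lies outside the hunk.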
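Review bot: When both checks fail, decorated_function returns `oidc_response` regardless of which scheme the client presented, so a caller sending a pagure `token` that is expired or lacks the requested ACL now receives the OIDC error instead of the pagure one check_api_acls produced; the real reason is hidden and the 401 body changes depending on whether OIDC_API_TOKEN is enabled. Report the failure for the scheme actually used, e.g. replace `return oidc_response` with `auth = flask.request.headers.get('Authorization', '')` / `return oidc_response if auth.startswith('Bearer ') else response`. The comment above the new block says "if the token is not valid", but check_api_acls presumably also rejects a valid token that lacks an ACL; widening it to "if pagure's API token is missing, invalid or lacks the ACLs" would match the code. The enclosing api_login_required begins outside the hunk.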
@@ -271,15 +274,19 @@ def api_login_optional(acls=None): @functools.wraps(function) def decorated_function(*args, **kwargs): ''' Actually does the job with the arguments provided. ''' - if pagure_config.get('OIDC_API_TOKEN', False): - scopes = ['openid'] - response = check_oidc_token(scopes, optional=True) - if response is not None: - return response - else: - response = check_api_acls(acls, optional=True) - if response: + + # First verify pagure's API token, if the token is not valid + # then check if this is an OIDC token. + response = check_api_acls(acls, optional=True) + if response is not None: + if pagure_config.get('OIDC_API_TOKEN', False): + scopes = ['openid'] + oidc_response = check_oidc_token(scopes, optional=True) + if oidc_response is not None: + return oidc_response + else: return response + return function(*args, **kwargs) return decorated_function
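Review bot: In api_login_optional the pagure path passes `acls` to `check_api_acls(acls, optional=True)`, but the OIDC fallback only demands `scopes = ['openid']`, so a request presumably rejected on the pagure path for a missing ACL can still succeed with a Bearer token that carries no matching scope; api_login_required derives its scopes from `create_oidc_scopes(acls, kwargs)` instead. If the asymmetry is intended for optional endpoints, state it in the comment above `response = check_api_acls(acls, optional=True)`; otherwise use `scopes = create_oidc_scopes(acls, kwargs)` here as well. The pagure-then-OIDC fallback is now duplicated almost verbatim between the two decorators, and a shared helper taking `(acls, scopes, optional)` would keep the two from drifting. The enclosing api_login_optional begins outside the hunk.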