From 43ebe6d943b517e84898d61a36077bbea6868527 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Feb 21 2017 02:13:30 +0000
Subject: Merge #343 `Use an authorization header instead of cookie for OIDC authn.`

---

diff --git a/contrib/submit_build.py b/contrib/submit_build.py
index e8660ca..346a770 100644
--- a/contrib/submit_build.py
+++ b/contrib/submit_build.py
@@ -99,4 +99,4 @@
 print "Using https://%s/module_build_service/module-builds/" % mbs_host
 print "NOTE: You need to be a Fedora packager for this to work"
 print
-os.system("curl -b 'oidc_token=%s' -k -H 'Content-Type: text/json' --data @submit-build.json https://%s/module-build-service/1/module-builds/ -v" % (token, mbs_host))
+os.system("curl -k -H 'Authorization: Bearer %s' -H 'Content-Type: text/json' --data @submit-build.json https://%s/module-build-service/1/module-builds/ -v" % (token, mbs_host))
diff --git a/module_build_service/auth.py b/module_build_service/auth.py
index 3f51888..1d6ade9 100644
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -28,7 +28,6 @@ from module_build_service import app, log
 import requests
 import json
 
-from six.moves.urllib.parse import urlencode
 
 
 def _json_loads(content):
@@ -90,11 +89,15 @@ def get_user(request):
 
     _load_secrets()
 
-    if not "oidc_token" in request.cookies:
-        raise Unauthorized("Cannot verify OIDC token: No 'oidc_token' "
-                           "cookie found.")
+    if not "authorization" in request.headers:
+        raise Unauthorized("No 'authorization' header found.")
 
-    token = request.cookies["oidc_token"]
+    header = request.headers['authorization'].strip()
+    prefix = 'Bearer '
+    if not header.startswith(prefix):
+        raise Unauthorized("Authorization headers must start with %r" % prefix)
+
+    token = header[len(prefix):].strip()
     try:
         data = _get_token_info(token)
     except Exception as e:
diff --git a/tests/test_views/test_views.py b/tests/test_views/test_views.py
index 6de9da8..2970e21 100644
--- a/tests/test_views/test_views.py
+++ b/tests/test_views/test_views.py
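Review bot: The new `os.system` line in contrib/submit_build.py still passes `-k`, so the bearer token is sent over a TLS connection whose certificate is never verified, and the token is interpolated into a shell string, so a value containing a quote or shell metacharacter breaks or injects into the command; `-v` additionally echoes the Authorization header to stderr. A list-form call avoids the shell and the flag: `subprocess.call(["curl", "-H", "Authorization: Bearer %s" % token, "-H", "Content-Type: text/json", "--data", "@submit-build.json", "https://%s/module-build-service/1/module-builds/" % mbs_host])`. Either way the token remains visible on the process command line to other local users; passing the header through a curl config file read from stdin (`-K -`) would keep it out of `ps`. Where `token` comes from is outside this hunk, so whether it has already been validated is not visible here.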
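Review bot: In `get_user`, the scheme check `header.startswith('Bearer ')` is case-sensitive, whereas RFC 7235 §2.1 makes the auth-scheme case-insensitive, so a compliant client sending `bearer <token>` is rejected; and because `.strip()` runs first, a bare `Authorization: Bearer` with no token is reported with the misleading "must start with" message rather than as a missing token. A tolerant parse is three lines: `scheme, _, token = header.partition(' ')`, `if scheme.lower() != 'bearer' or not token.strip(): raise Unauthorized("Expected 'Authorization: Bearer <token>'")`, then `token = token.strip()`. The `%r` in the new error message is safe since `prefix` is a constant rather than request data, so nothing attacker-controlled is reflected. `get_user` begins before this hunk and its `except Exception as e:` branch continues after it, so how a rejected token is logged or reported there cannot be checked from this view.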
@@ -270,7 +270,7 @@ class TestViews(unittest.TestCase):
         data = json.loads(rv.data)
         self.assertEquals(
             data['message'],
-            "Cannot verify OIDC token: No 'oidc_token' cookie found."
+            "No 'authorization' header found."
         )
         self.assertEquals(data['status'], 401)
         self.assertEquals(data['error'], 'Unauthorized')
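Review bot: Only the missing-header path is asserted here; the new branch in `get_user` that rejects a non-Bearer scheme (`raise Unauthorized("Authorization headers must start with %r" % prefix)`) has no test, so a regression in the prefix check would pass this suite. Add a sibling case that issues the same request with `headers={'Authorization': 'Basic abc'}` and asserts `data['status'] == 401` together with `data['message'] == "Authorization headers must start with 'Bearer '"`. The enclosing test method starts before this hunk, so the request setup such a case would reuse is not visible here.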