BREAKING: use Authorization: Bearer token scheme (see #8)

project_amber/const.py

@@ -2,7 +2,8 @@
 
 EMPTY_RESP = dumps({})  # Empty response, to be used in requests.
 
-AUTH_TOKEN_HEADER = "X-Auth-Token"
+AUTH_TOKEN_HEADER = "Authorization"
+AUTH_TOKEN_SCHEME = "Bearer"
 
 DAY_SECONDS = 60 * 60 * 24
 MATURE_SESSION = DAY_SECONDS * 2  # The difference in times between the login
@@ -11,7 +12,7 @@
 
 MSG_INVALID_JSON = "Payload needs to contain valid JSON"
 MSG_MISSING_AUTH_INFO = "Missing 'username' or 'password'"
-MSG_NO_TOKEN = f"No {AUTH_TOKEN_HEADER} present"
+MSG_NO_TOKEN = f"No {AUTH_TOKEN_HEADER} header present"
 MSG_INVALID_TOKEN = "Invalid token"
 MSG_USER_NOT_FOUND = "This user does not exist"
 MSG_USER_EXISTS = "The user with this name already exists"

project_amber/handlers/__init__.py

@@ -5,7 +5,7 @@
 
 from project_amber.db import db
 from project_amber.const import MSG_NO_TOKEN, MSG_INVALID_TOKEN, MSG_USER_NOT_FOUND, \
-    MSG_USER_EXISTS, MSG_INVALID_JSON, AUTH_TOKEN_HEADER
+    MSG_USER_EXISTS, MSG_INVALID_JSON, AUTH_TOKEN_HEADER, AUTH_TOKEN_SCHEME
 from project_amber.errors import Unauthorized, BadRequest, InternalServerError
 from project_amber.models.auth import User, Session
 
@@ -46,9 +46,15 @@ def login_required(f):
     """
     @wraps(f)
     def decorated_login_function(*args, **kwargs):
-        token = request.headers.get(AUTH_TOKEN_HEADER)
-        if token is None:
+        token_header = request.headers.get(AUTH_TOKEN_HEADER)
+        if token_header is None:
             raise Unauthorized(MSG_NO_TOKEN)
+        token_data = token_header.split(" ")
+        if len(token_data) < 2:
+            raise Unauthorized(MSG_INVALID_TOKEN)
+        if token_data[0] != AUTH_TOKEN_SCHEME:
+            raise Unauthorized(MSG_INVALID_TOKEN)
+        token = token_data[1]
         user_s = db.session.query(Session).filter_by(token=token).one_or_none()
         if user_s is None:
             raise Unauthorized(MSG_INVALID_TOKEN)