feat: Update API token handling to use API-TOKEN header and improve related tests

2025-07-27 22:15:23 +02:00
parent 3dc21337f9
commit 58030914e6
5 changed files with 80 additions and 85 deletions
--- a/app/core/dependencies.py
+++ b/app/core/dependencies.py
@@ -94,26 +94,19 @@ async def get_current_active_user(

 async def get_current_user_api_token(
    auth_service: Annotated[AuthService, Depends(get_auth_service)],
-    authorization: Annotated[str | None, Header()] = None,
+    api_token_header: Annotated[str | None, Header(alias="API-TOKEN")] = None,
 ) -> User:
-    """Get the current authenticated user from API token in Authorization header."""
+    """Get the current authenticated user from API token in API-TOKEN header."""
    try:
-        # Check if Authorization header exists
-        if not authorization:
+        # Check if API-TOKEN header exists
+        if not api_token_header:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Authorization header required",
+                detail="API-TOKEN header required",
            )

-        # Check if it's a Bearer token
-        if not authorization.startswith("Bearer "):
-            raise HTTPException(
-                status_code=status.HTTP_401_UNAUTHORIZED,
-                detail="Invalid authorization header format",
-            )
-
-        # Extract the API token
-        api_token = authorization[7:]  # Remove "Bearer " prefix
+        # Use the API token directly
+        api_token = api_token_header.strip()
        if not api_token:
            raise HTTPException(
                status_code=status.HTTP_401_UNAUTHORIZED,
@@ -158,12 +151,12 @@ async def get_current_user_api_token(
 async def get_current_user_flexible(
    auth_service: Annotated[AuthService, Depends(get_auth_service)],
    access_token: Annotated[str | None, Cookie()] = None,
-    authorization: Annotated[str | None, Header()] = None,
+    api_token_header: Annotated[str | None, Header(alias="API-TOKEN")] = None,
 ) -> User:
    """Get the current authenticated user from either JWT cookie or API token."""
-    # Try API token first if Authorization header is present
-    if authorization:
-        return await get_current_user_api_token(auth_service, authorization)
+    # Try API token first if API-TOKEN header is present
+    if api_token_header:
+        return await get_current_user_api_token(auth_service, api_token_header)

    # Fall back to JWT cookie authentication
    return await get_current_user(auth_service, access_token)