Closed Bug 1139755 Opened 10 years ago Closed 10 years ago

Allow API authentication with X-Headers

Categories

(Bugzilla :: WebService, enhancement)

enhancement
Not set
normal

Tracking

RESOLVED FIXED
Bugzilla 6.0

People

(Reporter: Callek, Assigned: glob)

Details

(Keywords: relnote)

Attachments

(1 file)

Would be great to allow Authentication in GET requests via something other than url-params. (The URL-params issue has been the root cause of a sec bug I'm dealing with right now.)

While API-Key login for the API exists, it still can get exposed in some Apache logs or client software error messages.

I propose we allow HTTP headers to do the login, such as:

Header: X-Bugzilla-API-Key: <>

If present we use that... etc.
Severity: normal → enhancement
OS: Windows 8.1 → All
Hardware: x86_64 → All
Assignee: webservice → glob
Summary: Allow Authentication with Headers in GET requests, rather than url-params → Allow API authentication with X-Headers
Attached patch 1139755_1.patch

- adds x-header auth support for login, password, api-key, and token
- limited to REST and JSONRPC only
Attachment #8573717 - Flags: review?(dkl)
Comment on attachment 8573717
1139755_1.patch

Review of attachment 8573717:
-----------------------------------------------------------------

Works as expected and looks good to me. r=dkl
Attachment #8573717 - Flags: review?(dkl) → review+
Flags: approval?
Blocks: 1140458
To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   243d66a..de0781f  master -> master

for the docs http://bugzilla.readthedocs.org/en/latest/api/core/v1/general.html#authentication :

--8<--
Alternatively authentication credentials can be provided via one of the following X-Headers:
X-BUGZILLA-LOGIN
X-BUGZILLA-PASSWORD
X-BUGZILLA-API-KEY
X-BUGZILLA-TOKEN

Credentials passed as part of the query string take precedence over X-header credentials.
--8<--
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: documentation?
Flags: approval?
Flags: approval+
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 6.0
Fix 'Use of uninitialized value' warning

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   de0781f..1f54136  master -> master
Keywords: relnote
Depends on: 1141440
Blocks: 1141440
No longer depends on: 1141440
Depends on: 1143550
Blocks: 1143550
No longer depends on: 1143550
(In reply to Byron Jones ‹:glob› (Unavailable until 4th Jan) from comment #3)
> for the docs
> http://bugzilla.readthedocs.org/en/latest/api/core/v1/general.html#authentication :
> --8<--
> Alternatively authentication credentials can be provided via one of the
> following X-Headers:
> X-BUGZILLA-LOGIN
> X-BUGZILLA-PASSWORD
> X-BUGZILLA-API-KEY
> X-BUGZILLA-TOKEN
>
> Credentials passed as part of the query string take precedence over X-header
> credentials.
> --8<--

To ssh://gitolite3@git.mozilla.org/bugzilla/bugzilla.git
   c80aed6..cd52bd0  master -> master
Flags: documentation? → documentation+
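
An added example, not part of this bug or of Bugzilla's code, for the log-exposure concern in the report: it prepares a request that carries the key in X-BUGZILLA-API-KEY, shows what an access log would record of it, and scans and redacts log lines where a secret was sent in the URL. The query parameter names, host, key values and log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit
from urllib.request import Request

# Query-string parameter names assumed to carry Bugzilla API secrets.
CRED_PARAMS = {"api_key", "token", "password",
               "Bugzilla_api_key", "Bugzilla_token", "Bugzilla_password"}
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
REDACT_RE = re.compile(r'([?&](?:%s)=)[^&\s"]*' % "|".join(sorted(CRED_PARAMS)))

# Constructed sample lines in Apache common log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Mar/2015:10:01:02 +0000] "GET /rest/bug/35?api_key=EXAMPLEKEY0123 HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Mar/2015:10:01:09 +0000] "GET /rest/bug/35 HTTP/1.1" 200 512',
    '192.0.2.11 - - [05/Mar/2015:10:02:30 +0000] "GET /rest/bug?id=35&Bugzilla_token=EXAMPLETOKEN HTTP/1.1" 200 840',
]

def build_header_request(url, api_key):
    """Prepare (do not send) a GET that carries the key in a header."""
    return Request(url, headers={"X-BUGZILLA-API-KEY": api_key})

def access_log_target(req):
    """Path plus query string: what a default access log records of a request."""
    parts = urlsplit(req.full_url)
    return parts.path + ("?" + parts.query if parts.query else "")

def scan_access_log(lines):
    """Return (line_number, parameter_name) for each secret found in a logged URL."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match is None:
            continue
        for name, _ in parse_qsl(urlsplit(match.group(1)).query, keep_blank_values=True):
            if name in CRED_PARAMS:
                hits.append((number, name))
    return hits

def redact(line):
    """Mask secret values so the line can be archived or shared."""
    return REDACT_RE.sub(r"\1REDACTED", line)

if __name__ == "__main__":
    req = build_header_request("https://bugzilla.example.org/rest/bug/35", "EXAMPLEKEY0123")
    print(access_log_target(req))  # the key is in a header, so it is absent here
    for number, name in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: {name} in URL, rotate it ->", redact(SAMPLE_LOG[number - 1]))
```

Because the documentation quoted above gives query-string credentials precedence over the X-headers, a client that sends both still puts the secret in the URL, so any hit from the scan means that credential should be rotated.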