Closed
Bug 1140458
Opened 10 years ago
Closed 10 years ago
backport upstream bug 1139755 to bmo/master to allow API authentication with X-Headers
Categories (bugzilla.mozilla.org :: API, enhancement)
RESOLVED FIXED
People (Reporter: dkl, Assigned: dkl)
Attachments (1 file): patch, 2.34 KB, glob: review+
+++ This bug was initially created as a clone of Bug #1139755 +++
Would be great to allow Authentication in GET requests via something other than url-params.
(the URL-params issue has been the root cause of a sec bug I'm dealing with right now)
While API-Key login for the API exists, it still can get exposed in some apache logs or client software error messages.
I propose we allow Http headers to do the login, such as:
Header:
X-Bugzilla-API-Key: <>
If present we use that... etc.
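The log exposure described above can be audited on the server side. The following is an added example, not code from this bug or from Bugzilla: it scans Apache access-log lines for credentials passed as URL parameters and redacts them. The parameter names are assumed from Bugzilla's REST documentation, and the log lines and key values are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Query parameters that carry Bugzilla credentials (assumed from the REST docs).
SENSITIVE = {"api_key", "bugzilla_api_key", "token", "bugzilla_token",
             "password", "bugzilla_password"}
# Request line inside an Apache common/combined log entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_line(line):
    """Return (redacted_line, leaked_param_names) for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return line, []
    parts = urlsplit(m.group("target"))
    leaked, kept = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE:
            leaked.append(name)
            value = "REDACTED"
        kept.append((name, value))
    if not leaked:
        return line, []
    target = parts._replace(query=urlencode(kept)).geturl()
    start, end = m.span("target")
    return line[:start] + target + line[end:], leaked

def audit(lines):
    """Redact every line and collect (line_number, client_ip, leaked_names)."""
    redacted, findings = [], []
    for n, line in enumerate(lines, 1):
        clean, leaked = redact_line(line)
        redacted.append(clean)
        if leaked:
            findings.append((n, line.split(" ", 1)[0], leaked))
    return redacted, findings

# Constructed sample log lines; the key values are made-up placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2015:10:00:01 +0000] "GET /rest/bug/35?api_key=EXAMPLEKEY123&include_fields=id HTTP/1.1" 200 512',
    # Same request authenticated with the X-Bugzilla-API-Key header: nothing to leak.
    '192.0.2.11 - - [09/Mar/2015:10:00:02 +0000] "GET /rest/bug/35?include_fields=id HTTP/1.1" 200 512',
    '192.0.2.12 - - [09/Mar/2015:10:00:03 +0000] "GET /rest/bug/36?Bugzilla_api_key=EXAMPLEKEY456 HTTP/1.1" 200 734',
]

if __name__ == "__main__":
    redacted, findings = audit(SAMPLE_LOG)
    for n, ip, names in findings:
        print(f"line {n}: client {ip} sent {', '.join(names)} in the URL")
    print("\n".join(redacted))
```

Any key that turns up in a finding has already been written to disk in clear text, so it should be revoked and reissued in addition to being redacted.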
Comment 1•10 years ago (Assignee)
save you the trouble and to get this in next week's push.
Comment on attachment 8574023
1140458_1.patch
Review of attachment 8574023:
-----------------------------------------------------------------
r=glob
Attachment #8574023 - Flags: review?(glob) → review+
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
66a30b6..1049c71 master -> master
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 4•10 years ago
Will Bug 1141440 be backported to BMO this week?
(In reply to Kohei Yoshino [:kohei] from comment #4)
> Will Bug 1141440 be backported to BMO this week?
We pushed out a CORS fix for this to bmo last week (https://github.com/mozilla/webtools-bmo-bugzilla/commit/394c986139de2d75016c465b1280353acae9e615), so it should be working for you right now.
Bug 1141440 fixed it in a different way, and that's already been committed to bmo and will be pushed to prod this week (however this won't impact the headers we return; it's internal refactoring).
Comment 6•10 years ago
I should have checked the commit log first. Yes it's working. I just updated BzDeck to use the X-header. Thanks!