From de0781fdf4a15d824d880afb012d548a084f79b8 Mon Sep 17 00:00:00 2001
From: Byron Jones
Date: Mon, 9 Mar 2015 14:29:44 +0800
Subject: Bug 1139755: Allow API authentication with X-Headers r=dkl,a=glob
---
 Bugzilla/WebService/Util.pm | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)
(limited to 'Bugzilla/WebService/Util.pm')
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index a0a51a8de..5d7dd7dd6 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -16,6 +16,7 @@ use Bugzilla::FlagType;
 use Bugzilla::Error;
 use Storable qw(dclone);
+use URI::Escape qw(uri_unescape);
 use parent qw(Exporter);
@@ -260,8 +261,25 @@ sub params_to_objects {
 return \@objects;
 }
+use constant X_HEADERS => {
+ X_BUGZILLA_LOGIN => 'Bugzilla_login',
+ X_BUGZILLA_PASSWORD => 'Bugzilla_password',
+ X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
+ X_BUGZILLA_TOKEN => 'Bugzilla_token',
+};
+
 sub fix_credentials {
- my ($params) = @_;
+ my ($params, $cgi) = @_;
+
+ # Allow user to pass in authentication details in X-Headers
+ # This allows callers to keep credentials out of GET request query-strings
+ if ($cgi) {
+ foreach my $field (keys %{ X_HEADERS() }) {
+ next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) eq '';
+ $params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field));
+ }
+ }
+
 # Allow user to pass in login=foo&password=bar as a convenience
 # even if not calling GET /login. We also do not delete them as
 # GET /login requires "login" and "password".
--
cgit v1.2.3-24-g4f1b
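Review bot: In the loop added to fix_credentials, `$cgi->http($field) eq ''` compares undef with a string whenever a header is absent, assuming `http()` returns undef for a missing header as CGI.pm's accessor does. The field is still skipped, but if warnings are enabled in this file, every request that omits any of the four headers would log an "uninitialized value" warning. Read the value once and test definedness first: `my $value = $cgi->http($field);` then `next if exists $params->{X_HEADERS->{$field}} || !defined $value || $value eq '';`, and pass `$value` to `uri_unescape`. Because the value is always percent-decoded, a comment such as `# Header values must be URI-escaped by the client; a literal '%' in a password has to be sent as %25` would tell callers what encoding is expected. The body of fix_credentials continues past the end of this hunk.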