From 587c4981ece32a7967907f4731a1c1984bcfff2a Mon Sep 17 00:00:00 2001 From: Daisie Huang Date: Mon, 1 May 2023 20:44:49 -0700 Subject: [PATCH] consolidate TEST_KEY into Authorization --- htsget_server/authz.py | 6 +++--- tests/test_htsget_server.py | 5 ++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/htsget_server/authz.py b/htsget_server/authz.py index 6161e11a..7fe8ae51 100644 --- a/htsget_server/authz.py +++ b/htsget_server/authz.py @@ -11,7 +11,7 @@ def is_authed(id_, request): if request is None: return 401 - if request.headers.get("Test_Key") == TEST_KEY: + if request.headers.get("Authorization") == f"Bearer {TEST_KEY}": print("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") app.logger.warning("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") return 200 # no auth @@ -30,7 +30,7 @@ def is_authed(id_, request): def is_testing(request): - if request.headers.get("Test_Key") == TEST_KEY: + if request.headers.get("Authorization") == f"Bearer {TEST_KEY}": print("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") app.logger.warning("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") return True @@ -49,7 +49,7 @@ def is_site_admin(request): """ Is the user associated with the token a site admin? """ - if request.headers.get("Test_Key") == TEST_KEY: + if request.headers.get("Authorization") == f"Bearer {TEST_KEY}": print("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") app.logger.warning("WARNING: TEST MODE, AUTHORIZATION IS DISABLED") return True # no auth diff --git a/tests/test_htsget_server.py b/tests/test_htsget_server.py index 9677094c..df5c5e48 100644 --- a/tests/test_htsget_server.py +++ b/tests/test_htsget_server.py 
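Review bot: The bypass in `is_authed` still triggers on nothing but a string match against `TEST_KEY`, and after this change that value travels in the same `Authorization` header as real bearer tokens; the identical condition in `is_testing` and `is_site_admin` has the same problem, and in the latter it grants site-admin. How `TEST_KEY` is defined is outside these hunks, so this part is inferred: if it can be unset or fall back to a default, `f"Bearer {TEST_KEY}"` becomes a fixed string such as `Bearer None` that acts as a master credential. I would require a non-empty key and compare in constant time, e.g. `presented = request.headers.get("Authorization", "")` followed by `if TEST_KEY and hmac.compare_digest(presented.encode(), f"Bearer {TEST_KEY}".encode()):` (needs `import hmac`), and ideally gate the branch on an explicit testing setting as well. The bodies of all three functions continue outside the hunks.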
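Review bot: The test-mode branch in `is_testing` is duplicated verbatim in `is_authed` and `is_site_admin`, which is why this commit had to make the same one-line edit three times. The other two could delegate instead, `if is_testing(request): return 200` in `is_authed` and `if is_testing(request): return True` in `is_site_admin`, so the header check and the warning live in one place. The `print(...)` next to `app.logger.warning(...)` emits the same message twice and could be dropped at the same time.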
@@ -24,12 +24,11 @@ def get_headers(username=USERNAME, password=PASSWORD): - headers={"Test_Key": TEST_KEY} try: token = get_access_token(username=username, password=password) headers["Authorization"] = f"Bearer {token}" except Exception as e: - headers["Authorization"] = "Bearer testtest" + headers["Authorization"] = f"Bearer {TEST_KEY}" return headers @@ -354,7 +353,7 @@ def test_beacon_get_search(): # for an unauthorized user, the request should not contain a full response, just a count headers = get_headers(username="test", password="test") - headers.pop("Test_Key") + headers["Authorization"] = "Bearer unauthorized" response = requests.get(url, headers=headers) print(response.text) assert 'response' not in response.json()
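Review bot: With `headers={"Test_Key": TEST_KEY}` removed, nothing visible in `get_headers` creates `headers` before `headers["Authorization"] = ...` is assigned. Unless a module-level `headers` exists outside this hunk, the assignment in the try branch raises NameError, the broad `except Exception` catches it, and the fallback assignment raises it again uncaught; starting the function with `headers = {}` fixes that. The `except Exception as e` fallback also substitutes the `TEST_KEY` bearer whenever `get_access_token` fails for any reason, so a broken login path would leave the whole suite running with authorization disabled. Narrowing the exception or at least printing `e` would make that visible.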
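Review bot: In `test_beacon_get_search`, overwriting the header with `headers["Authorization"] = "Bearer unauthorized"` discards whatever `get_headers(username="test", password="test")` returned, so the request now carries an invalid token rather than a valid token for a user without access. Those are likely different code paths on the server (token rejected versus token accepted but not permitted), and the comment above the line describes the second one. If the "test" user can obtain a real token, keep it for this assertion and add a separate case for the invalid token; otherwise build the dict directly with `headers = {"Authorization": "Bearer unauthorized"}` and adjust the comment. The rest of the test function lies outside the hunk.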