Send token via authorization header

metabrainz/decorators.py

@@ -3,7 +3,7 @@
 from flask import request, current_app, make_response
 import six
 import requests
-from metabrainz.errors import APIBadRequest, APIUnauthorized, APIForbidden
+from metabrainz.errors import APIUnauthorized, APIForbidden
 
 NOTIFICATION_SCOPE = 'notification'
 
@@ -80,7 +80,7 @@ def wrapped_function(*args, **kwargs):
 def ccg_token_required(f):
     """
     This decorator protects an endpoint by validating an access token.
-    Token should be provided as a query parameter.
+    Token should be provided in the Authorization header.
     Token must be generated by an official MeB project and must contain 'notification' scope.
 
     Raises:
@@ -90,10 +90,14 @@ def ccg_token_required(f):
 
     """
     @wraps(f)
-    def decorated(*args,**kwargs):
-        token = request.args.get('token')
+    def decorated(*args, **kwargs):
+        auth_header = request.headers.get("Authorization")
+        if not auth_header or not auth_header.startswith("Bearer "):
+            raise APIUnauthorized("Missing or invalid Authorization header.")
+        token = auth_header.split(" ", 1)[1]
         if not token:
-            raise APIBadRequest('Missing access token.')
+            raise APIUnauthorized("Missing access token.")
+
         data = {
             "client_id": current_app.config["MUSICBRAINZ_CLIENT_ID"],
             "client_secret": current_app.config["MUSICBRAINZ_CLIENT_SECRET"],

metabrainz/errors.py

@@ -1,4 +1,4 @@
-from flask import render_template, jsonify, Response
+from flask import render_template, jsonify
 
 
 def init_error_handlers(app):

metabrainz/notifications/views.py

@@ -18,8 +18,8 @@
 def get_notifications(user_id: int):
     """
     Fetch notifications for a user.
-    An access token must be provided as a query paramater.
-    
+    An access token must be provided in the Authorization header, formatted as `Bearer <token>`.
+
     If none of the optional parameters are specified, this endpoint returns the 
     :data:`~DEFAULT_NOTIFICATION_FETCH_COUNT` most recent notifications across all projects, including both read and unread.
 
@@ -108,8 +108,7 @@ def get_notifications(user_id: int):
 def mark_notifications(user_id: int):
     """
     Mark notifications as read or unread for a user.
-    An access token must be provided as a query paramater.
-
+    An access token must be provided in the Authorization header, formatted as `Bearer <token>`.
     The request must include a JSON body with at least one of the ``read`` or ``unread`` arrays containing notification ID's.
 
     Example request body:
@@ -128,7 +127,7 @@ def mark_notifications(user_id: int):
         {
             "status": "ok"
         }
-    
+
     :param token: Required. Access token for authentication.
     :reqheader Content-Type: *application/json*
     :statuscode 200: Notifications successfully updated.
@@ -179,7 +178,7 @@ def mark_notifications(user_id: int):
 def remove_notifications(user_id: int):
     """
     Delete notifications for a user.
-    An access token must be provided as a query paramater.
+    An access token must be provided in the Authorization header, formatted as `Bearer <token>`.
 
     The request must include a JSON array of notification IDs that belongs to the user.
 
@@ -234,7 +233,7 @@ def remove_notifications(user_id: int):
 def send_notifications():
     """
     Inserts batch of notifications for a project.
-    An access token must be provided as a query paramater.
+    An access token must be provided in the Authorization header, formatted as `Bearer <token>`.
 
     The request must include a JSON array of notifications.
 
@@ -340,7 +339,8 @@ def send_notifications():
 def set_digest_preference(user_id):
     """
     Get and update the digest preference of the user.
-
+    An access token must be provided in the Authorization header, formatted as `Bearer <token>`.
+
     **To get the digest preference of the user, a GET request must be made to this endpoint.**
     Returns JSON of the following format: