Fix #857: Support Basic Auth for the JBI Api Key (#860)

Author: leplatrem

jbi/router.py

@@ -8,7 +8,7 @@
 from fastapi import APIRouter, Body, Depends, HTTPException, Request, Response, status
 from fastapi.encoders import jsonable_encoder
 from fastapi.responses import HTMLResponse
-from fastapi.security import APIKeyHeader
+from fastapi.security import APIKeyHeader, HTTPBasic, HTTPBasicCredentials
 from fastapi.templating import Jinja2Templates
 
 from jbi import bugzilla, jira
@@ -75,15 +75,22 @@ def version(version_json: VersionDep):
     return version_json
 
 
-header_scheme = APIKeyHeader(name="X-Api-Key")
+header_scheme = APIKeyHeader(name="X-Api-Key", auto_error=False)
+basicauth_scheme = HTTPBasic(auto_error=False)
 
 
 def api_key_auth(
-    settings: SettingsDep, api_key: Annotated[str, Depends(header_scheme)]
+    settings: SettingsDep,
+    api_key: Annotated[str, Depends(header_scheme)],
+    basic_auth: Annotated[HTTPBasicCredentials, Depends(basicauth_scheme)],
 ):
-    if not secrets.compare_digest(api_key, settings.jbi_api_key):
+    if not api_key and basic_auth:
+        api_key = basic_auth.password
+    if not api_key or not secrets.compare_digest(api_key, settings.jbi_api_key):
         raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED, detail="Forbidden"
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Incorrect API Key",
+            headers={"WWW-Authenticate": "Basic"},
         )
 
 

tests/conftest.py

@@ -79,10 +79,15 @@ def anon_client():
 
 
 @pytest.fixture
-def authenticated_client():
-    """An test client with a valid API key."""
+def test_api_key():
     # api key for tests defined in .env.example
-    return TestClient(app, headers={"X-Api-Key": "fake_api_key"})
+    return "fake_api_key"
+
+
+@pytest.fixture
+def authenticated_client(test_api_key):
+    """An test client with a valid API key."""
+    return TestClient(app, headers={"X-Api-Key": test_api_key})
 
 
 @pytest.fixture

tests/unit/test_router.py

@@ -1,3 +1,4 @@
+import base64
 import json
 import os
 from datetime import datetime
@@ -26,10 +27,23 @@ def test_read_root(anon_client):
     ],
 )
 def test_get_protected_endpoints(
-    endpoint, webhook_request_factory, mocked_bugzilla, anon_client
+    endpoint, webhook_request_factory, mocked_bugzilla, anon_client, test_api_key
 ):
     resp = anon_client.get(endpoint)
-    assert resp.status_code == 403
+    assert resp.status_code == 401
+
+    # Supports authentication via `X-Api-Key` header
+    resp = anon_client.get(endpoint, headers={"X-Api-Key": test_api_key})
+    assert resp.status_code == 200
+
+    # Supports authentication via Basic Auth header
+    username_password = ":" + test_api_key
+    credentials_b64 = base64.b64encode(username_password.encode("utf8")).decode("utf8")
+    resp = anon_client.get(
+        endpoint,
+        headers={"Authorization": f"Basic {credentials_b64}"},
+    )
+    assert resp.status_code == 200
 
 
 def test_whiteboard_tags(authenticated_client):
@@ -148,7 +162,7 @@ def test_webhook_is_401_if_unathenticated(
         "/bugzilla_webhook",
         data={},
     )
-    assert response.status_code == 403
+    assert response.status_code == 401
 
 
 def test_webhook_is_401_if_wrong_key(