Pass Bugzilla API key in request header instead of query param (#396)

leplatrem · web-flow · commit 1f81b0206a1f · 2023-02-09T18:06:48.000+01:00
See https://bmo.readthedocs.io/en/latest/api/core/v1/general.html?highlight=x-bugzilla-api-key#authentication While trying the new Webhooks endpoint, I realized that passing the API key in query params didn't work. The endpoint was expecting the `"x-bugzilla-api-key"` header.
diff --git a/jbi/services/bugzilla.py b/jbi/services/bugzilla.py
@@ -33,8 +33,10 @@ def __init__(self, base_url, api_key):
 
     def _call(self, verb, url, *args, **kwargs):
         """Send HTTP requests with API key in querystring parameters."""
-        # Send API key as querystring parameter.
-        kwargs.setdefault("params", {}).setdefault("api_key", self.api_key)
+        # Send API key in headers.
+        # https://bmo.readthedocs.io/en/latest/api/core/v1/general.html?highlight=x-bugzilla-api-key#authentication
+        headers = kwargs.setdefault("headers", {})
+        headers.setdefault("x-bugzilla-api-key", self.api_key)
         resp = self._client.request(verb, url, *args, **kwargs)
         resp.raise_for_status()
         parsed = resp.json()
diff --git a/tests/unit/services/test_bugzilla.py b/tests/unit/services/test_bugzilla.py
@@ -2,6 +2,7 @@
 
 import pytest
 import responses
+from responses import matchers
 
 from jbi.environment import get_settings
 from jbi.services.bugzilla import BugzillaClientError, get_client
@@ -35,14 +36,23 @@ def test_bugzilla_methods_are_retried_if_raising(mocked_responses):
 
 
 @pytest.mark.no_mocked_bugzilla
-def test_bugzilla_key_is_passed_in_querystring(mocked_responses):
-    url = (
-        f"{get_settings().bugzilla_base_url}/rest/whoami?api_key=fake_bugzilla_api_key"
+def test_bugzilla_key_is_passed_in_header(mocked_responses):
+    url = f"{get_settings().bugzilla_base_url}/rest/whoami"
+    mocked_responses.add(
+        responses.GET,
+        url,
+        json={"id": "you"},
+        match=[
+            matchers.header_matcher({"x-bugzilla-api-key": "fake_bugzilla_api_key"})
+        ],
     )
-    mocked_responses.add(responses.GET, url, json={"id": "you"})
 
     assert get_client().logged_in
 
+    assert len(mocked_responses.calls) == 1
+    # The following assertion is redundant with matchers but also more explicit.
+    assert "x-bugzilla-api-key" in mocked_responses.calls[0].request.headers
+
 
 @pytest.mark.no_mocked_bugzilla
 def test_bugzilla_raises_if_response_has_error(mocked_responses):
