Merge pull request #432 from Ecwid/authorization-header

use headers for auth instead of parameters

Author: ChesterEcwid

src/main/kotlin/com/ecwid/apiclient/v3/ApiClientHelper.kt

@@ -30,9 +30,8 @@ import java.util.logging.Logger
 import kotlin.random.Random
 import kotlin.reflect.KClass
 
-const val API_TOKEN_PARAM_NAME = "token"
-private const val APP_CLIENT_ID_PARAM_NAME = "appClientId"
-const val APP_CLIENT_SECRET_PARAM_NAME = "appSecretKey"
+private const val APP_CLIENT_ID_HEADER_NAME = "X-Ecwid-App-Client-Id"
+private const val APP_CLIENT_SECRET_HEADER_NAME = "X-Ecwid-App-Secret-Key"
 private const val RESPONSE_FIELDS_PARAM_NAME = "responseFields"
 private const val REQUEST_ID_HEADER_NAME = "X-Ecwid-Api-Request-Id"
 
@@ -238,7 +237,7 @@ class ApiClientHelper private constructor(
 			return
 		}
 
-		val securePatterns = createSecurePatterns(loggingSettings)
+		val securePatterns = createSecurePatterns()
 		logEntry(
 			prefix = "Request",
 			logLevel = Level.INFO,
@@ -259,10 +258,8 @@ class ApiClientHelper private constructor(
 	@PublishedApi
 	internal fun RequestInfo.toHttpRequest(requestId: String, responseFieldsOverride: ResponseFields?): HttpRequest {
 		val uri = createApiEndpointUri(pathSegments)
-		val params = params
-			.withCredentialsParams(credentials)
-			.let { if (responseFieldsOverride != null) it.withResponseFieldsParam(responseFieldsOverride) else it }
-		val headers = headers.withRequestId(requestId)
+		val params = if (responseFieldsOverride != null) params.withResponseFieldsParam(responseFieldsOverride) else params
+		val headers = headers.withRequestId(requestId).withCredentials(credentials)
 
 		return when (method) {
 			HttpMethod.GET -> HttpRequest.HttpGetRequest(
@@ -313,7 +310,7 @@ class ApiClientHelper private constructor(
 			return
 		}
 
-		val securePatterns = createSecurePatterns(loggingSettings)
+		val securePatterns = createSecurePatterns()
 		logEntry(
 			prefix = "Response",
 			logLevel = Level.INFO,
@@ -440,9 +437,9 @@ internal fun generateRequestId(): String {
 }
 
 @PublishedApi
-internal fun Map<String, String>.withCredentialsParams(credentials: ApiCredentials) = when (credentials) {
-	is ApiStoreCredentials -> this.withApiTokenParam(credentials.apiToken)
-	is ApiAppCredentials -> withAppCredentialsParams(credentials)
+internal fun Map<String, String>.withCredentials(credentials: ApiCredentials) = when (credentials) {
+	is ApiStoreCredentials -> this.withApiTokenHeader(credentials.apiToken)
+	is ApiAppCredentials -> withAppCredentialsHeaders(credentials)
 }
 
 internal fun Map<String, String>.withResponseFieldsParam(responseFields: ResponseFields): Map<String, String> {
@@ -454,20 +451,20 @@ internal fun Map<String, String>.withResponseFieldsParam(responseFields: Respons
 }
 
 @PublishedApi
-internal fun Map<String, String>.withApiTokenParam(apiToken: String): Map<String, String> {
+internal fun Map<String, String>.withApiTokenHeader(apiToken: String): Map<String, String> {
 	return toMutableMap()
 		.apply {
-			put(API_TOKEN_PARAM_NAME, apiToken)
+			put("Authorization", "Bearer $apiToken")
 		}
 		.toMap()
 }
 
 @PublishedApi
-internal fun Map<String, String>.withAppCredentialsParams(appCredentials: ApiAppCredentials): Map<String, String> {
+internal fun Map<String, String>.withAppCredentialsHeaders(appCredentials: ApiAppCredentials): Map<String, String> {
 	return toMutableMap()
 		.apply {
-			put(APP_CLIENT_ID_PARAM_NAME, appCredentials.clientId)
-			put(APP_CLIENT_SECRET_PARAM_NAME, appCredentials.clientSecret)
+			put(APP_CLIENT_ID_HEADER_NAME, appCredentials.clientId)
+			put(APP_CLIENT_SECRET_HEADER_NAME, appCredentials.clientSecret)
 		}
 		.toMap()
 }

src/main/kotlin/com/ecwid/apiclient/v3/config/LoggingSettings.kt

@@ -4,10 +4,6 @@ data class LoggingSettings(
 	val logRequest: Boolean = true,
 	val logRequestParams: Boolean = true,
 	val logRequestBody: Boolean = false,
-	/* DISABLE FOR DEBUG PURPOSES ONLY! */
-	val maskRequestApiToken: Boolean = true,
-	/* DISABLE FOR DEBUG PURPOSES ONLY! */
-	val maskRequestApiSecretKey: Boolean = true,
 
 	val logResponse: Boolean = true,
 	val logSuccessfulResponseBody: Boolean = false,

src/main/kotlin/com/ecwid/apiclient/v3/httptransport/impl/ApacheCommonsHttpClientTransport.kt

@@ -128,6 +128,7 @@ open class ApacheCommonsHttpClientTransport(
 			val httpClientBuilder = HttpClientBuilder.create()
 				.setConnectionManager(connectionManager)
 				.setDefaultRequestConfig(requestConfig)
+				.setRedirectStrategy(RemoveDisallowedHeadersRedirectStrategy())
 			// TODO .setRetryHandler()
 			// TODO .setServiceUnavailableRetryStrategy()
 			if (defaultHeaders.isNotEmpty()) {
@@ -137,3 +138,4 @@ open class ApacheCommonsHttpClientTransport(
 		}
 	}
 }
+

src/main/kotlin/com/ecwid/apiclient/v3/httptransport/impl/RemoveDisallowedHeadersRedirectStrategy.kt

@@ -0,0 +1,75 @@
+package com.ecwid.apiclient.v3.httptransport.impl
+
+import org.apache.http.Header
+import org.apache.http.HttpStatus
+import org.apache.http.client.methods.HttpGet
+import org.apache.http.client.methods.HttpHead
+import org.apache.http.client.methods.HttpUriRequest
+import org.apache.http.client.methods.RequestBuilder
+import org.apache.http.impl.client.DefaultRedirectStrategy
+import org.apache.http.protocol.HttpContext
+
+/**
+ * List of headers that can be passed to a redirect location.
+ * We should NOT expose any custom headers and Authorization header to external sources
+ */
+private val allowedHeaders = setOf(
+	"Accept",
+	"Accept-Charset",
+	"Accept-Encoding",
+	"Accept-Language",
+	"Access-Control-Request-Method",
+	"Access-Control-Request-Headers",
+	"Cache-Control",
+	"Connection",
+	"Content-Encoding",
+	"Content-Length",
+	"Content-Type",
+	"Date",
+	"Host",
+	"HTTP2-Settings",
+	"If-Match",
+	"If-Modified-Since",
+	"If-None-Match",
+	"If-Unmodified-Since",
+	"Origin",
+	"Referer",
+	"User-Agent",
+	"X-Forwarded-For",
+	"X-Forwarded-Host",
+	"X-Forwarded-Proto"
+)
+
+class RemoveDisallowedHeadersRedirectStrategy : DefaultRedirectStrategy() {
+	override fun getRedirect(
+		request: org.apache.http.HttpRequest,
+		response: org.apache.http.HttpResponse,
+		context: HttpContext?
+	): HttpUriRequest {
+		val uri = getLocationURI(request, response, context)
+		val method = request.requestLine.method
+		return if (method.equals(HttpHead.METHOD_NAME, ignoreCase = true)) {
+			object : HttpHead(uri) {
+				override fun setHeaders(headers: Array<out Header>) {
+					super.setHeaders(headers.filter { it.name in allowedHeaders }.toTypedArray())
+				}
+			}
+		} else {
+			val httpGet = object : HttpGet(uri) {
+				override fun setHeaders(headers: Array<out Header>) {
+					super.setHeaders(headers.filter { it.name in allowedHeaders }.toTypedArray())
+				}
+			}
+			if (method.equals(HttpGet.METHOD_NAME, ignoreCase = true)) {
+				httpGet
+			} else {
+				val status = response.statusLine.statusCode
+				if (status == HttpStatus.SC_TEMPORARY_REDIRECT || status == SC_PERMANENT_REDIRECT) {
+					RequestBuilder.copy(request).setUri(uri).build()
+				} else {
+					httpGet
+				}
+			}
+		}
+	}
+}

src/main/kotlin/com/ecwid/apiclient/v3/util/SecurePatterns.kt

@@ -1,18 +1,7 @@
 package com.ecwid.apiclient.v3.util
 
-import com.ecwid.apiclient.v3.API_TOKEN_PARAM_NAME
-import com.ecwid.apiclient.v3.APP_CLIENT_SECRET_PARAM_NAME
-import com.ecwid.apiclient.v3.config.LoggingSettings
-
 private const val PARAM_VALUE_PATTERN = "([^;,)]+)"
 
-private val API_TOKEN_SECURE_PATTERN = SecurePattern(
-	regex = Regex("$API_TOKEN_PARAM_NAME=(?:secret_|public_|)$PARAM_VALUE_PATTERN"),
-	unmaskedLength = 6
-)
-
-private val API_SECRET_KEY_SECURE_PATTERN = createKeyValueSecurePattern(APP_CLIENT_SECRET_PARAM_NAME)
-
 private val GLOBAL_SECURE_PATTERNS = listOf(
 	createKeyValueSecurePattern("email"),
 	createJsonSecurePattern("email"),
@@ -35,12 +24,6 @@ fun createJsonSecurePattern(paramName: String) = SecurePattern(
 	unmaskedLength = 6
 )
 
-fun createSecurePatterns(loggingSettings: LoggingSettings) = mutableListOf<SecurePattern>().apply {
-	if (loggingSettings.maskRequestApiToken) {
-		add(API_TOKEN_SECURE_PATTERN)
-	}
-	if (loggingSettings.maskRequestApiSecretKey) {
-		add(API_SECRET_KEY_SECURE_PATTERN)
-	}
+fun createSecurePatterns() = mutableListOf<SecurePattern>().apply {
 	addAll(GLOBAL_SECURE_PATTERNS)
 }.toList()