From d74a0d12aaf9a5fd0a5d5cbf6b45bdbf0a30355e Mon Sep 17 00:00:00 2001
From: Ross Whitfield
Date: Mon, 8 Jul 2024 10:32:25 +1000
Subject: [PATCH] Remove ability to send key via query string
---
 src/live_data_server/plots/view_util.py | 5 -----
 tests/test_post_get.py | 19 ++++++++-----------
 2 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/src/live_data_server/plots/view_util.py b/src/live_data_server/plots/view_util.py
index 2d128a9..8480f73 100644
--- a/src/live_data_server/plots/view_util.py
+++ b/src/live_data_server/plots/view_util.py
@@ -47,11 +47,6 @@ def request_processor(request, instrument, run_id):
 client_key = request.META.get("HTTP_AUTHORIZATION")
- # getting the client_key from request.GET.get("key") should be
- # removed after WebMon/WebRef supports Authorization request header
- if client_key is None:
- client_key = request.GET.get("key")
-
 if client_key == server_key:
 return fn(request, instrument, run_id)
 return HttpResponse(status=401)
diff --git a/tests/test_post_get.py b/tests/test_post_get.py
index 43f3256..4a352d5 100644
--- a/tests/test_post_get.py
+++ b/tests/test_post_get.py
@@ -88,34 +88,31 @@ def test_get_request(self, data_server):
 )
 assert http_request.status_code == HTTP_OK
- base_url = f"{TEST_URL}/plots/{instrument}/{run_number}/update/html/"
+ url = f"{TEST_URL}/plots/{instrument}/{run_number}/update/html/"
 # test GET request - authenticate with secret key
- url = f"{base_url}?key={_generate_key(instrument, run_number)}"
- http_request = requests.get(url)
+ http_request = requests.get(
+ url,
+ headers={"Authorization": _generate_key(instrument, run_number)},
+ )
 assert http_request.status_code == HTTP_OK
 assert http_request.text == files["file"]
 # test that getting the json should return not found
 http_request = requests.get(
- f"{TEST_URL}/plots/{instrument}/{run_number}/update/json/?key={_generate_key(instrument, run_number)}"
+ f"{TEST_URL}/plots/{instrument}/{run_number}/update/json/",
+ headers={"Authorization": _generate_key(instrument, run_number)},
 )
 assert http_request.status_code == HTTP_NOT_FOUND
 assert http_request.text == "No data available for REF_M 12346"
 # test GET request - no key
- url = base_url
- http_request = requests.get(url)
- assert http_request.status_code == HTTP_UNAUTHORIZED
-
- # test GET request - wrong key
- url = f"{base_url}?key=WRONG-KEY"
 http_request = requests.get(url)
 assert http_request.status_code == HTTP_UNAUTHORIZED
 # test GET request - wrong key
 http_request = requests.get(
- base_url,
+ url,
 headers={"Authorization": "WRONG-KEY"},
 )
 assert http_request.status_code == HTTP_UNAUTHORIZED
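Review bot: No assertion left in this test would fail if the `request.GET` key fallback were reintroduced. The only query-string case that was here, `?key=WRONG-KEY`, is deleted, and it expected 401 even while the fallback existed, so it never distinguished the two behaviours. A negative case with a valid key in the query string and no `Authorization` header would pin the change, for example after the no-key check: `http_request = requests.get(f"{url}?key={_generate_key(instrument, run_number)}")` followed by `assert http_request.status_code == HTTP_UNAUTHORIZED`. test_get_request starts before this hunk and may continue past it, so this assumes the setup outside the visible lines is unchanged.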