Remove key check bypass and add ability to pass key in Authorization header

src/live_data_server/plots/view_util.py

@@ -24,10 +24,8 @@
     secret_key = settings.LIVE_PLOT_SECRET_KEY
     if len(secret_key) == 0:
         return None
-    else:
-        h = hashlib.sha1()
-        h.update(("%s%s%s" % (instrument.upper(), secret_key, run_id)).encode("utf-8"))
-        return h.hexdigest()
+
+    return hashlib.sha1(f"{instrument.upper()}{secret_key}{run_id}".encode("utf-8")).hexdigest()
 
 
 def check_key(fn):
@@ -43,11 +41,18 @@
         Decorator function
         """
         try:
-            client_key = request.GET.get("key", None)
             server_key = generate_key(instrument, run_id)
-            # Temporary bypass during testing
-            # Remove client_key is None condition when we deploy
-            if client_key is None or server_key is None or client_key == server_key:
+            if server_key is None:
+                return fn(request, instrument, run_id)
+
+            client_key = request.META.get("HTTP_AUTHORIZATION")
+
+            # getting the client_key from request.GET.get("key") should be
+            # removed after WebMon/WebRef supports Authorization request header
+            if client_key is None:
+                client_key = request.GET.get("key")
+
+            if client_key == server_key:
                 return fn(request, instrument, run_id)
             return HttpResponse(status=401)
         except:  # noqa: E722

tests/test_post_get.py

@@ -104,16 +104,22 @@ def test_get_request(self, data_server):
         assert http_request.text == "No data available for REF_M 12346"
 
         # test GET request - no key
-        # TODO: this should return 401 unauthorized
         url = base_url
         http_request = requests.get(url)
-        assert http_request.status_code == HTTP_OK
+        assert http_request.status_code == HTTP_UNAUTHORIZED
 
         # test GET request - wrong key
         url = f"{base_url}?key=WRONG-KEY"
         http_request = requests.get(url)
         assert http_request.status_code == HTTP_UNAUTHORIZED
 
+        # test GET request - wrong key
+        http_request = requests.get(
+            base_url,
+            headers={"Authorization": "WRONG-KEY"},
+        )
+        assert http_request.status_code == HTTP_UNAUTHORIZED
+
     def test_upload_plot_data_json(self):
         # test that when you upload json you can get back the same stuff
         instrument = "instrument0"
@@ -146,15 +152,17 @@ def test_upload_plot_data_json(self):
 
         # now get the data as json
         response = requests.get(
-            f"{TEST_URL}/plots/{instrument}/{run_number}/update/json/?key={_generate_key(instrument, run_number)}"
+            f"{TEST_URL}/plots/{instrument}/{run_number}/update/json/",
+            headers={"Authorization": _generate_key(instrument, run_number)},
         )
         assert response.status_code == HTTP_OK
         assert response.headers["Content-Type"] == "application/json"
         assert response.json() == data
 
         # now try getting it as html, should fail
         response = requests.get(
-            f"{TEST_URL}/plots/{instrument}/{run_number}/update/html/?key={_generate_key(instrument, run_number)}"
+            f"{TEST_URL}/plots/{instrument}/{run_number}/update/html/",
+            headers={"Authorization": _generate_key(instrument, run_number)},
         )
         assert response.status_code == HTTP_NOT_FOUND
         assert response.text == "No data available for instrument0 123"
@@ -235,9 +243,7 @@ def _generate_key(instrument, run_id):
     @param run_id: run number
     """
     secret_key = os.environ.get("LIVE_PLOT_SECRET_KEY")
-    if len(secret_key) == 0:
+    if secret_key is None or len(secret_key) == 0:
         return None
-    else:
-        h = hashlib.sha1()
-        h.update(("%s%s%s" % (instrument.upper(), secret_key, run_id)).encode("utf-8"))
-        return h.hexdigest()
+
+    return hashlib.sha1(f"{instrument.upper()}{secret_key}{run_id}".encode("utf-8")).hexdigest()