# HG changeset patch
# User Milka Kuzminski
# Date 2020-12-21 11:34:05
# Node ID 374a996c5ea69069f90a58731e9bfef305a8d37f
# Parent 41ef225e987815c778de64f6a6d6a653ee49c134
token-access: allow token in headers not only in GET/URL
diff --git a/rhodecode/lib/base.py b/rhodecode/lib/base.py
--- a/rhodecode/lib/base.py
+++ b/rhodecode/lib/base.py
@@ -469,7 +469,14 @@ def get_auth_user(request):
 ip_addr = get_ip_addr(environ)
 # make sure that we update permissions each time we call controller
- _auth_token = (request.GET.get('auth_token', '') or request.GET.get('api_key', ''))
+ _auth_token = (
+ # ?auth_token=XXX
+ request.GET.get('auth_token', '')
+ # ?api_key=XXX !LEGACY
+ or request.GET.get('api_key', '')
+ # or headers....
+ or request.headers.get('X-Rc-Auth-Token', '')
+ )
 if not _auth_token and request.matchdict:
 url_auth_token = request.matchdict.get('_auth_token')
 _auth_token = url_auth_token
diff --git a/rhodecode/tweens.py b/rhodecode/tweens.py
--- a/rhodecode/tweens.py
+++ b/rhodecode/tweens.py
@@ -119,3 +119,4 @@ def includeme(config):
 # This needs to be the LAST item
 config.add_tween('rhodecode.lib.middleware.request_wrapper.RequestWrapperTween')
+ log.debug('configured all tweens')
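Review bot: The new `_auth_token` expression in get_auth_user (rhodecode/lib/base.py) gives the `auth_token` and `api_key` query parameters priority over the `X-Rc-Auth-Token` header, and the `# or headers....` comment does not say so, so a request carrying both authenticates with the URL value without any signal. Query-string tokens end up in access logs, browser history and Referer headers, so I would mark the header as the preferred channel, e.g. `# X-Rc-Auth-Token header: preferred, keeps the token out of URLs and access logs`, and state the lookup order in a comment above the assignment. The rest of get_auth_user lies outside the hunk, so it is not visible whether any per-view restriction on token access applies equally to a header-supplied token. That is worth confirming, because a client configured with the header will typically send it on every request rather than only on URLs built for one view.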