Skip to content

Commit ebe93da

Browse files
tausmantausman
committed
Remove mutual exclusivity between PAT and API+App key auth
1 parent 2cdc7c8 commit ebe93da

3 files changed

Lines changed: 6 additions & 18 deletions

File tree

.generator/src/generator/templates/client.j2

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -84,16 +84,12 @@ func UseDelegatedTokenAuth(ctx context.Context, headerParams *map[string]string,
8484
}
8585

8686
// SetAuthKeys sets the appropriate values in the headers parameter.
87-
// When a bearer token is present in the context, only the
88-
// Authorization: Bearer header is sent. No API key or app key
89-
// headers are included — bearer auth is a standalone auth path.
9087
func SetAuthKeys(ctx context.Context, headerParams *map[string]string, keys ...[2]string) {
9188
if ctx == nil {
9289
return
9390
}
9491
if bearerToken, ok := ctx.Value(ContextBearerToken).(string); ok {
9592
(*headerParams)[authorizationHeader] = fmt.Sprintf(bearerTokenFormat, bearerToken)
96-
return
9793
}
9894
for _, key := range keys {
9995
if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {

api/datadog/client.go

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -86,16 +86,12 @@ func UseDelegatedTokenAuth(ctx context.Context, headerParams *map[string]string,
8686
}
8787

8888
// SetAuthKeys sets the appropriate values in the headers parameter.
89-
// When a bearer token is present in the context, only the
90-
// Authorization: Bearer header is sent. No API key or app key
91-
// headers are included — bearer auth is a standalone auth path.
9289
func SetAuthKeys(ctx context.Context, headerParams *map[string]string, keys ...[2]string) {
9390
if ctx == nil {
9491
return
9592
}
9693
if bearerToken, ok := ctx.Value(ContextBearerToken).(string); ok {
9794
(*headerParams)[authorizationHeader] = fmt.Sprintf(bearerTokenFormat, bearerToken)
98-
return
9995
}
10096
for _, key := range keys {
10197
if auth, ok := ctx.Value(ContextAPIKeys).(map[string]APIKey); ok {

tests/api/client_test.go

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -161,7 +161,7 @@ func TestApiAppKeyAuthenticate(t *testing.T) {
161161
assert.Equal(t, headers["DD-APPLICATION-KEY"], appKey)
162162
}
163163

164-
func TestPATAuthentication(t *testing.T) {
164+
func TestBearerTokenAuthentication(t *testing.T) {
165165
pat := "ddapp_test-pat-token"
166166
keys := map[string]datadog.APIKey{
167167
"apiKeyAuth": {Key: "api-key"},
@@ -181,8 +181,7 @@ func TestPATAuthentication(t *testing.T) {
181181
[2]string{"appKeyAuth", "DD-APPLICATION-KEY"},
182182
)
183183
assert.Equal(t, "Bearer ddapp_test-pat-token", headers["Authorization"])
184-
assert.Empty(t, headers["DD-API-KEY"], "PAT auth should not send DD-API-KEY")
185-
assert.Empty(t, headers["DD-APPLICATION-KEY"], "PAT auth should not send DD-APPLICATION-KEY")
184+
assert.Equal(t, "api-key", headers["DD-API-KEY"], "API key should still be sent alongside bearer token")
186185
}
187186

188187
func TestNewDefaultContextWithBearerToken(t *testing.T) {
@@ -196,19 +195,18 @@ func TestNewDefaultContextWithBearerToken(t *testing.T) {
196195
assert.Equal(t, "ddapp_test-pat-token", bearerToken)
197196
}
198197

199-
func TestNewDefaultContextBearerTokenOverridesAppKey(t *testing.T) {
198+
func TestNewDefaultContextAllAuthHeadersSentTogether(t *testing.T) {
200199
t.Setenv("DD_API_KEY", "test-api-key")
201200
t.Setenv("DD_APP_KEY", "test-app-key")
202201
t.Setenv("DD_BEARER_TOKEN", "ddapp_test-pat-token")
203202

204203
ctx := datadog.NewDefaultContext(context.Background())
205-
// App key is still stored, but bearer token takes precedence in SetAuthKeys
206204
keys := ctx.Value(datadog.ContextAPIKeys).(map[string]datadog.APIKey)
207205
assert.Equal(t, "test-app-key", keys["appKeyAuth"].Key)
208206
bearerToken := ctx.Value(datadog.ContextBearerToken).(string)
209207
assert.Equal(t, "ddapp_test-pat-token", bearerToken)
210208

211-
// Verify bearer token is used — no API key or app key headers
209+
// All auth headers should be sent together
212210
headers := map[string]string{}
213211
datadog.SetAuthKeys(
214212
ctx,
@@ -217,8 +215,8 @@ func TestNewDefaultContextBearerTokenOverridesAppKey(t *testing.T) {
217215
[2]string{"appKeyAuth", "DD-APPLICATION-KEY"},
218216
)
219217
assert.Equal(t, "Bearer ddapp_test-pat-token", headers["Authorization"])
220-
assert.Empty(t, headers["DD-API-KEY"], "Bearer auth should not send DD-API-KEY")
221-
assert.Empty(t, headers["DD-APPLICATION-KEY"], "Bearer auth should not send DD-APPLICATION-KEY")
218+
assert.Equal(t, "test-api-key", headers["DD-API-KEY"], "API key should be sent alongside bearer token")
219+
assert.Equal(t, "test-app-key", headers["DD-APPLICATION-KEY"], "App key should be sent alongside bearer token")
222220
}
223221

224222
func TestNewDefaultContextAppKeyWithoutBearerToken(t *testing.T) {
@@ -257,6 +255,4 @@ func TestPATBearerHeaderSentViaHTTPClient(t *testing.T) {
257255

258256
assert.Equal(t, 200, httpResp.StatusCode)
259257
assert.Equal(t, "Bearer "+pat, capturedHeaders.Get("Authorization"))
260-
assert.Empty(t, capturedHeaders.Get("DD-API-KEY"), "PAT auth should not send DD-API-KEY")
261-
assert.Empty(t, capturedHeaders.Get("DD-APPLICATION-KEY"), "PAT auth should not send DD-APPLICATION-KEY")
262258
}

0 commit comments

Comments
 (0)