From 55a19b65e0d2e9bcb6e168139ee1af0f8770d6f9 Mon Sep 17 00:00:00 2001
From: Josh Wulf <josh.wulf@camunda.com>
Date: Wed, 5 Feb 2025 19:34:31 +1300
Subject: [PATCH] fix(oauth): pass out full auth header from getToken method

fixes #367
---
 src/__tests__/oauth/OAuthProvider.unit.spec.ts |  8 ++++----
 src/admin/lib/AdminApiClient.ts                |  2 +-
 src/c8/lib/CamundaRestClient.ts                |  2 +-
 src/modeler/lib/ModelerAPIClient.ts            |  3 +--
 src/oauth/lib/BasicAuthProvider.ts             |  2 +-
 src/oauth/lib/BearerAuthProvider.ts            |  2 +-
 src/oauth/lib/OAuthProvider.ts                 | 10 +++++++---
 src/operate/lib/OperateApiClient.ts            |  4 ++--
 src/optimize/lib/OptimizeApiClient.ts          |  4 ++--
 src/tasklist/lib/TasklistApiClient.ts          |  4 ++--
 src/zeebe/lib/GrpcClient.ts                    |  4 ++--
 src/zeebe/zb/ZeebeRESTClient.ts                |  4 ++--
 12 files changed, 26 insertions(+), 23 deletions(-)

diff --git a/src/__tests__/oauth/OAuthProvider.unit.spec.ts b/src/__tests__/oauth/OAuthProvider.unit.spec.ts
index fbee122b..e78bb4a4 100644
--- a/src/__tests__/oauth/OAuthProvider.unit.spec.ts
+++ b/src/__tests__/oauth/OAuthProvider.unit.spec.ts
@@ -601,11 +601,11 @@ describe('OAuthProvider', () => {
 			CAMUNDA_BASIC_AUTH_USERNAME: 'admin',
 			// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		} as any)
-		const token = await oAuthProvider.getToken('ZEEBE')
+		const Authorization = await oAuthProvider.getToken('ZEEBE')
 		await got
 			.get('http://localhost:3033', {
 				headers: {
-					Authorization: 'Basic ' + token,
+					Authorization,
 				},
 			})
 			.then((res) => {
@@ -634,11 +634,11 @@ describe('OAuthProvider', () => {
 			CAMUNDA_OAUTH_TOKEN: 'mysecrettoken',
 			// eslint-disable-next-line @typescript-eslint/no-explicit-any
 		} as any)
-		const token = await oAuthProvider.getToken('ZEEBE')
+		const Authorization = await oAuthProvider.getToken('ZEEBE')
 		await got
 			.get('http://localhost:3033', {
 				headers: {
-					Authorization: 'Bearer ' + token,
+					Authorization,
 				},
 			})
 			.then((res) => {
diff --git a/src/admin/lib/AdminApiClient.ts b/src/admin/lib/AdminApiClient.ts
index 8a75f860..acf48c69 100644
--- a/src/admin/lib/AdminApiClient.ts
+++ b/src/admin/lib/AdminApiClient.ts
@@ -72,7 +72,7 @@ export class AdminApiClient {
 		const token = await this.oAuthProvider.getToken('CONSOLE')
 		const headers = {
 			'content-type': 'application/json',
-			authorization: `Bearer ${token}`,
+			authorization: token,
 			'user-agent': this.userAgentString,
 			accept: '*/*',
 		}
diff --git a/src/c8/lib/CamundaRestClient.ts b/src/c8/lib/CamundaRestClient.ts
index 56d6f4d8..dd4e8e48 100644
--- a/src/c8/lib/CamundaRestClient.ts
+++ b/src/c8/lib/CamundaRestClient.ts
@@ -149,7 +149,7 @@ export class CamundaRestClient {
 
 		const headers = {
 			'content-type': 'application/json',
-			authorization: `Bearer ${token}`,
+			authorization: token,
 			'user-agent': this.userAgentString,
 			accept: '*/*',
 		}
diff --git a/src/modeler/lib/ModelerAPIClient.ts b/src/modeler/lib/ModelerAPIClient.ts
index becbf89a..e8215cca 100644
--- a/src/modeler/lib/ModelerAPIClient.ts
+++ b/src/modeler/lib/ModelerAPIClient.ts
@@ -63,8 +63,7 @@ export class ModelerApiClient {
 	}
 
 	private async getHeaders() {
-		const token = await this.oAuthProvider.getToken('MODELER')
-		const authorization = `Bearer ${token}`
+		const authorization = await this.oAuthProvider.getToken('MODELER')
 		const headers = {
 			'content-type': 'application/json',
 			authorization,
diff --git a/src/oauth/lib/BasicAuthProvider.ts b/src/oauth/lib/BasicAuthProvider.ts
index 925c90a2..1cacf321 100644
--- a/src/oauth/lib/BasicAuthProvider.ts
+++ b/src/oauth/lib/BasicAuthProvider.ts
@@ -34,6 +34,6 @@ export class BasicAuthProvider implements IOAuthProvider {
 		const token = Buffer.from(`${this.username}:${this.password}`).toString(
 			'base64'
 		)
-		return Promise.resolve(token)
+		return Promise.resolve(`Basic ${token}`)
 	}
 }
diff --git a/src/oauth/lib/BearerAuthProvider.ts b/src/oauth/lib/BearerAuthProvider.ts
index e29d8068..d313519c 100644
--- a/src/oauth/lib/BearerAuthProvider.ts
+++ b/src/oauth/lib/BearerAuthProvider.ts
@@ -29,6 +29,6 @@ export class BearerAuthProvider implements IOAuthProvider {
 	public async getToken(audienceType: TokenGrantAudienceType): Promise<string> {
 		debug(`Token request for ${audienceType}`)
 
-		return Promise.resolve(this.bearerToken)
+		return Promise.resolve(`Bearer ${this.bearerToken}`)
 	}
 }
diff --git a/src/oauth/lib/OAuthProvider.ts b/src/oauth/lib/OAuthProvider.ts
index 4ed27369..83c1c4d4 100644
--- a/src/oauth/lib/OAuthProvider.ts
+++ b/src/oauth/lib/OAuthProvider.ts
@@ -188,7 +188,7 @@ export class OAuthProvider implements IOAuthProvider {
 				trace(`In-memory token ${token.audience} is expired`)
 			} else {
 				trace(`Using in-memory cached token ${token.audience}`)
-				return this.tokenCache[key].access_token
+				return this.addBearer(this.tokenCache[key].access_token)
 			}
 		}
 		if (this.useFileCache) {
@@ -203,7 +203,7 @@ export class OAuthProvider implements IOAuthProvider {
 					trace(`File cached token ${cachedToken.audience} is expired`)
 				} else {
 					trace(`Using file cached token ${cachedToken.audience}`)
-					return cachedToken.access_token
+					return this.addBearer(cachedToken.access_token)
 				}
 			}
 		}
@@ -344,7 +344,7 @@ export class OAuthProvider implements IOAuthProvider {
 						})
 					}
 					this.sendToMemoryCache({ audience: audienceType, token })
-					return token.access_token
+					return this.addBearer(token.access_token)
 				})
 		)
 	}
@@ -475,4 +475,8 @@ export class OAuthProvider implements IOAuthProvider {
 	private getAudience(audience: TokenGrantAudienceType) {
 		return this.audienceMap[audience]
 	}
+
+	private addBearer(token: string) {
+		return `Bearer ${token}`
+	}
 }
diff --git a/src/operate/lib/OperateApiClient.ts b/src/operate/lib/OperateApiClient.ts
index f8da941f..f372ec72 100644
--- a/src/operate/lib/OperateApiClient.ts
+++ b/src/operate/lib/OperateApiClient.ts
@@ -120,11 +120,11 @@ export class OperateApiClient {
 	}
 
 	private async getHeaders() {
-		const token = await this.oAuthProvider.getToken('OPERATE')
+		const authorization = await this.oAuthProvider.getToken('OPERATE')
 
 		return {
 			'content-type': 'application/json',
-			authorization: `Bearer ${token}`,
+			authorization,
 			'user-agent': this.userAgentString,
 			accept: '*/*',
 		}
diff --git a/src/optimize/lib/OptimizeApiClient.ts b/src/optimize/lib/OptimizeApiClient.ts
index defea64a..1d253bfe 100644
--- a/src/optimize/lib/OptimizeApiClient.ts
+++ b/src/optimize/lib/OptimizeApiClient.ts
@@ -96,11 +96,11 @@ export class OptimizeApiClient {
 	}
 
 	private async getHeaders(auth = true) {
-		const token = await this.oAuthProvider.getToken('OPTIMIZE')
+		const authorization = await this.oAuthProvider.getToken('OPTIMIZE')
 
 		const authHeader: { authorization: string } | Record<string, never> = auth
 			? {
-					authorization: `Bearer ${token}`,
+					authorization,
 				}
 			: {}
 
diff --git a/src/tasklist/lib/TasklistApiClient.ts b/src/tasklist/lib/TasklistApiClient.ts
index cfdeaf0c..f900051c 100644
--- a/src/tasklist/lib/TasklistApiClient.ts
+++ b/src/tasklist/lib/TasklistApiClient.ts
@@ -98,10 +98,10 @@ export class TasklistApiClient {
 	}
 
 	private async getHeaders() {
-		const token = await this.oAuthProvider.getToken('TASKLIST')
+		const authorization = await this.oAuthProvider.getToken('TASKLIST')
 		return {
 			'content-type': 'application/json',
-			authorization: `Bearer ${token}`,
+			authorization,
 			'user-agent': this.userAgentString,
 			accept: '*/*',
 		}
diff --git a/src/zeebe/lib/GrpcClient.ts b/src/zeebe/lib/GrpcClient.ts
index 40273768..5461eb44 100644
--- a/src/zeebe/lib/GrpcClient.ts
+++ b/src/zeebe/lib/GrpcClient.ts
@@ -538,8 +538,8 @@ export class GrpcClient extends EventEmitter {
 		const metadata = new Metadata({ waitForReady: false })
 		metadata.add('user-agent', this.userAgentString)
 		if (this.oAuth) {
-			const token = await this.oAuth.getToken('ZEEBE')
-			metadata.add('Authorization', `Bearer ${token}`)
+			const authorization = await this.oAuth.getToken('ZEEBE')
+			metadata.add('Authorization', authorization)
 		}
 		return metadata
 	}
diff --git a/src/zeebe/zb/ZeebeRESTClient.ts b/src/zeebe/zb/ZeebeRESTClient.ts
index 28d73093..b49757e1 100644
--- a/src/zeebe/zb/ZeebeRESTClient.ts
+++ b/src/zeebe/zb/ZeebeRESTClient.ts
@@ -87,11 +87,11 @@ export class ZeebeRestClient {
 	}
 
 	private async getHeaders() {
-		const token = await this.oAuthProvider.getToken('ZEEBE')
+		const authorization = await this.oAuthProvider.getToken('ZEEBE')
 
 		const headers = {
 			'content-type': 'application/json',
-			authorization: `Bearer ${token}`,
+			authorization,
 			'user-agent': this.userAgentString,
 			accept: '*/*',
 		}