From 20f17a5f783d85480f1164c05443bfb820c63358 Mon Sep 17 00:00:00 2001
From: Bernd Wachter <bernd.wachter@jollamobile.com>
Date: Wed, 6 Apr 2016 16:56:15 +0300
Subject: [PATCH 1/2] don't pass password to functions not using it

---
 rally-mode.el | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/rally-mode.el b/rally-mode.el
index d35d562..f950f90 100644
--- a/rally-mode.el
+++ b/rally-mode.el
@@ -93,23 +93,23 @@
        (buffer-string)
        )))
 
-(defun rally-make-url-lst (username password)
+(defun rally-make-url-lst (username)
   `(
     (query ,(format "((Owner.Name = %s ) AND (( Iteration.StartDate <= today ) AND (Iteration.EndDate >= today)) )" username ) )
     (order Rank)
     (fetch "true,WorkProduct,Tasks,Iteration,Estimate,State,ToDo,Name,Description,Type")
     ))
 
-(defun rally-make-query (username password)
+(defun rally-make-query (username)
    (rally-build-url
 	      "https://rally1.rallydev.com/slm/webservice/v2.0/task"
-	      (rally-make-url-lst username password)
+	      (rally-make-url-lst username)
 	       ))
 
 (defun rally-current-iteration-info (username password)
   (rally-basic-auth
-   (rally-make-query username password) 
-	       username 
+   (rally-make-query username)
+	       username
 	       password))
 
 (defun rally-extract-info (lst)

From d8e94309328cb329e5209f5ca6a3d0f195830a83 Mon Sep 17 00:00:00 2001
From: Bernd Wachter <bernd.wachter@jollamobile.com>
Date: Wed, 6 Apr 2016 17:23:04 +0300
Subject: [PATCH 2/2] allow authentication with API key instead of password

---
 rally-mode.el | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/rally-mode.el b/rally-mode.el
index f950f90..8859ca1 100644
--- a/rally-mode.el
+++ b/rally-mode.el
@@ -33,6 +33,7 @@
 
 (defvar rally-user)
 (defvar rally-password)
+(defvar rally-api-key)
 (defvar rally-tasks-cache nil)
 
 (define-derived-mode rally-mode special-mode "rally-mode"
@@ -78,6 +79,13 @@
   (concat url-server-string "?"
 	  (url-build-query-string params)))
 
+(defun rally--auth-header (user pass)
+  (if (boundp 'rally-api-key)
+      (cons "zsessionid" rally-api-key)
+    (cons "Authorization" (concat "Basic "
+                                  (base64-encode-string
+                                   (concat user ":" pass))))))
+
 (defun rally-basic-auth (url user pass)
   ;;(princ url) 
   (let ((xyz-block-authorisation t)
@@ -85,9 +93,7 @@
 	(url-queue-timeout 60)
 	(url-request-extra-headers 
 	 `(("Content-Type" . "application/xml")
-	   ("Authorization" . ,(concat "Basic "
-				       (base64-encode-string
-					(concat user ":" pass)))))))
+           ,(rally--auth-header user pass))))
      (with-current-buffer (url-retrieve-synchronously url t)
        (delete-region 1 url-http-end-of-headers)
        (buffer-string)