http: allow header for auth token [GH-124]

CHANGELOG.md

@@ -4,7 +4,7 @@ FEATURES:
 
   * **New physical backend: `zookeeper`**: store physical data in Zookeeper.
       HA not supported yet.
-  * ** New credential backend: `ldap`**: authenticate using LDAP credentials.
+  * **New credential backend: `ldap`**: authenticate using LDAP credentials.
 
 IMPROVEMENTS:
 
@@ -13,6 +13,7 @@ IMPROVEMENTS:
   * command/*: `VAULT_TOKEN` overrides local stored auth [GH-162]
   * command/server: environment variables are copy-pastable
   * credential/app-id: hash of app and user ID are in metadata [GH-176]
+  * http: HTTP API accepts `X-Vault-Token` as auth header [GH-124]
   * logical/*: Generate help output even if no synopsis specified
 
 BUG FIXES:

http/handler.go

@@ -14,6 +14,9 @@ import (
 // AuthCookieName is the name of the cookie containing the token.
 const AuthCookieName = "token"
 
+// AuthHeaderName is the name of the header containing the token.
+const AuthHeaderName = "X-Vault-Token"
+
 // Handler returns an http.Handler for the API. This can be used on
 // its own to mount the Vault API within another web server.
 func Handler(core *vault.Core) http.Handler {
@@ -135,6 +138,11 @@ func requestAuth(r *http.Request, req *logical.Request) *logical.Request {
 		req.ClientToken = cookie.Value
 	}
 
+	// Attach the header value if we have it
+	if v := r.Header.Get(AuthHeaderName); v != "" {
+		req.ClientToken = v
+	}
+
 	return req
 }
 

http/handler_test.go

@@ -0,0 +1,45 @@
+package http
+
+import (
+	"net/http"
+	"reflect"
+	"testing"
+
+	"github.com/hashicorp/vault/vault"
+)
+
+// We use this test to verify header auth
+func TestSysMounts_headerAuth(t *testing.T) {
+	core, _, token := vault.TestCoreUnsealed(t)
+	ln, addr := TestServer(t, core)
+	defer ln.Close()
+
+	req, err := http.NewRequest("GET", addr+"/v1/sys/mounts", nil)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+	req.Header.Set(AuthHeaderName, token)
+
+	client := &http.Client{}
+	resp, err := client.Do(req)
+	if err != nil {
+		t.Fatalf("err: %s", err)
+	}
+
+	var actual map[string]interface{}
+	expected := map[string]interface{}{
+		"secret/": map[string]interface{}{
+			"description": "generic secret storage",
+			"type":        "generic",
+		},
+		"sys/": map[string]interface{}{
+			"description": "system endpoints used for control, policy and debugging",
+			"type":        "system",
+		},
+	}
+	testResponseStatus(t, resp, 200)
+	testResponseBody(t, resp, &actual)
+	if !reflect.DeepEqual(actual, expected) {
+		t.Fatalf("bad: %#v", actual)
+	}
+}

website/source/docs/http/index.html.md

@@ -35,7 +35,8 @@ depending on user settings.
 
 Once the Vault is unsealed, every other operation requires
 a _client token_. A user may have a client token explicitly.
-The client token must be sent as the `token` cookie.
+The client token must be sent as the `token` cookie or the
+`X-Vault-Token` HTTP header.
 
 Otherwise, a client token can be retrieved via
 [authentication backends](#).
@@ -46,7 +47,7 @@ and are used for authentication itself. These endpoints are specific
 to each authentication backend.
 
 Login endpoints for authentication backends that generate an identity
-will be sent down with a `Set-Cookie` header. If you are using a
+will be sent down with a `Set-Cookie` header as well as via JSON. If you have a
 well-behaved HTTP client, then authentication information will
 automatically be saved and sent to the Vault API.