From f65ded4282d91470797b0e36dfd5e2d108954d98 Mon Sep 17 00:00:00 2001
From: adrinr
Date: Thu, 9 Mar 2023 14:02:55 +0100
Subject: [PATCH] Allow bearer token for auth
---
 packages/backend-core/src/constants/misc.ts | 1 +
 packages/backend-core/src/middleware/authenticated.ts | 10 ++++++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/packages/backend-core/src/constants/misc.ts b/packages/backend-core/src/constants/misc.ts
index e25c90575f..a4a1806618 100644
--- a/packages/backend-core/src/constants/misc.ts
+++ b/packages/backend-core/src/constants/misc.ts
@@ -23,6 +23,7 @@ export enum Header {
 TOKEN = "x-budibase-token",
 CSRF_TOKEN = "x-csrf-token",
 CORRELATION_ID = "x-budibase-correlation-id",
+ AUTHORIZATION = "authorization",
 }

 export enum GlobalRole {
diff --git a/packages/backend-core/src/middleware/authenticated.ts b/packages/backend-core/src/middleware/authenticated.ts
index 8a97319586..f877985ee0 100644
--- a/packages/backend-core/src/middleware/authenticated.ts
+++ b/packages/backend-core/src/middleware/authenticated.ts
@@ -96,9 +96,15 @@ export default function (
 }
 try {
 // check the actual user is authenticated first, try header or cookie
- const headerToken = ctx.request.headers[Header.TOKEN]
+ let headerToken = ctx.request.headers[Header.TOKEN]
+
 const authCookie = getCookie(ctx, Cookie.Auth) || openJwt(headerToken)
- const apiKey = ctx.request.headers[Header.API_KEY]
+ let apiKey = ctx.request.headers[Header.API_KEY]
+
+ if (!apiKey && ctx.request.headers[Header.AUTHORIZATION]) {
+ apiKey = ctx.request.headers[Header.AUTHORIZATION].split(" ")[1]
+ }
+
 const tenantId = ctx.request.headers[Header.TENANT_ID]
 let authenticated = false,
 user = null,
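Review bot: The new Authorization fallback in authenticated.ts does not check the scheme: `ctx.request.headers[Header.AUTHORIZATION].split(" ")[1]` accepts whatever follows the first space, so a `Basic …` or other non-Bearer credential is passed on as an API key, and a value with no space or with repeated spaces leaves `apiKey` as `undefined` or an empty string. Since the commit is titled as allowing bearer tokens, the branch should match the `Bearer` scheme case-insensitively and require a non-empty token before assigning, as sketched below. How `apiKey` is looked up, and whether a rejected value is logged, is outside this hunk, so it is worth confirming that mis-sent credentials do not end up in logs. `headerToken` is not reassigned in the visible lines and could stay `const`. The enclosing middleware function starts and ends outside the hunk.

```typescript
let apiKey = ctx.request.headers[Header.API_KEY]

const authHeader = ctx.request.headers[Header.AUTHORIZATION]
if (!apiKey && typeof authHeader === "string") {
  // Accept only "Bearer <token>"; other schemes are not API keys.
  const [scheme, token] = authHeader.trim().split(/\s+/)
  if (scheme.toLowerCase() === "bearer" && token) {
    apiKey = token
  }
}
// … unchanged: tenantId lookup and authentication state …
```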