Read authorization from cookie as well as header

tpoliaw · tpoliaw · commit 910d91b012f4 · 2026-03-12T16:39:56.000Z
diff --git a/src/blueapi/service/authentication.py b/src/blueapi/service/authentication.py
@@ -14,6 +14,7 @@
 import httpx
 import jwt
 import requests
+from fastapi import Cookie, Header
 from fastapi.requests import HTTPConnection
 from fastapi.security import OAuth2AuthorizationCodeBearer
 from fastapi.security.utils import get_authorization_scheme_param
@@ -274,8 +275,13 @@ def sync_auth_flow(self, request):
 class CommonHttpOAuth(OAuth2AuthorizationCodeBearer):
     """Extended version of OAuth2 Auth to work with both WebSockets and HTTP Requests"""
 
-    async def __call__(self, request: HTTPConnection) -> str | None:
-        authorization = request.headers.get("Authorization")
+    async def __call__(
+        self,
+        request: HTTPConnection,
+        auth_header: str | None = Header(alias="Authorization", default=None),
+        auth_cookie: str | None = Cookie(alias="Authorization", default=None),
+    ) -> str | None:
+        authorization = auth_header or auth_cookie
         scheme, param = get_authorization_scheme_param(authorization)
         if not authorization or scheme.lower() != "bearer":
             if self.auto_error:
