Accept cloud token as header (#1696)

MarceloRGonc · web-flow · commit 9b6afa3e511f · 2025-12-04T10:44:32.000Z
Part of OPS-3153
diff --git a/packages/server/api/src/app/helper/allow-all-origins-hook-handler.ts b/packages/server/api/src/app/helper/allow-all-origins-hook-handler.ts
@@ -15,7 +15,7 @@ export const allowAllOriginsHookHandler: onRequestHookHandler = (
 
   void reply.header(
     'Access-Control-Allow-Headers',
-    'Content-Type,Ops-Origin,Authorization',
+    'Content-Type,Ops-Origin,Authorization,Ops-Cloud-Token',
   );
 
   void reply.header('Access-Control-Allow-Credentials', 'true');
diff --git a/packages/server/api/src/app/user-info/cloud-auth.ts b/packages/server/api/src/app/user-info/cloud-auth.ts
@@ -4,11 +4,19 @@ import jwt, { JwtPayload } from 'jsonwebtoken';
 const CLOUD_TOKEN_COOKIE_NAME = 'cloud-token';
 
 const getCloudToken = (request: FastifyRequest): string | undefined => {
-  let token = request.headers.authorization?.replace('Bearer ', '');
-  if (!token) {
-    token = request.cookies[CLOUD_TOKEN_COOKIE_NAME];
+  const authorizationHeader = request.headers.authorization;
+  const cookieToken = request.cookies[CLOUD_TOKEN_COOKIE_NAME];
+  const headerToken = request.headers['ops-cloud-token'] as string | undefined;
+
+  if (authorizationHeader) {
+    return authorizationHeader.replace('Bearer ', '');
   }
-  return token;
+
+  if (cookieToken) {
+    return cookieToken;
+  }
+
+  return headerToken;
 };
 
 export function getVerifiedUser(
diff --git a/packages/server/api/test/integration/cloud/cloud/cloud-auth.test.ts b/packages/server/api/test/integration/cloud/cloud/cloud-auth.test.ts
@@ -85,6 +85,22 @@ describe('getVerifiedUser', () => {
     expect(result).toEqual(payload);
   });
 
+  it('should verify token from header when Authorization header and cookie are missing', () => {
+    const payload = { sub: 'abc' };
+    (jwt.verify as jest.Mock).mockReturnValue(payload);
+    const mockRequest = createMockRequest({
+      headers: { 'ops-cloud-token': 'cookie-header-token' },
+      cookies: {},
+    });
+
+    const result = getVerifiedUser(mockRequest, publicKey);
+
+    expect(jwt.verify).toHaveBeenCalledWith('cookie-header-token', publicKey, {
+      algorithms: ['RS256'],
+    });
+    expect(result).toEqual(payload);
+  });
+
   it('should return undefined when verification fails (throws)', () => {
     (jwt.verify as jest.Mock).mockImplementation(() => {
       throw new Error('invalid');
