Header are not forwarded so just use a query param to choose the authentication mode

ja-openai · ja-openai · commit f1ee3aa31fe7 · 2025-09-29T10:00:51.000-07:00
diff --git a/docs/_docs/guides/002-install.md b/docs/_docs/guides/002-install.md
@@ -70,7 +70,7 @@ source <(curl -L -N -s http://localhost:8080/cli/install.sh?installDirectory=myd
 # When Cloudflare Zero Trust protects the endpoint, set the headers:
 export L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID=<client-id>
 export L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET=<client-secret>
-source /dev/stdin <<< "$(curl -L -N -s -H \"CF-Access-Client-Id: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID}\" -H \"CF-Access-Client-Secret: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET}\" http://localhost:8080/cli/install.sh)"
+source /dev/stdin <<< "$(curl -L -N -s -H \"CF-Access-Client-Id: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID}\" -H \"CF-Access-Client-Secret: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET}\" http://localhost:8080/cli/install.sh?authMode=CF_SERVICE_TOKEN)"
 
 The install script automatically exports `L10N_RESTTEMPLATE_AUTHENTICATION_MODE=HEADER` when these
 headers are present.
diff --git a/docs/_docs/guides/002-install_springboot3.md b/docs/_docs/guides/002-install_springboot3.md
@@ -53,7 +53,7 @@ source <(curl -L -N -s http://localhost:8080/cli/install.sh?installDirectory=myd
 # When Cloudflare Zero Trust protects the endpoint, set the headers:
 export L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID=<client-id>
 export L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET=<client-secret>
-source /dev/stdin <<< "$(curl -L -N -s -H \"CF-Access-Client-Id: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID}\" -H \"CF-Access-Client-Secret: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET}\" http://localhost:8080/cli/install.sh)"
+source /dev/stdin <<< "$(curl -L -N -s -H \"CF-Access-Client-Id: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID}\" -H \"CF-Access-Client-Secret: ${L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET}\" http://localhost:8080/cli/install.sh?authMode=CF_SERVICE_TOKEN)"
 
 The install script automatically exports `L10N_RESTTEMPLATE_AUTHENTICATION_MODE=HEADER` when these
 headers are present.
diff --git a/restclient/src/main/java/com/box/l10n/mojito/rest/resttemplate/HeaderAuthenticationInterceptor.java b/restclient/src/main/java/com/box/l10n/mojito/rest/resttemplate/HeaderAuthenticationInterceptor.java
@@ -21,6 +21,8 @@ public ClientHttpResponse intercept(
     headers.forEach(
         (name, value) -> {
           if (name != null && value != null) {
+            name = name.replace(".", "-");
+
             request.getHeaders().set(name, value);
           }
         });
diff --git a/webapp/src/main/java/com/box/l10n/mojito/rest/cli/CliWS.java b/webapp/src/main/java/com/box/l10n/mojito/rest/cli/CliWS.java
@@ -4,9 +4,6 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import java.io.IOException;
-import java.util.Collections;
-import java.util.LinkedHashMap;
-import java.util.Map;
 import java.util.Optional;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -29,20 +26,6 @@ public class CliWS {
 
   @Autowired CliService cliService;
 
-  public static final String CF_ACCESS_HEADER_CLIENT_ID = "CF-Access-Client-Id";
-  public static final String CF_ACCESS_HEADER_CLIENT_SECRET = "CF-Access-Client-Secret";
-
-  static final Map<String, String> SUPPORTED_HEADER_TO_ENV_VAR;
-
-  static {
-    Map<String, String> headerToEnvVar = new LinkedHashMap<>();
-    headerToEnvVar.put(
-        CF_ACCESS_HEADER_CLIENT_ID, "L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID");
-    headerToEnvVar.put(
-        CF_ACCESS_HEADER_CLIENT_SECRET, "L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET");
-    SUPPORTED_HEADER_TO_ENV_VAR = Collections.unmodifiableMap(headerToEnvVar);
-  }
-
   /**
    * Entry point do download the CLI that corresponds to this server version.
    *
@@ -89,25 +72,11 @@ void unsafeSendRedirect(HttpServletResponse httpServletResponse, String cliUrl)
   public String getInstallCliScript(
       HttpServletRequest httpServletRequest,
       @RequestParam(value = "installDirectory", defaultValue = "#{'$'}{PWD}/.mojito")
-          String installDirectory)
+          String installDirectory,
+      @RequestParam(value = "authMode", required = false) String authenticationMode)
       throws IOException {
     String requestUrl = httpServletRequest.getRequestURL().toString();
-    Map<String, String> authenticationHeaders = getAuthenticationHeaders(httpServletRequest);
-
-    return cliService.generateInstallCliScript(requestUrl, installDirectory, authenticationHeaders);
-  }
-
-  Map<String, String> getAuthenticationHeaders(HttpServletRequest httpServletRequest) {
-    Map<String, String> headers = new LinkedHashMap<>();
-
-    SUPPORTED_HEADER_TO_ENV_VAR.forEach(
-        (headerName, envVar) -> {
-          if (httpServletRequest.getHeader(headerName) != null) {
-            headers.put(headerName, envVar);
-          }
-        });
-
-    return headers;
+    return cliService.generateInstallCliScript(requestUrl, installDirectory, authenticationMode);
   }
 
   /**
diff --git a/webapp/src/main/java/com/box/l10n/mojito/service/cli/CliService.java b/webapp/src/main/java/com/box/l10n/mojito/service/cli/CliService.java
@@ -11,6 +11,7 @@
 import java.nio.file.Paths;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Optional;
@@ -31,6 +32,9 @@ public class CliService {
 
   static final String INSTALL_CLI_TEMPLATE = "cli/install.sh";
   static Logger logger = LoggerFactory.getLogger(CliService.class);
+  public static final String AUTHENTICATION_MODE_CF_SERVICE_TOKEN = "CF_SERVICE_TOKEN";
+
+  static final Map<String, String> CF_SERVICE_TOKEN_HEADER_TO_ENV_VAR = cfServiceTokenHeaders();
 
   @Value("${info.build.version}")
   String version;
@@ -87,28 +91,37 @@ public String getCliUrl() {
    * @throws IOException
    */
   public String generateInstallCliScript(
-      String requestUrl, String installDirectory, Map<String, String> headerNameToEnvVar) {
+      String requestUrl, String installDirectory, String authenticationMode) {
+    Map<String, String> headersToUse = resolveHeaders(authenticationMode);
+    String effectiveAuthenticationMode = headersToUse.isEmpty() ? null : "HEADER";
+
     InstallCliContext installCliContext =
-        getInstallCliContext(requestUrl, installDirectory, headerNameToEnvVar);
+        getInstallCliContext(
+            requestUrl, installDirectory, effectiveAuthenticationMode, headersToUse);
 
     return mustacheTemplateEngine.render(INSTALL_CLI_TEMPLATE, installCliContext);
   }
 
   InstallCliContext getInstallCliContext(
-      String requestUrl, String installDirectory, Map<String, String> headerNameToEnvVar) {
+      String requestUrl,
+      String installDirectory,
+      String authenticationMode,
+      Map<String, String> headerNameToEnvVar) {
     try {
       URL url = new URL(requestUrl);
       InstallCliContext installCliContext =
           new InstallCliContext(installDirectory, url.getProtocol(), url.getHost(), getPort(url));
 
-      if (headerNameToEnvVar != null && !headerNameToEnvVar.isEmpty()) {
+      if (authenticationMode != null
+          && headerNameToEnvVar != null
+          && !headerNameToEnvVar.isEmpty()) {
         List<InstallCliContext.Header> headers =
             headerNameToEnvVar.entrySet().stream()
                 .map(entry -> new InstallCliContext.Header(entry.getKey(), entry.getValue()))
                 .collect(Collectors.toList());
         installCliContext.headers = headers;
         installCliContext.hasHeaders = true;
-        installCliContext.authenticationMode = "HEADER";
+        installCliContext.authenticationMode = authenticationMode;
       } else {
         installCliContext.headers = Collections.emptyList();
         installCliContext.hasHeaders = false;
@@ -121,6 +134,23 @@ InstallCliContext getInstallCliContext(
     }
   }
 
+  Map<String, String> resolveHeaders(String authenticationMode) {
+    if (authenticationMode != null
+        && AUTHENTICATION_MODE_CF_SERVICE_TOKEN.equalsIgnoreCase(authenticationMode)) {
+      return CF_SERVICE_TOKEN_HEADER_TO_ENV_VAR;
+    }
+    return Collections.emptyMap();
+  }
+
+  private static Map<String, String> cfServiceTokenHeaders() {
+    Map<String, String> headerToEnvVar = new LinkedHashMap<>();
+    headerToEnvVar.put(
+        "CF-Access-Client-Id", "L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID");
+    headerToEnvVar.put(
+        "CF-Access-Client-Secret", "L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET");
+    return Collections.unmodifiableMap(headerToEnvVar);
+  }
+
   String getPort(URL url) {
     int port = url.getPort();
 
diff --git a/webapp/src/test/java/com/box/l10n/mojito/rest/cli/CliWSTest.java b/webapp/src/test/java/com/box/l10n/mojito/rest/cli/CliWSTest.java
diff --git a/webapp/src/test/java/com/box/l10n/mojito/service/cli/CliServiceTest.java b/webapp/src/test/java/com/box/l10n/mojito/service/cli/CliServiceTest.java
@@ -3,7 +3,6 @@
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 
-import com.box.l10n.mojito.rest.cli.CliWS;
 import com.box.l10n.mojito.rest.cli.GitInfo;
 import com.box.l10n.mojito.service.assetExtraction.ServiceTestBase;
 import com.box.l10n.mojito.service.repository.RepositoryNameAlreadyUsedException;
@@ -12,8 +11,6 @@
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
-import java.util.LinkedHashMap;
-import java.util.Map;
 import java.util.Optional;
 import org.junit.Assert;
 import org.junit.Test;
@@ -55,6 +52,7 @@ public void testGetCliUrl() {
 
   @Test
   public void getLocalCliFileDefaultNoFile() {
+    cliService.cliConfig.setFile("target/nonexistent-" + System.nanoTime() + ".jar");
     Optional<FileSystemResource> localCliFile = cliService.getLocalCliFile();
     assertFalse(localCliFile.isPresent());
   }
@@ -63,7 +61,7 @@ public void getLocalCliFileDefaultNoFile() {
   public void generateInstallCliScript() throws IOException {
     String installScript =
         cliService.generateInstallCliScript(
-            "http://localhost:8080/cli/install.sh", "${PWD}/.mojito", Collections.emptyMap());
+            "http://localhost:8080/cli/install.sh", "${PWD}/.mojito", null);
     //        Files.write(installScript, new
     // File("src/test/resources/com/box/l10n/mojito/service/cli/install.sh"),
     // StandardCharsets.UTF_8);
@@ -76,16 +74,11 @@ public void generateInstallCliScript() throws IOException {
 
   @Test
   public void generateInstallCliScriptWithHeaders() throws IOException {
-    Map<String, String> headers = new LinkedHashMap<>();
-    headers.put(
-        CliWS.CF_ACCESS_HEADER_CLIENT_ID, "L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_ID");
-    headers.put(
-        CliWS.CF_ACCESS_HEADER_CLIENT_SECRET,
-        "L10N_RESTTEMPLATE_HEADER_HEADERS_CF_ACCESS_CLIENT_SECRET");
-
     String installScript =
         cliService.generateInstallCliScript(
-            "http://localhost:8080/cli/install.sh", "${PWD}/.mojito", headers);
+            "http://localhost:8080/cli/install.sh",
+            "${PWD}/.mojito",
+            CliService.AUTHENTICATION_MODE_CF_SERVICE_TOKEN);
 
     String expected =
         Resources.toString(
@@ -98,7 +91,7 @@ public void generateInstallCliScriptWithHeaders() throws IOException {
   public void getInstallCliContext() {
     InstallCliContext installCliContext =
         cliService.getInstallCliContext(
-            "https://someinstall.org/cli/install.sh", "someplace", Collections.emptyMap());
+            "https://someinstall.org/cli/install.sh", "someplace", null, Collections.emptyMap());
     assertEquals("https", installCliContext.scheme);
     assertEquals("someinstall.org", installCliContext.host);
     assertEquals("443", installCliContext.port);

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ public ClientHttpResponse intercept(`
`21`	`21`	`headers.forEach(`
`22`	`22`	`(name, value) -> {`
`23`	`23`	`if (name != null && value != null) {`
	`24`	`+ name = name.replace(".", "-");`
	`25`	`+`
`24`	`26`	`request.getHeaders().set(name, value);`
`25`	`27`	`}`
`26`	`28`	`});`