From 0c7d20c943b9d57ae339be19855b6c8744fc19b8 Mon Sep 17 00:00:00 2001
From: Andy
Date: Fri, 23 Jan 2026 17:20:22 -0700
Subject: [PATCH] fix(api): validate Bearer prefix before extracting API key

The replace("Bearer ", "") approach returned the full Authorization header value when the prefix was not present, incorrectly treating other auth schemes (e.g., "Basic xyz") as API keys.
---
 unshackle/core/api/api_keys.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/unshackle/core/api/api_keys.py b/unshackle/core/api/api_keys.py
index 255a45c..8d868b9 100644
--- a/unshackle/core/api/api_keys.py
+++ b/unshackle/core/api/api_keys.py
@@ -18,7 +18,15 @@ def get_api_key_from_request(request: web.Request) -> Optional[str]:
     Returns:
         API key string or None
     """
-    return request.headers.get("X-API-Key") or request.headers.get("Authorization", "").replace("Bearer ", "")
+    api_key = request.headers.get("X-API-Key")
+    if api_key:
+        return api_key
+
+    auth_header = request.headers.get("Authorization", "")
+    if auth_header.startswith("Bearer "):
+        return auth_header[7:]  # len("Bearer ") == 7
+
+    return None
 
 
 def get_api_key_config(app: web.Application, api_key: str) -> Optional[Dict[str, Any]]:
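Review bot: An Authorization header of exactly `Bearer ` (or `Bearer ` followed only by whitespace) now returns `""` from the slice on the `return auth_header[7:]` line, while every other no-credential path returns `None`, so the documented "API key string or None" contract is not met and a caller that tests `is None` would treat an empty credential as present. Normalising the token and collapsing the empty case keeps the contract: `if auth_header.startswith("Bearer "):` / `token = auth_header[7:].strip()` / `return token or None`. RFC 7235 treats the scheme name as case-insensitive, so `bearer <key>` is rejected by the exact-prefix check; whether that matters depends on the clients this API serves, which the patch does not say. The same applies to the `X-API-Key` branch only if the project wants surrounding whitespace tolerated there. The enclosing function `get_api_key_from_request` starts above the hunk; its signature is visible only in the `@@` header.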