Is it acceptable to support sys_api_key in HTTP header?

Added by fuminori ido about 1 month ago

The REST API key can be set in an HTTP header, while sys_api_key can NOT.

From a security point of view, sys_api_key should also be able to be passed via an HTTP header, as the REST API key is.

params[:key] is used for sys_api_key, so I think it's also OK to use the X-Redmine-API-Key HTTP header for sys_api_key as well.

As a result, can we refactor params[:key] in SysController#check_enabled to use ApplicationController#api_key_from_request?

(Actually, SysController does NOT inherit from ApplicationController, so the "api_key_from_request" method would be better factored out into a Concern module and included from both controllers.)

If this is acceptable, let me post my patch with some testing code.
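
The refactoring asked about above, sketched in plain Ruby without Rails as an added example that is not part of the original post and not Redmine's own code. The names `ApiKeyFromRequest`, `SysControllerSketch`, `ApplicationControllerSketch` and `request_line`, the header-first precedence, and the sample key and path are all assumptions or constructed values.

```ruby
require "uri"

# Hypothetical shared module, standing in for the Concern proposed above.
module ApiKeyFromRequest
  HEADER = "X-Redmine-API-Key"

  # Assumption: the header wins when both are sent; "key" is the fallback.
  # Returns nil when neither carries a non-empty value.
  def api_key_from_request(params, headers)
    [headers[HEADER], params["key"]].map(&:to_s).find { |v| !v.empty? }
  end
end

# Stand-in for SysController: params and headers are plain hashes here.
class SysControllerSketch
  include ApiKeyFromRequest

  def initialize(sys_api_key:, enabled: true)
    @sys_api_key = sys_api_key
    @enabled = enabled
  end

  # Access is granted only if the WS is enabled and the supplied key matches;
  # the key now comes from the shared helper instead of params alone.
  def check_enabled(params, headers)
    key = api_key_from_request(params, headers)
    @enabled && !key.nil? && key == @sys_api_key
  end
end

# Stand-in for ApplicationController, including the same module.
class ApplicationControllerSketch
  include ApiKeyFromRequest
end

# The request line is what a typical access log or proxy records;
# header values are normally not part of it.
def request_line(path, params)
  query = URI.encode_www_form(params)
  "GET #{query.empty? ? path : "#{path}?#{query}"} HTTP/1.1"
end

SAMPLE_KEY  = "constructed-sample-key" # constructed value, not a real key
SAMPLE_PATH = "/sys/example"           # constructed path for illustration
```

With the key in the query string, `request_line` contains the secret; with the key in the header, the request line is just the path, which is the security difference the post refers to.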