From 183c8b74e9db56caf2d0f3ada5d909797db79891 Mon Sep 17 00:00:00 2001
From: "robin.hruska@teskalabs.com"
Date: Tue, 3 Dec 2024 09:43:55 +0100
Subject: [PATCH 1/2] SECURITY: remove auth exception for HEAD requests

---
 asab/web/auth/service.py | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/asab/web/auth/service.py b/asab/web/auth/service.py
index bba20a81..5f8b3b7f 100644
--- a/asab/web/auth/service.py
+++ b/asab/web/auth/service.py
@@ -444,10 +444,6 @@ async def _wrap_handlers(self, aiohttp_app):
 			if not inspect.iscoroutinefunction(route.handler):
 				continue
 
-			# Skip auth for HEAD requests
-			if route.method == "HEAD":
-				continue
-
 			try:
 				self._wrap_handler(route)
 			except Exception as e:

From ddd8b2ff6f93dc718a2f5d4ed4890a075ce0913b Mon Sep 17 00:00:00 2001
From: "robin.hruska@teskalabs.com"
Date: Tue, 3 Dec 2024 09:46:17 +0100
Subject: [PATCH 2/2] Tenant header fix

---
 asab/web/auth/service.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/asab/web/auth/service.py b/asab/web/auth/service.py
index 5f8b3b7f..bb0dc59b 100644
--- a/asab/web/auth/service.py
+++ b/asab/web/auth/service.py
@@ -758,7 +758,7 @@ def _set_tenant_context_from_url_query(handler):
 	@functools.wraps(handler)
 	async def wrapper(*args, **kwargs):
 		request = args[-1]
-		header_tenant = Tenant.get(None)
+		header_tenant = request.headers.get("X-Tenant")
 
 		tenant = request.query.get("tenant")
 		if tenant is None:
@@ -793,7 +793,7 @@ def _set_tenant_context_from_url_path(handler):
 	@functools.wraps(handler)
 	async def wrapper(*args, **kwargs):
 		request = args[-1]
-		header_tenant = Tenant.get(None)
+		header_tenant = request.headers.get("X-Tenant")
 
 		tenant = request.match_info.get("tenant")
 		if header_tenant is not None:
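Review bot: `header_tenant` is now read straight from the client-supplied `X-Tenant` header, and nothing in this hunk of `_set_tenant_context_from_url_query` checks that value before it can become the tenant context; `Tenant.get(None)` presumably carried a value set by an earlier, already-authorized step, whereas a raw request header is caller-controlled, so the wrapper should validate it against the tenants the request's credentials are authorized for (or reject it) before use. The wrapper body that consumes `header_tenant` continues outside the hunk, so such a check may exist further down — worth confirming rather than assuming. The same direct read is introduced in `_set_tenant_context_from_url_path` in the next hunk, and the header name is duplicated as a literal in both places; hoist it once at module level, `TENANT_HEADER = "X-Tenant"`, and read it as `header_tenant = request.headers.get(TENANT_HEADER)` in both wrappers. At the read, add a comment making the trust boundary explicit, e.g. `# Client-supplied value; must be checked against the authorized tenant set before it is used`.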