SURFscz / SBS

Samenwerking Beheer Systeem ↣ Collaboration Management System
Apache License 2.0

Org API prefers existing session cookie over Authorization header bearer token #964

Open baszoetekouw opened 1 year ago

baszoetekouw commented 1 year ago

Org API calls like this fail:

╰─▶ curl 'https://test.sram.surf.nl/api/organisations/v1' -H 'Accept: application/json' -H 'Referer: https://test.sram.surf.nl/apidocs/' -H 'Authorization: Bearer A7t4-GKLjt9a4T_2tbWwD7bBOd5lZzBHzK6aDjte6wfg' -H 'Cookie: subscription_id=78f94f7f-91b5-4f80-9582-0486d37c4eed; session=.eJw9j91OwkAQhV-F7K3YClTBXlEkmkiixkoM3jSzu7Ow0N3W_am2hHd3EXGuJplzvjNnT-7y1_u3aoeapCQb5G2--ZxnL77MFryZQbt67vhWduvlu3vcXtrFw2T5VNKGrUifFDUaBRq1I6kzHvuEo3VSg5OVLrwpA3LjXG3TOHbhElkDKrLeiEiXMdQyVgLiBo0U7VBAUZvquy3Au00X6N6iIemeAFcyPCegtCEBFcgjl4K9CIJGMvwVTLsKHe4q_xVpdMG-9iHx3yY5SYdhRn2iQWEAzMD25tjLT4zsyOh9nBnBb5FVmhcCmKtMEXYhjUJ-buqPRHI15De3YsyAjwQTNElogmNI4BqpoIwO6GAyQpHwKTB2ao_cOwRlo8qs_0oW4Yi1Qx6q1yf-4fAD16-PGg.ZQ18Xw.3gnWnWMs7N50p_mCpsE9OVBkh-c'
{"error":true,"message":"Forbidden: https://test.sram.surf.nl/api/organisations/v1. IP: 145.90.230.173, 10.24.0.20. Not a valid external API call"}

if the session user doesn't have access to the Org

It seems that the API first checks the session instead of preferring the Bearer token.

While this might seem like a strange thing to do, this happens when using the SBS /apidocs "Try it out" functionality while already being logged in to SBS. It seems the browser then automatically adds the session cookie.
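
The following is an added illustration of the credential-precedence problem described in this issue; it is not SBS code and makes no claim about how SBS implements its API authentication. All identifiers (organisation id, API key, session id, cookie names other than the `session` name visible in the report) are constructed for the example. It contrasts a dispatcher that consults the browser session before the `Authorization` header (the behaviour reported) with one that treats an explicit Bearer token as the caller's intent and never falls back to the cookie once a token has been sent.

```python
"""Added example (not SBS code): order of credential checks for an org-scoped API.

Constructed scenario: one organisation, one API key scoped to it, and a browser
session for a user who is NOT a member of that organisation. The browser sends
both the session cookie and an Authorization header, as happens with the
/apidocs "Try it out" button while logged in.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data -- hypothetical identifiers, not real SBS values.
ORG_ID = "org-1"
API_KEYS = {"example-api-key-token": ORG_ID}                 # token -> organisation it is scoped to
SESSIONS = {"sess-abc": {"user": "alice", "orgs": set()}}   # alice belongs to no organisation


@dataclass
class Result:
    status: int
    body: str


def _bearer_token(headers: dict) -> Optional[str]:
    """Return the token from 'Authorization: Bearer <token>', or None if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token.strip():
        return token.strip()
    return None


def _session_id(headers: dict) -> Optional[str]:
    """Return the value of the 'session' cookie from the Cookie header, or None."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session" and value:
            return value
    return None


def _authorize_api_key(token: str, org_id: str) -> Result:
    """An API key is valid only for the organisation it was issued for."""
    if API_KEYS.get(token) != org_id:
        return Result(403, "Forbidden: Not a valid external API call")
    return Result(200, f"ok: api key for {org_id}")


def _authorize_session(session_id: str, org_id: str) -> Result:
    """A browser session is valid only if its user is a member of the organisation."""
    session = SESSIONS.get(session_id)
    if session is None:
        return Result(401, "Unauthorized: unknown session")
    if org_id not in session["orgs"]:
        return Result(403, "Forbidden: Not a valid external API call")
    return Result(200, f"ok: session user {session['user']} for {org_id}")


def dispatch_session_first(headers: dict, org_id: str) -> Result:
    """Behaviour reported in the issue: an existing session wins over the Bearer token."""
    sid = _session_id(headers)
    if sid is not None:
        return _authorize_session(sid, org_id)
    token = _bearer_token(headers)
    if token is not None:
        return _authorize_api_key(token, org_id)
    return Result(401, "Unauthorized: no credentials")


def dispatch_bearer_first(headers: dict, org_id: str) -> Result:
    """Preferred ordering: an explicit Authorization header expresses the caller's intent.

    Once a Bearer token is present the cookie is ignored entirely, so a wrong or
    revoked token is reported as such instead of being silently 'rescued' by
    whatever rights the browser session happens to carry.
    """
    token = _bearer_token(headers)
    if token is not None:
        return _authorize_api_key(token, org_id)
    sid = _session_id(headers)
    if sid is not None:
        return _authorize_session(sid, org_id)
    return Result(401, "Unauthorized: no credentials")


# Request shape from the issue: browser cookie plus an explicit Bearer token.
BROWSER_TRY_IT_OUT = {
    "Accept": "application/json",
    "Authorization": "Bearer example-api-key-token",
    "Cookie": "subscription_id=78f94f7f; session=sess-abc",
}

if __name__ == "__main__":
    print("session first:", dispatch_session_first(BROWSER_TRY_IT_OUT, ORG_ID))
    print("bearer first :", dispatch_bearer_first(BROWSER_TRY_IT_OUT, ORG_ID))
```

With the constructed data, `dispatch_session_first` returns 403 for the combined request because the logged-in user is not in the organisation, which is the symptom reported above, while `dispatch_bearer_first` returns 200 because the organisation-scoped key is checked on its own. The deliberate absence of a cookie fallback in `dispatch_bearer_first` is the security-relevant detail: mixing the two credential types within one request makes the effective principal depend on browser state the API caller did not intend to send.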

baszoetekouw commented 9 months ago

Moved to icebox because this only occurs in the specific circumstance that the person who is logged in to SBS and who is using /apidocs does not have access to the Org corresponding to the API key.