Include client key in a header, not the URL

Since this value is used both for identification and authentication, it
shouldn't be in the URL where it might be logged or otherwise
discovered.

sync-server/src/api/mod.rs

@@ -1,5 +1,6 @@
+use crate::server::ClientKey;
 use crate::storage::Storage;
-use actix_web::{error, http::StatusCode, web, Scope};
+use actix_web::{error, http::StatusCode, web, HttpRequest, Result, Scope};
 use std::sync::Arc;
 
 mod add_version;
@@ -9,10 +10,13 @@ mod get_child_version;
 pub(crate) const HISTORY_SEGMENT_CONTENT_TYPE: &str =
     "application/vnd.taskchampion.history-segment";
 
-/// The header names for version ID
+/// The header name for version ID
 pub(crate) const VERSION_ID_HEADER: &str = "X-Version-Id";
 
-/// The header names for parent version ID
+/// The header name for client key
+pub(crate) const CLIENT_KEY_HEADER: &str = "X-Client-Key";
+
+/// The header name for parent version ID
 pub(crate) const PARENT_VERSION_ID_HEADER: &str = "X-Parent-Version-Id";
 
 /// The type containing a reference to the Storage object in the Actix state.
@@ -28,3 +32,17 @@ pub(crate) fn api_scope() -> Scope {
 fn failure_to_ise(err: failure::Error) -> impl actix_web::ResponseError {
     error::InternalError::new(err, StatusCode::INTERNAL_SERVER_ERROR)
 }
+
+/// Get the client key
+fn client_key_header(req: &HttpRequest) -> Result<ClientKey> {
+    fn badrequest() -> error::Error {
+        error::ErrorBadRequest("bad x-client-id")
+    }
+    if let Some(client_key_hdr) = req.headers().get(CLIENT_KEY_HEADER) {
+        let client_key = client_key_hdr.to_str().map_err(|_| badrequest())?;
+        let client_key = ClientKey::parse_str(client_key).map_err(|_| badrequest())?;
+        Ok(client_key)
+    } else {
+        Err(badrequest())
+    }
+}