refactor: remove deprecated bearerToken option (#1816)

m-olko · web-flow · commit efda06aa6d4c · 2025-11-03T11:13:58.000+01:00
## This PR Removes deprecated `bearerToken` option from all references in code and in documentation. It also updates some tests, to use authHeader with `Bearer` type instead. ### Related Issues Fixes #1687 ### Notes This may be breaking change, as it removes field from Sync struct. I updated all local tests and resources, but let me know if there are any other resources that are maintained by flagd community, that might create Sync struct with that field. Signed-off-by: Marcin Olko <molko@google.com> Signed-off-by: m-olko <molko@google.com>
diff --git a/core/pkg/sync/builder/syncbuilder_test.go b/core/pkg/sync/builder/syncbuilder_test.go
@@ -216,11 +216,6 @@ func Test_SyncsFromFromConfig(t *testing.T) {
 						CertPath:   "/tmp/ca.cert",
 						Selector:   "source=database",
 					},
-					{
-						URI:         "https://host:port",
-						Provider:    syncProviderHTTP,
-						BearerToken: "token",
-					},
 					{
 						URI:        "https://host:port",
 						Provider:   syncProviderHTTP,
@@ -251,7 +246,6 @@ func Test_SyncsFromFromConfig(t *testing.T) {
 			wantSyncs: []sync.ISync{
 				&grpc.Sync{},
 				&http.Sync{},
-				&http.Sync{},
 				&file.Sync{},
 				&kubernetes.Sync{},
 				&blob.Sync{},
diff --git a/core/pkg/sync/builder/utils.go b/core/pkg/sync/builder/utils.go
@@ -22,11 +22,6 @@ func ParseSources(sourcesFlag string) ([]sync.SourceConfig, error) {
 		if sp.Provider == "" {
 			return syncProvidersParsed, errors.New("sync provider argument parse: provider is a required field")
 		}
-		if sp.AuthHeader != "" && sp.BearerToken != "" {
-			return syncProvidersParsed, errors.New(
-				"sync provider argument parse: both authHeader and bearerToken are defined, only one is allowed at a time",
-			)
-		}
 	}
 	return syncProvidersParsed, nil
 }
diff --git a/core/pkg/sync/builder/utils_test.go b/core/pkg/sync/builder/utils_test.go
@@ -26,7 +26,7 @@ func TestParseSource(t *testing.T) {
 		"multiple-syncs": {
 			in: `[
 					{"uri":"config/samples/example_flags.json","provider":"file"},
-					{"uri":"http://test.com","provider":"http","bearerToken":":)"},
+					{"uri":"http://test.com","provider":"http","authHeader":"Bearer :)"},
 					{"uri":"host:port","provider":"grpc"},
 					{"uri":"default/my-crd","provider":"kubernetes"},
 					{"uri":"gs://bucket-name/path/to/file","provider":"gcs"},
@@ -42,7 +42,7 @@ func TestParseSource(t *testing.T) {
 				{
 					URI:         "http://test.com",
 					Provider:    syncProviderHTTP,
-					BearerToken: ":)",
+					AuthHeader: "Bearer :)",
 				},
 				{
 					URI:      "host:port",
@@ -69,8 +69,6 @@ func TestParseSource(t *testing.T) {
 		"multiple-syncs-with-options": {
 			in: `[
 				{"uri":"config/samples/example_flags.json","provider":"file"},
-				{"uri":"http://my-flag-source.json","provider":"http","bearerToken":"bearer-dji34ld2l"},
-				{"uri":"https://secure-remote","provider":"http","bearerToken":"bearer-dji34ld2l"},
 				{"uri":"https://secure-remote","provider":"http","authHeader":"Bearer bearer-dji34ld2l"},
 				{"uri":"https://secure-remote","provider":"http","authHeader":"Basic dXNlcjpwYXNz"},
 				{"uri":"http://site.com","provider":"http","interval":77 },
@@ -84,16 +82,6 @@ func TestParseSource(t *testing.T) {
 					URI:      "config/samples/example_flags.json",
 					Provider: syncProviderFile,
 				},
-				{
-					URI:         "http://my-flag-source.json",
-					Provider:    syncProviderHTTP,
-					BearerToken: "bearer-dji34ld2l",
-				},
-				{
-					URI:         "https://secure-remote",
-					Provider:    syncProviderHTTP,
-					BearerToken: "bearer-dji34ld2l",
-				},
 				{
 					URI:        "https://secure-remote",
 					Provider:   syncProviderHTTP,
@@ -127,22 +115,6 @@ func TestParseSource(t *testing.T) {
 				},
 			},
 		},
-		"multiple-auth-options": {
-			in: `[
-				{"uri":"https://secure-remote","provider":"http","authHeader":"Bearer bearer-dji34ld2l","bearerToken":"bearer-dji34ld2l"}
-			]`,
-			expectErr: true,
-			out: []sync.SourceConfig{
-				{
-					URI:         "https://secure-remote",
-					Provider:    syncProviderHTTP,
-					AuthHeader:  "Bearer bearer-dji34ld2l",
-					BearerToken: "bearer-dji34ld2l",
-					TLS:         false,
-					Interval:    0,
-				},
-			},
-		},
 		"empty": {
 			in:        `[]`,
 			expectErr: false,
diff --git a/core/pkg/sync/http/http_sync.go b/core/pkg/sync/http/http_sync.go
@@ -29,7 +29,6 @@ type Sync struct {
 	cron        Cron
 	lastBodySHA string
 	logger      *logger.Logger
-	bearerToken string
 	authHeader  string
 	interval    uint32
 	ready       bool
@@ -107,9 +106,6 @@ func (hs *Sync) ReSync(ctx context.Context, dataSync chan<- sync.DataSync) error
 }
 
 func (hs *Sync) Init(_ context.Context) error {
-	if hs.bearerToken != "" {
-		hs.logger.Warn("Deprecation Alert: bearerToken option is deprecated, please use authHeader instead")
-	}
 	return nil
 }
 
@@ -176,9 +172,6 @@ func (hs *Sync) fetchBody(ctx context.Context, fetchAll bool) (string, bool, err
 
 	if hs.authHeader != "" {
 		req.Header.Set("Authorization", hs.authHeader)
-	} else if hs.bearerToken != "" {
-		bearer := fmt.Sprintf("Bearer %s", hs.bearerToken)
-		req.Header.Set("Authorization", bearer)
 	}
 
 	if hs.eTag != "" && !fetchAll {
@@ -299,7 +292,6 @@ func NewHTTP(config sync.SourceConfig, logger *logger.Logger) *Sync {
 			zap.String("component", "sync"),
 			zap.String("sync", "http"),
 		),
-		bearerToken:     config.BearerToken,
 		authHeader:      config.AuthHeader,
 		interval:        interval,
 		cron:            cron.New(),
diff --git a/core/pkg/sync/http/http_sync_test.go b/core/pkg/sync/http/http_sync_test.go
@@ -125,7 +125,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 	tests := map[string]struct {
 		setup          func(t *testing.T, client *syncmock.MockClient)
 		uri            string
-		bearerToken    string
 		authHeader     string
 		eTagHeader     string
 		lastBodySHA    string
@@ -181,37 +180,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 				}
 			},
 		},
-		"authorization with bearerToken": {
-			setup: func(t *testing.T, client *syncmock.MockClient) {
-				expectedToken := "bearer-1234"
-				client.EXPECT().Do(gomock.Any()).DoAndReturn(func(req *http.Request) (*http.Response, error) {
-					actualAuthHeader := req.Header.Get("Authorization")
-					if actualAuthHeader != "Bearer "+expectedToken {
-						t.Fatalf("expected Authorization header to be 'Bearer %s', got %s", expectedToken, actualAuthHeader)
-					}
-					return &http.Response{
-						Header:     buildHeaders(map[string][]string{"Content-Type": {"application/json"}}),
-						Body:       io.NopCloser(strings.NewReader("test response")),
-						StatusCode: http.StatusOK,
-					}, nil
-				})
-			},
-			uri:         "http://localhost",
-			bearerToken: "bearer-1234",
-			lastBodySHA: "",
-			handleResponse: func(t *testing.T, httpSync Sync, _ string, err error) {
-				if err != nil {
-					t.Fatalf("fetch: %v", err)
-				}
-
-				expectedLastBodySHA := "UjeJHtCU_wb7OHK-tbPoHycw0TqlHzkWJmH4y6cqg50="
-				if httpSync.lastBodySHA != expectedLastBodySHA {
-					t.Errorf(
-						"expected last body sha to be: '%s', got: '%s'", expectedLastBodySHA, httpSync.lastBodySHA,
-					)
-				}
-			},
-		},
 		"authorization with authHeader": {
 			setup: func(t *testing.T, client *syncmock.MockClient) {
 				expectedHeader := "Basic dXNlcjpwYXNz"
@@ -348,7 +316,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 			httpSync := Sync{
 				uri:         tt.uri,
 				client:      mockClient,
-				bearerToken: tt.bearerToken,
 				authHeader:  tt.authHeader,
 				lastBodySHA: tt.lastBodySHA,
 				logger:      logger.NewLogger(nil, false),
@@ -361,30 +328,6 @@ func TestHTTPSync_Fetch(t *testing.T) {
 	}
 }
 
-func TestSync_Init(t *testing.T) {
-	tests := []struct {
-		name        string
-		bearerToken string
-	}{
-		{"with bearerToken", "bearer-1234"},
-		{"without bearerToken", ""},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			httpSync := Sync{
-				bearerToken: tt.bearerToken,
-				logger:      logger.NewLogger(nil, false),
-			}
-
-			if err := httpSync.Init(context.Background()); err != nil {
-				t.Errorf("Init() error = %v", err)
-			}
-		})
-	}
-
-}
-
 func TestHTTPSync_Resync(t *testing.T) {
 	ctrl := gomock.NewController(t)
 	source := "http://localhost"
@@ -393,7 +336,6 @@ func TestHTTPSync_Resync(t *testing.T) {
 	tests := map[string]struct {
 		setup             func(t *testing.T, client *syncmock.MockClient)
 		uri               string
-		bearerToken       string
 		lastBodySHA       string
 		handleResponse    func(*testing.T, Sync, string, error)
 		wantErr           bool
@@ -448,7 +390,6 @@ func TestHTTPSync_Resync(t *testing.T) {
 			httpSync := Sync{
 				uri:         tt.uri,
 				client:      mockClient,
-				bearerToken: tt.bearerToken,
 				lastBodySHA: tt.lastBodySHA,
 				logger:      logger.NewLogger(nil, false),
 			}
@@ -617,7 +558,7 @@ func TestHTTPSync_OAuth(t *testing.T) {
 			l := logger.NewLogger(nil, false)
 			s := NewHTTP(sync.SourceConfig{
 				URI:         ts.URL,
-				BearerToken: "it_should_be_replaced_by_oauth",
+				AuthHeader: "Bearer it_should_be_replaced_by_oauth",
 				OAuth: &sync.OAuthCredentialHandler{
 					ClientID:     clientID,
 					ClientSecret: clientSecret,
@@ -710,7 +651,7 @@ func TestHTTPSync_OAuthFolderSecrets(t *testing.T) {
 	l := logger.NewLogger(nil, false)
 	s := NewHTTP(sync.SourceConfig{
 		URI:         ts.URL + flagsPath,
-		BearerToken: "it_should_be_replaced_by_oauth",
+		AuthHeader: "Bearer it_should_be_replaced_by_oauth",
 		OAuth: &sync.OAuthCredentialHandler{
 			ClientID:     clientID,
 			ClientSecret: clientSecret,
diff --git a/core/pkg/sync/isync.go b/core/pkg/sync/isync.go
@@ -39,7 +39,6 @@ type SourceConfig struct {
 	URI      string `json:"uri"`
 	Provider string `json:"provider"`
 
-	BearerToken string `json:"bearerToken,omitempty"`
 	AuthHeader  string `json:"authHeader,omitempty"`
 	CertPath    string `json:"certPath,omitempty"`
 	TLS         bool   `json:"tls,omitempty"`
diff --git a/docs/reference/sync-configuration.md b/docs/reference/sync-configuration.md
@@ -47,18 +47,17 @@ The flagd accepts a string argument, which should be a JSON representation of an
 
 Alternatively, these configurations can be passed to flagd via config file, specified using the `--config` flag.
 
-| Field       | Type               | Note                                                                                                                                                                                                             |
-| ----------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| uri         | required `string`  | Flag configuration source of the sync                                                                                                                                                                            |
-| provider    | required `string`  | Provider type - `file`, `fsnotify`, `fileinfo`, `kubernetes`, `http`, `grpc`, `gcs` or `azblob`                                                                                                                  |
-| authHeader  | optional `string`  | Used for http sync; set this to include the complete `Authorization` header value for any authentication scheme (e.g., "Bearer token_here", "Basic base64_credentials", etc.). Cannot be used with `bearerToken` |
-| bearerToken | optional `string`  | (Deprecated) Used for http sync; token gets appended to `Authorization` header with [bearer schema](https://www.rfc-editor.org/rfc/rfc6750#section-2.1). Cannot be used with `authHeader`                        |
-| interval    | optional `uint32`  | Used for http, gcs and azblob syncs; requests will be made at this interval. Defaults to 5 seconds.                                                                                                              |
-| tls         | optional `boolean` | Enable/Disable secure TLS connectivity. Currently used only by gRPC sync. Default (ex: if unset) is false, which will use an insecure connection                                                                 |
-| providerID  | optional `string`  | Value binds to grpc connection's providerID field. gRPC server implementations may use this to identify connecting flagd instance                                                                                |
-| selector    | optional `string`  | Value binds to grpc connection's selector field. gRPC server implementations may use this to filter flag configurations                                                                                          |
-| certPath    | optional `string`  | Used for grpcs sync when TLS certificate is needed. If not provided, system certificates will be used for TLS connection                                                                                         |
-| maxMsgSize  | optional `int`     | Used for gRPC sync to set max receive message size (in bytes) e.g. 5242880 for 5MB. If not provided, the default is [4MB](https://pkg.go.dev/google.golang.org#grpc#MaxCallRecvMsgSize)                          |
+| Field       | Type               | Note                                                                                                                                                                                    |
+| ----------- | ------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| uri         | required `string`  | Flag configuration source of the sync                                                                                                                                                   |
+| provider    | required `string`  | Provider type - `file`, `fsnotify`, `fileinfo`, `kubernetes`, `http`, `grpc`, `gcs` or `azblob`                                                                                         |
+| authHeader  | optional `string`  | Used for http sync; set this to include the complete `Authorization` header value for any authentication scheme (e.g., "Bearer token_here", "Basic base64_credentials", etc.).          |
+| interval    | optional `uint32`  | Used for http, gcs and azblob syncs; requests will be made at this interval. Defaults to 5 seconds.                                                                                     |
+| tls         | optional `boolean` | Enable/Disable secure TLS connectivity. Currently used only by gRPC sync. Default (ex: if unset) is false, which will use an insecure connection                                        |
+| providerID  | optional `string`  | Value binds to grpc connection's providerID field. gRPC server implementations may use this to identify connecting flagd instance                                                       |
+| selector    | optional `string`  | Value binds to grpc connection's selector field. gRPC server implementations may use this to filter flag configurations                                                                 |
+| certPath    | optional `string`  | Used for grpcs sync when TLS certificate is needed. If not provided, system certificates will be used for TLS connection                                                                |
+| maxMsgSize  | optional `int`     | Used for gRPC sync to set max receive message size (in bytes) e.g. 5242880 for 5MB. If not provided, the default is [4MB](https://pkg.go.dev/google.golang.org#grpc#MaxCallRecvMsgSize) |
 
 The `uri` field values **do not** follow the [URI patterns](#uri-patterns). The provider type is instead derived
 from the `provider` field. Only exception is the remote provider where `http(s)://` is expected by default. Incorrect
@@ -94,7 +93,7 @@ Startup command:
 --sources='[{"uri":"config/samples/example_flags.json","provider":"file"},
             {"uri":"config/samples/example_flags.json","provider":"fsnotify"},
             {"uri":"config/samples/example_flags.json","provider":"fileinfo"},
-            {"uri":"http://my-flag-source/flags.json","provider":"http","bearerToken":"bearer-dji34ld2l"},
+            {"uri":"http://my-flag-source/flags.json","provider":"http","authHeader":"Bearer bearer-dji34ld2l"},
             {"uri":"https://secure-remote/bearer-auth/flags.json","provider":"http","authHeader":"Bearer bearer-dji34ld2l"},
             {"uri":"https://secure-remote/basic-auth/flags.json","provider":"http","authHeader":"Basic dXNlcjpwYXNz"},
             {"uri":"default/my-flag-config","provider":"kubernetes"},
@@ -118,7 +117,7 @@ sources:
     provider: fileinfo
   - uri: http://my-flag-source/flags.json
     provider: http
-    bearerToken: bearer-dji34ld2l
+    authHeader: "Bearer bearer-dji34ld2l"
   - uri: default/my-flag-config
     provider: kubernetes
   - uri: my-flag-source:8080

Original file line number	Diff line number	Diff line change
`@@ -22,11 +22,6 @@ func ParseSources(sourcesFlag string) ([]sync.SourceConfig, error) {`
`22`	`22`	`if sp.Provider == "" {`
`23`	`23`	`return syncProvidersParsed, errors.New("sync provider argument parse: provider is a required field")`
`24`	`24`	`}`
`25`		`- if sp.AuthHeader != "" && sp.BearerToken != "" {`
`26`		`- return syncProvidersParsed, errors.New(`
`27`		`- "sync provider argument parse: both authHeader and bearerToken are defined, only one is allowed at a time",`
`28`		`- )`
`29`		`- }`
`30`	`25`	`}`
`31`	`26`	`return syncProvidersParsed, nil`
`32`	`27`	`}`