MF-1469 - Indicate proper authentication scheme in Authorization header (#1523)

* MF-1469 - Indicate proper authentication scheme in Authorization header Signed-off-by: Stefan Kovacevic <jen2tri@gmail.com> * Fixing the remarks on the last push Signed-off-by: Stefan Kovacevic <jen2tri@gmail.com> * Remove Bearer prefix in all services and fix tests Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> * Fix remarks Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com> Co-authored-by: Manuel Imperiale <manuel.imperiale@gmail.com>
2022-02-18 14:56:01 +01:00 · 2022-02-18 14:56:01 +01:00 · 5ca8495f35
parent 9972d1d1a4
commit 5ca8495f35
24 changed files with 391 additions and 80 deletions
--- a/auth/api/http/groups/endpoint_test.go
+++ b/auth/api/http/groups/endpoint_test.go
@ -18,6 +18,7 @@ import (
 	httpapi "github.com/mainflux/mainflux/auth/api/http"
 	"github.com/mainflux/mainflux/auth/jwt"
 	"github.com/mainflux/mainflux/auth/mocks"
+	"github.com/mainflux/mainflux/internal/httputil"
 	"github.com/mainflux/mainflux/pkg/uuid"
 	"github.com/opentracing/opentracing-go/mocktracer"
 	"github.com/stretchr/testify/assert"
@ -46,7 +47,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.contentType != "" {
 		req.Header.Set("Content-Type", tr.contentType)
--- a/auth/api/http/groups/transport.go
+++ b/auth/api/http/groups/transport.go
@ -127,13 +127,19 @@ func decodeShareGroupRequest(ctx context.Context, r *http.Request) (interface{},
 		return nil, errors.ErrUnsupportedContentType
 	}

-	var req shareGroupAccessReq
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := shareGroupAccessReq{
+		token:       t,
+		userGroupID: bone.GetValue(r, "subjectGroupID"),
+	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}

-	req.userGroupID = bone.GetValue(r, "subjectGroupID")
-	req.token = r.Header.Get("Authorization")
 	return req, nil
 }

@ -153,8 +159,13 @@ func decodeListGroupsRequest(_ context.Context, r *http.Request) (interface{}, e
 		return nil, err
 	}

+	to, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listGroupsReq{
-		token:    r.Header.Get("Authorization"),
+		token:    to,
 		level:    l,
 		metadata: m,
 		tree:     t,
@ -189,8 +200,13 @@ func decodeListMembersRequest(_ context.Context, r *http.Request) (interface{},
 		return nil, err
 	}

+	to, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listMembersReq{
-		token:     r.Header.Get("Authorization"),
+		token:     to,
 		id:        bone.GetValue(r, "groupID"),
 		groupType: t,
 		offset:    o,
@ -217,8 +233,13 @@ func decodeListMembershipsRequest(_ context.Context, r *http.Request) (interface
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listMembershipsReq{
-		token:    r.Header.Get("Authorization"),
+		token:    t,
 		id:       bone.GetValue(r, "memberID"),
 		offset:   o,
 		limit:    l,
@ -238,7 +259,12 @@ func decodeGroupCreate(_ context.Context, r *http.Request) (interface{}, error)
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}

-	req.token = r.Header.Get("Authorization")
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req.token = t
 	return req, nil
 }

@ -252,14 +278,24 @@ func decodeGroupUpdate(_ context.Context, r *http.Request) (interface{}, error)
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req.id = bone.GetValue(r, "groupID")
-	req.token = r.Header.Get("Authorization")
+	req.token = t
 	return req, nil
 }

 func decodeGroupRequest(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := groupReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "groupID"),
 	}

@ -267,8 +303,13 @@ func decodeGroupRequest(_ context.Context, r *http.Request) (interface{}, error)
 }

 func decodeAssignRequest(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := assignReq{
-		token:   r.Header.Get("Authorization"),
+		token:   t,
 		groupID: bone.GetValue(r, "groupID"),
 	}

@ -280,9 +321,14 @@ func decodeAssignRequest(_ context.Context, r *http.Request) (interface{}, error
 }

 func decodeUnassignRequest(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := unassignReq{
 		assignReq{
-			token:   r.Header.Get("Authorization"),
+			token:   t,
 			groupID: bone.GetValue(r, "groupID"),
 		},
 	}
--- a/auth/api/http/keys/endpoint_test.go
+++ b/auth/api/http/keys/endpoint_test.go
@ -18,6 +18,7 @@ import (
 	httpapi "github.com/mainflux/mainflux/auth/api/http"
 	"github.com/mainflux/mainflux/auth/jwt"
 	"github.com/mainflux/mainflux/auth/mocks"
+	"github.com/mainflux/mainflux/internal/httputil"
 	"github.com/mainflux/mainflux/pkg/uuid"
 	"github.com/opentracing/opentracing-go/mocktracer"
 	"github.com/stretchr/testify/assert"
@ -51,7 +52,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.contentType != "" {
 		req.Header.Set("Content-Type", tr.contentType)
@ -157,21 +158,21 @@ func TestIssue(t *testing.T) {
 			desc:   "issue key with invalid request",
 			req:    "{",
 			ct:     contentType,
-			token:  "",
+			token:  loginSecret,
 			status: http.StatusBadRequest,
 		},
 		{
 			desc:   "issue key with invalid JSON",
 			req:    "{invalid}",
 			ct:     contentType,
-			token:  "",
+			token:  loginSecret,
 			status: http.StatusBadRequest,
 		},
 		{
 			desc:   "issue key with invalid JSON content",
 			req:    `{"Type":{"key":"value"}}`,
 			ct:     contentType,
-			token:  "",
+			token:  loginSecret,
 			status: http.StatusBadRequest,
 		},
 	}
--- a/auth/api/http/keys/transport.go
+++ b/auth/api/http/keys/transport.go
@ -54,8 +54,12 @@ func decodeIssue(_ context.Context, r *http.Request) (interface{}, error) {
 	if !strings.Contains(r.Header.Get("Content-Type"), contentType) {
 		return nil, errors.ErrUnsupportedContentType
 	}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := issueKeyReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
@ -65,8 +69,12 @@ func decodeIssue(_ context.Context, r *http.Request) (interface{}, error) {
 }

 func decodeKeyReq(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := keyReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 	}
 	return req, nil
--- a/auth/api/http/policies/endpoint_test.go
+++ b/auth/api/http/policies/endpoint_test.go
@ -18,6 +18,7 @@ import (
 	httpapi "github.com/mainflux/mainflux/auth/api/http"
 	"github.com/mainflux/mainflux/auth/jwt"
 	"github.com/mainflux/mainflux/auth/mocks"
+	"github.com/mainflux/mainflux/internal/httputil"
 	"github.com/mainflux/mainflux/pkg/uuid"
 	"github.com/opentracing/opentracing-go/mocktracer"
 	"github.com/stretchr/testify/assert"
@ -48,7 +49,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.contentType != "" {
 		req.Header.Set("Content-Type", tr.contentType)
--- a/auth/api/http/policies/transport.go
+++ b/auth/api/http/policies/transport.go
@ -46,12 +46,18 @@ func decodePoliciesRequest(ctx context.Context, r *http.Request) (interface{}, e
 		return nil, errors.ErrUnsupportedContentType
 	}

-	var req policiesReq
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := policiesReq{
+		token: t,
+	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}

-	req.token = r.Header.Get("Authorization")
 	return req, nil
 }

--- a/bootstrap/api/endpoint_test.go
+++ b/bootstrap/api/endpoint_test.go
@ -120,7 +120,7 @@ func (tr testRequest) make() (*http.Response, error) {
 	}

 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}

 	if tr.contentType != "" {
--- a/bootstrap/api/transport.go
+++ b/bootstrap/api/transport.go
@ -110,7 +110,12 @@ func decodeAddRequest(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := addReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := addReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -123,7 +128,12 @@ func decodeUpdateRequest(_ context.Context, r *http.Request) (interface{}, error
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := updateReq{key: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := updateReq{key: t}
 	req.id = bone.GetValue(r, "id")
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
@ -137,8 +147,13 @@ func decodeUpdateCertRequest(_ context.Context, r *http.Request) (interface{}, e
 		return nil, errors.ErrUnsupportedContentType
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := updateCertReq{
-		key:     r.Header.Get("Authorization"),
+		key:     t,
 		thingID: bone.GetValue(r, "id"),
 	}

@ -154,7 +169,12 @@ func decodeUpdateConnRequest(_ context.Context, r *http.Request) (interface{}, e
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := updateConnReq{key: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := updateConnReq{key: t}
 	req.id = bone.GetValue(r, "id")
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
@ -181,8 +201,13 @@ func decodeListRequest(_ context.Context, r *http.Request) (interface{}, error)

 	filter := parseFilter(q)

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listReq{
-		key:    r.Header.Get("Authorization"),
+		key:    t,
 		filter: filter,
 		offset: o,
 		limit:  l,
@ -192,9 +217,14 @@ func decodeListRequest(_ context.Context, r *http.Request) (interface{}, error)
 }

 func decodeBootstrapRequest(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := bootstrapReq{
 		id:  bone.GetValue(r, "external_id"),
-		key: r.Header.Get("Authorization"),
+		key: t,
 	}

 	return req, nil
@ -205,7 +235,12 @@ func decodeStateRequest(_ context.Context, r *http.Request) (interface{}, error)
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := changeStateReq{key: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := changeStateReq{key: t}
 	req.id = bone.GetValue(r, "id")
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
@ -215,8 +250,13 @@ func decodeStateRequest(_ context.Context, r *http.Request) (interface{}, error)
 }

 func decodeEntityRequest(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := entityReq{
-		key: r.Header.Get("Authorization"),
+		key: t,
 		id:  bone.GetValue(r, "id"),
 	}

--- a/certs/api/transport.go
+++ b/certs/api/transport.go
@ -94,8 +94,12 @@ func decodeListCerts(_ context.Context, r *http.Request) (interface{}, error) {
 	if err != nil {
 		return nil, err
 	}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := listReq{
-		token:   r.Header.Get("Authorization"),
+		token:   t,
 		thingID: bone.GetValue(r, "thingId"),
 		limit:   l,
 		offset:  o,
@ -104,8 +108,13 @@ func decodeListCerts(_ context.Context, r *http.Request) (interface{}, error) {
 }

 func decodeViewCert(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := viewReq{
-		token:    r.Header.Get("Authorization"),
+		token:    t,
 		serialID: bone.GetValue(r, "certId"),
 	}

@ -116,8 +125,11 @@ func decodeCerts(_ context.Context, r *http.Request) (interface{}, error) {
 	if r.Header.Get("Content-Type") != contentType {
 		return nil, errors.ErrUnsupportedContentType
 	}
-
-	req := addCertsReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+	req := addCertsReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, err
 	}
@ -126,8 +138,12 @@ func decodeCerts(_ context.Context, r *http.Request) (interface{}, error) {
 }

 func decodeRevokeCerts(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := revokeReq{
-		token:  r.Header.Get("Authorization"),
+		token:  t,
 		certID: bone.GetValue(r, "certId"),
 	}

--- a/consumers/notifiers/api/endpoint_test.go
+++ b/consumers/notifiers/api/endpoint_test.go
@ -56,7 +56,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.contentType != "" {
 		req.Header.Set("Content-Type", tr.contentType)
--- a/consumers/notifiers/api/transport.go
+++ b/consumers/notifiers/api/transport.go
@ -72,23 +72,34 @@ func decodeCreate(_ context.Context, r *http.Request) (interface{}, error) {
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
-
-	req.token = r.Header.Get("Authorization")
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+	req.token = t
 	return req, nil
 }

 func decodeSubscription(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := subReq{
 		id:    bone.GetValue(r, "id"),
-		token: r.Header.Get("Authorization"),
+		token: t,
 	}

 	return req, nil
 }

 func decodeList(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := listSubsReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 	}
 	vals := bone.GetQuery(r, "topic")
 	if len(vals) > 0 {
--- a/http/api/endpoint_test.go
+++ b/http/api/endpoint_test.go
@ -17,6 +17,7 @@ import (
 	adapter "github.com/mainflux/mainflux/http"
 	"github.com/mainflux/mainflux/http/api"
 	"github.com/mainflux/mainflux/http/mocks"
+	"github.com/mainflux/mainflux/internal/httputil"
 	"github.com/stretchr/testify/assert"
 )

@ -47,7 +48,7 @@ func (tr testRequest) make() (*http.Response, error) {
 	}

 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.basicAuth && tr.token != "" {
 		req.SetBasicAuth("", tr.token)
--- a/http/api/transport.go
+++ b/http/api/transport.go
@ -108,9 +108,17 @@ func decodeRequest(ctx context.Context, r *http.Request) (interface{}, error) {
 	if err != nil {
 		return nil, err
 	}
-	token := r.Header.Get("Authorization")
-	if _, pass, ok := r.BasicAuth(); ok {
+
+	var token string
+	_, pass, ok := r.BasicAuth()
+	switch {
+	case ok:
 		token = pass
+	case !ok:
+		token, err = httputil.ExtractAuthToken(r)
+		if err != nil {
+			return nil, err
+		}
 	}

 	payload, err := ioutil.ReadAll(r.Body)
--- a/internal/httputil/token.go
+++ b/internal/httputil/token.go
@ -0,0 +1,25 @@
+// Copyright (c) Mainflux
+// SPDX-License-Identifier: Apache-2.0
+
+package httputil
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/mainflux/mainflux/pkg/errors"
+)
+
+// BearerPrefix represents the token prefix for Bearer authentication scheme.
+const BearerPrefix = "Bearer "
+
+// ExtractAuthToken reads the value of request Authorization and removes the Bearer substring or returns error if it does not exist
+func ExtractAuthToken(r *http.Request) (string, error) {
+	token := r.Header.Get("Authorization")
+
+	if !strings.HasPrefix(token, BearerPrefix) {
+		return token, errors.ErrAuthentication
+	}
+
+	return strings.TrimPrefix(token, BearerPrefix), nil
+}
--- a/pkg/sdk/go/sdk.go
+++ b/pkg/sdk/go/sdk.go
@ -10,6 +10,7 @@ import (
 	"time"

 	"github.com/mainflux/mainflux"
+	"github.com/mainflux/mainflux/internal/httputil"
 )

 const (
@ -327,7 +328,7 @@ func NewSDK(conf Config) SDK {

 func (sdk mfSDK) sendRequest(req *http.Request, token, contentType string) (*http.Response, error) {
 	if token != "" {
-		req.Header.Set("Authorization", token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+token)
 	}

 	if contentType != "" {
--- a/provision/api/transport.go
+++ b/provision/api/transport.go
@ -69,8 +69,11 @@ func decodeProvisionRequest(_ context.Context, r *http.Request) (interface{}, er
 	if r.Header.Get("Content-Type") != contentType {
 		return nil, errors.ErrUnsupportedContentType
 	}
-
-	req := provisionReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+	req := provisionReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, err
 	}
@ -82,8 +85,11 @@ func decodeMappingRequest(_ context.Context, r *http.Request) (interface{}, erro
 	if r.Header.Get("Content-Type") != contentType {
 		return nil, errors.ErrUnsupportedContentType
 	}
-
-	req := mappingReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+	req := mappingReq{token: t}

 	return req, nil
 }
--- a/readers/api/endpoint_test.go
+++ b/readers/api/endpoint_test.go
@ -13,6 +13,7 @@ import (
 	"time"

 	"github.com/mainflux/mainflux"
+	"github.com/mainflux/mainflux/internal/httputil"
 	"github.com/mainflux/mainflux/pkg/transformers/senml"
 	"github.com/mainflux/mainflux/pkg/uuid"
 	"github.com/mainflux/mainflux/readers"
@ -66,7 +67,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}

 	return tr.client.Do(req)
--- a/readers/api/transport.go
+++ b/readers/api/transport.go
@ -139,9 +139,14 @@ func decodeList(ctx context.Context, r *http.Request) (interface{}, error) {
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listMessagesReq{
 		chanID: bone.GetValue(r, "chanID"),
-		token:  r.Header.Get("Authorization"),
+		token:  t,
 		pageMeta: readers.PageMetadata{
 			Offset:      offset,
 			Limit:       limit,
--- a/things/api/things/http/endpoint_test.go
+++ b/things/api/things/http/endpoint_test.go
@ -75,7 +75,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.contentType != "" {
 		req.Header.Set("Content-Type", tr.contentType)
--- a/things/api/things/http/transport.go
+++ b/things/api/things/http/transport.go
@ -208,7 +208,13 @@ func decodeThingCreation(_ context.Context, r *http.Request) (interface{}, error
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := createThingReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := createThingReq{token: t}
+
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -221,7 +227,12 @@ func decodeThingsCreation(_ context.Context, r *http.Request) (interface{}, erro
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := createThingsReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := createThingsReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req.Things); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -234,7 +245,15 @@ func decodeShareThing(ctx context.Context, r *http.Request) (interface{}, error)
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := shareThingReq{token: r.Header.Get("Authorization"), thingID: bone.GetValue(r, "id")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := shareThingReq{
+		token:   t,
+		thingID: bone.GetValue(r, "id"),
+	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -247,8 +266,13 @@ func decodeThingUpdate(_ context.Context, r *http.Request) (interface{}, error)
 		return nil, errors.ErrUnsupportedContentType
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := updateThingReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@ -263,8 +287,13 @@ func decodeKeyUpdate(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, errors.ErrUnsupportedContentType
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := updateKeyReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@ -279,7 +308,12 @@ func decodeChannelCreation(_ context.Context, r *http.Request) (interface{}, err
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := createChannelReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := createChannelReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -292,7 +326,12 @@ func decodeChannelsCreation(_ context.Context, r *http.Request) (interface{}, er
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := createChannelsReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := createChannelsReq{token: t}

 	if err := json.NewDecoder(r.Body).Decode(&req.Channels); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
@ -306,8 +345,13 @@ func decodeChannelUpdate(_ context.Context, r *http.Request) (interface{}, error
 		return nil, errors.ErrUnsupportedContentType
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := updateChannelReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@ -318,8 +362,13 @@ func decodeChannelUpdate(_ context.Context, r *http.Request) (interface{}, error
 }

 func decodeView(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := viewResourceReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 	}

@ -361,8 +410,13 @@ func decodeList(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listResourcesReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		pageMetadata: things.PageMetadata{
 			Offset:            o,
 			Limit:             l,
@ -378,7 +432,12 @@ func decodeList(_ context.Context, r *http.Request) (interface{}, error) {
 }

 func decodeListByMetadata(_ context.Context, r *http.Request) (interface{}, error) {
-	req := listResourcesReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := listResourcesReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req.pageMetadata); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -412,8 +471,13 @@ func decodeListByConnection(_ context.Context, r *http.Request) (interface{}, er
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listByConnectionReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 		pageMetadata: things.PageMetadata{
 			Offset:       o,
@ -428,8 +492,13 @@ func decodeListByConnection(_ context.Context, r *http.Request) (interface{}, er
 }

 func decodeConnectThing(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := connectThingReq{
-		token:   r.Header.Get("Authorization"),
+		token:   t,
 		chanID:  bone.GetValue(r, "chanId"),
 		thingID: bone.GetValue(r, "thingId"),
 	}
@ -442,7 +511,12 @@ func decodeConnectList(_ context.Context, r *http.Request) (interface{}, error)
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := connectReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
+	req := connectReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -466,8 +540,13 @@ func decodeListMembersRequest(_ context.Context, r *http.Request) (interface{},
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	req := listThingsGroupReq{
-		token:   r.Header.Get("Authorization"),
+		token:   t,
 		groupID: bone.GetValue(r, "groupId"),
 		pageMetadata: things.PageMetadata{
 			Offset:   o,
--- a/twins/api/http/endpoint_twins_test.go
+++ b/twins/api/http/endpoint_twins_test.go
@ -14,6 +14,7 @@ import (
 	"strings"
 	"testing"

+	"github.com/mainflux/mainflux/internal/httputil"
 	"github.com/mainflux/mainflux/twins"
 	httpapi "github.com/mainflux/mainflux/twins/api/http"
 	"github.com/mainflux/mainflux/twins/mocks"
@ -75,7 +76,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.contentType != "" {
 		req.Header.Set("Content-Type", tr.contentType)
--- a/twins/api/http/transport.go
+++ b/twins/api/http/transport.go
@ -91,7 +91,11 @@ func decodeTwinCreation(_ context.Context, r *http.Request) (interface{}, error)
 		return nil, errors.ErrUnsupportedContentType
 	}

-	req := addTwinReq{token: r.Header.Get("Authorization")}
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+	req := addTwinReq{token: t}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}
@ -104,8 +108,12 @@ func decodeTwinUpdate(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, errors.ErrUnsupportedContentType
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := updateTwinReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 	}
 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
@ -116,8 +124,12 @@ func decodeTwinUpdate(_ context.Context, r *http.Request) (interface{}, error) {
 }

 func decodeView(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := viewTwinReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 		id:    bone.GetValue(r, "id"),
 	}

@ -145,8 +157,12 @@ func decodeList(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := listReq{
-		token:    r.Header.Get("Authorization"),
+		token:    t,
 		limit:    l,
 		offset:   o,
 		name:     n,
@ -167,8 +183,12 @@ func decodeListStates(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := listStatesReq{
-		token:  r.Header.Get("Authorization"),
+		token:  t,
 		limit:  l,
 		offset: o,
 		id:     bone.GetValue(r, "id"),
--- a/users/api/endpoint_test.go
+++ b/users/api/endpoint_test.go
@ -64,7 +64,7 @@ func (tr testRequest) make() (*http.Response, error) {
 		return nil, err
 	}
 	if tr.token != "" {
-		req.Header.Set("Authorization", tr.token)
+		req.Header.Set("Authorization", httputil.BearerPrefix+tr.token)
 	}
 	if tr.contentType != "" {
 		req.Header.Set("Content-Type", tr.contentType)
--- a/users/api/transport.go
+++ b/users/api/transport.go
@ -116,16 +116,24 @@ func MakeHandler(svc users.Service, tracer opentracing.Tracer) http.Handler {
 }

 func decodeViewUser(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := viewUserReq{
-		token:  r.Header.Get("Authorization"),
+		token:  t,
 		userID: bone.GetValue(r, "userID"),
 	}
 	return req, nil
 }

 func decodeViewProfile(_ context.Context, r *http.Request) (interface{}, error) {
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := viewUserReq{
-		token: r.Header.Get("Authorization"),
+		token: t,
 	}
 	return req, nil
 }
@ -151,8 +159,12 @@ func decodeListUsers(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := listUsersReq{
-		token:    r.Header.Get("Authorization"),
+		token:    t,
 		offset:   o,
 		limit:    l,
 		email:    e,
@ -167,7 +179,11 @@ func decodeUpdateUser(_ context.Context, r *http.Request) (interface{}, error) {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}

-	req.token = r.Header.Get("Authorization")
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+	req.token = t
 	return req, nil
 }

@ -189,12 +205,22 @@ func decodeCreateUserReq(_ context.Context, r *http.Request) (interface{}, error
 		return nil, errors.ErrUnsupportedContentType
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+
 	var user users.User
 	if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}

-	return createUserReq{user, r.Header.Get("Authorization")}, nil
+	req := createUserReq{
+		user:  user,
+		token: t,
+	}
+
+	return req, nil
 }

 func decodePasswordResetRequest(_ context.Context, r *http.Request) (interface{}, error) {
@ -235,7 +261,11 @@ func decodePasswordChange(_ context.Context, r *http.Request) (interface{}, erro
 		return nil, errors.Wrap(errors.ErrMalformedEntity, err)
 	}

-	req.Token = r.Header.Get("Authorization")
+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
+	req.Token = t

 	return req, nil
 }
@ -256,8 +286,12 @@ func decodeListMembersRequest(_ context.Context, r *http.Request) (interface{},
 		return nil, err
 	}

+	t, err := httputil.ExtractAuthToken(r)
+	if err != nil {
+		return nil, err
+	}
 	req := listMemberGroupReq{
-		token:    r.Header.Get("Authorization"),
+		token:    t,
 		groupID:  bone.GetValue(r, "groupId"),
 		offset:   o,
 		limit:    l,