From 8d5feabb79142f1c8e477279d72b710ae31f41b2 Mon Sep 17 00:00:00 2001
From: Tim Otten
Date: Fri, 4 Feb 2022 16:23:15 -0800
Subject: [PATCH] authx - Extend support for legacy-auth to APIv4
---
 ext/authx/authx.php | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/ext/authx/authx.php b/ext/authx/authx.php
index 81b25c11df64..220be9577aee 100644
--- a/ext/authx/authx.php
+++ b/ext/authx/authx.php
@@ -37,8 +37,12 @@
 }
 }
- if (count($e->args) > 2 && $e->args[1] === 'ajax' && $e->args[2] === 'rest' && (!empty($_REQUEST['api_key']) || !empty($_REQUEST['key']))) {
- return (new \Civi\Authx\LegacyRestAuthenticator())->auth($e, ['flow' => 'legacyrest', 'cred' => 'Bearer ' . $_REQUEST['api_key'] ?? '', 'siteKey' => $_REQUEST['key'] ?? NULL]);
+ // Accept legacy auth (?key=...&api_key=...) for 'civicrm/ajax/rest' and 'civicrm/ajax/api4/*'.
+ // The use of `?key=` could clash on some endpoints. Only accept on a small list of endpoints that are compatible with it.
+ if (count($e->args) > 2 && $e->args[1] === 'ajax' && in_array($e->args[2], ['rest', 'api4'])) {
+ if ((!empty($_REQUEST['api_key']) || !empty($_REQUEST['key']))) {
+ return (new \Civi\Authx\LegacyRestAuthenticator())->auth($e, ['flow' => 'legacyrest', 'cred' => 'Bearer ' . $_REQUEST['api_key'] ?? '', 'siteKey' => $_REQUEST['key'] ?? NULL]);
+ }
 }
 });
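Review bot: In the added `return` line, `'Bearer ' . $_REQUEST['api_key'] ?? ''` does not apply the default where it is intended: `.` binds tighter than `??`, so the fallback is dead code, and a request that carries only `key` reads an undefined `api_key` and passes the bare string `'Bearer '` as the credential. Parenthesise the operand, `'cred' => 'Bearer ' . ($_REQUEST['api_key'] ?? '')`, and consider not entering the legacy flow at all when `api_key` is empty; how `LegacyRestAuthenticator` treats an empty bearer value is not visible here. The new `in_array($e->args[2], ['rest', 'api4'])` also replaces a `===` test with a loose comparison, so pass `true` as the third argument to keep the route match strict. The enclosing listener closure starts above this hunk.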