arangodb
diff --git a/‎CHANGELOG
Lines changed: 4 additions & 0 deletions b/‎CHANGELOG
Lines changed: 4 additions & 0 deletions
diff --git a/‎CMakeLists.txt
Lines changed: 0 additions & 1 deletion b/‎CMakeLists.txt
Lines changed: 0 additions & 1 deletion
diff --git a/‎arangod/Auth/TokenCache.cpp
Lines changed: 8 additions & 2 deletions b/‎arangod/Auth/TokenCache.cpp
Lines changed: 8 additions & 2 deletions
@@ -10,6 +10,10 @@ devel
 * Fix vector index comparison in maintenance, which causes loop with agency and
   dbservers.
 
+* Added support for access tokens. Access token can be used instead of
+  a password. However, the recommended way is to generate a JWT token
+  using /_open/auth.
+
 * Fix a bug in the index API /_api/index?withHidden=true, which can lead to
   two problems: (1) A newly created index is potentially not shown in
   the very moment when it is finished. (2) A newly created index is
 
@@ -1081,7 +1081,6 @@ add_subdirectory(3rdParty/faiss EXCLUDE_FROM_ALL)
 
 set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS_ORIG}")
 
-
 # ------------------------------------------------------------------------------
 # RocksDB
 # ------------------------------------------------------------------------------
 
@@ -158,7 +158,8 @@ auth::TokenCache::Entry auth::TokenCache::checkAuthenticationBasic(
   std::string up;
   absl::Base64Unescape(secret, &up);
   std::string::size_type n = up.find(':', 0);
-  if (n == std::string::npos || n == 0 || n + 1 > up.size()) {
+  // if password is an access token then username might be empty
+  if (n == std::string::npos || /* n == 0 || */ n + 1 > up.size()) {
     LOG_TOPIC("2a529", TRACE, arangodb::Logger::AUTHENTICATION)
         << "invalid authentication data found, cannot extract "
            "username/password";
@@ -167,8 +168,13 @@ auth::TokenCache::Entry auth::TokenCache::checkAuthenticationBasic(
 
   std::string username = up.substr(0, n);
   std::string password = up.substr(n + 1);
+  std::string un;
+  bool authorized = _userManager->checkCredentials(username, password, un);
+
+  if (authorized) {
+    username = un;
+  }
 
-  bool authorized = _userManager->checkPassword(username, password);
   double expiry = _authTimeout;
   if (expiry > 0) {
     expiry += TRI_microtime();