HTTP Basic authentication is deprecated in the Jamf Classic API #32

@UniversalSuperBox

According to Basic Authentication - Classic API Authentication Changes on the Jamf API documentation, HTTP Basic authentication to the Classic API is deprecated and could be removed from Jamf as early as August.

There appear to be a couple of places where JAWA uses Basic authentication:

JAWA/views/jamf_webhook.py

Lines 383 to 390 in fbfdaf1

```python
full_url = f"{session['url']}/JSSResource/webhooks/id/{each_webhook.get('jamf_id')}"
jawa_logger().info(f"{session.get('username')} editing the JPS webhook {name}.")
try:
    webhook_response = requests.put(full_url,
                                    auth=(session['username'], session['password']),
                                    headers={'Content-Type': 'application/xml'}, data=data,
                                    verify=verify_ssl)
```

```python
full_url = f"{session['url']}/JSSResource/webhooks/name/{each_webhook['name']}"
webhook_response = requests.put(full_url,
                                auth=(session['username'], session['password']),
                                headers={'Content-Type': 'application/xml'},
                                data=data)
```

For Jamf versions >=10.35.0, JAWA can use a bearer token instead. The login route should be changed to post to /v1/auth/token. The generated token and its expiry time can be stored in the client-side session cookie (which is how the username and password are stored right now). The wrinkle, then, is getting JAWA to renew the token when needed. Either on every request or when the token is close to expiring, request /v1/auth/keep-alive to get a new token and store it in the cookie.
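A sketch of the token flow proposed above, added here as an illustration; it is not part of the original issue and not JAWA code. The helper names, the five-minute renewal margin, the `/api` path prefix and the `token`/`expires` response fields are assumptions, and `session` stands for any dict-like session object.

```python
# Added example: helper names and RENEW_MARGIN are hypothetical, not JAWA code.
import base64
import json
import urllib.request
from datetime import datetime, timedelta, timezone

RENEW_MARGIN = timedelta(minutes=5)  # assumed threshold for "close to expiring"


def http_post(url, headers):
    """POST with an empty body and return the decoded JSON response."""
    req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def parse_expiry(stamp):
    """Parse an ISO 8601 UTC stamp such as 2022-03-15T18:35:21.021Z."""
    base = stamp.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def store_token(session, body):
    session["token"] = body["token"]
    session["token_expires"] = body["expires"]


def login(session, url, username, password, post=http_post):
    """Trade the credentials for a token once; the password is never stored."""
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    # The /api prefix is assumed to be the Jamf Pro API base path.
    body = post(f"{url}/api/v1/auth/token", {"Authorization": f"Basic {basic}"})
    session.update(url=url, username=username)
    store_token(session, body)


def bearer_headers(session, post=http_post, now=None):
    """Return Classic API headers, renewing the token when it is close to expiry."""
    now = now or datetime.now(timezone.utc)
    remaining = parse_expiry(session["token_expires"]) - now
    if remaining <= timedelta(0):
        session.pop("token", None)  # an expired token cannot authenticate keep-alive
        raise PermissionError("token expired; user must log in again")
    if remaining <= RENEW_MARGIN:
        body = post(f"{session['url']}/api/v1/auth/keep-alive",
                    {"Authorization": f"Bearer {session['token']}"})
        store_token(session, body)
    return {"Authorization": f"Bearer {session['token']}",
            "Content-Type": "application/xml"}
```

With this in place, the `requests.put` calls quoted above would pass `headers=bearer_headers(session)` instead of `auth=(...)`. If the session cookie is signed but not encrypted, the token is still readable by whoever holds the cookie; the gain is that it is short-lived and the password no longer travels with every request.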
