Merge branch 'pull/5141'

2024-09-03 01:03:13 +03:00 · 2024-09-03 01:03:13 +03:00 · b816bad726
commit b816bad726
parent 423ae5f8e0 973d62a25e
22 changed files with 231 additions and 336 deletions
--- a/app/controllers/api/permissions_controller.rb
+++ b/app/controllers/api/permissions_controller.rb
@ -9,13 +9,10 @@ module Api
    # External apps that use the api are able to query which permissions
    # they have. This currently returns a list of permissions granted to the current user:
    # * if authenticated via OAuth, this list will contain all permissions granted by the user to the access_token.
    # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions.
    # * unauthenticated users have no permissions, so the list will be empty.
    def show
      @permissions = if doorkeeper_token.present?
                       doorkeeper_token.scopes.map { |s| :"allow_#{s}" }
                     elsif current_user
                       Oauth.scopes.map { |s| :"allow_#{s.name}" }
                     else
                       []
                     end
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@ -47,19 +47,14 @@ class ApiController < ApplicationController
    end
  end
-  def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
+  def authorize(errormessage = "Couldn't authenticate you")
    # make the current_user object from any auth sources we have
    setup_user_auth
    # handle authenticate pass/fail
    unless current_user
      # no auth, the user does not exist or the password was wrong
      if Settings.basic_auth_support
        response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
      render :plain => errormessage, :status => :unauthorized
      else
        render :plain => errormessage, :status => :forbidden
      end
      false
    end
@ -80,13 +75,8 @@ class ApiController < ApplicationController
      report_error t("oauth.permissions.missing"), :forbidden
    elsif current_user
      head :forbidden
    elsif Settings.basic_auth_support
      realm = "Web Password"
      errormessage = "Couldn't authenticate you"
      response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
      render :plain => errormessage, :status => :unauthorized
    else
-      render :plain => errormessage, :status => :forbidden
+      head :unauthorized
    end
  end
@ -103,25 +93,7 @@ class ApiController < ApplicationController
  def setup_user_auth
    logger.info " setup_user_auth"
    # try and setup using OAuth
-    if doorkeeper_token&.accessible?
+    self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible?
      self.current_user = User.find(doorkeeper_token.resource_owner_id)
    else
      username, passwd = auth_data # parse from headers
      # authenticate per-scheme
      self.current_user = if username.nil?
                            nil # no authentication provided - perhaps first connect (client should retry after 401)
                          else
                            User.authenticate(:username => username, :password => passwd) # basic auth
                          end
      if username && current_user
        if Settings.basic_auth_support
          # log if we have authenticated using basic auth
          logger.info "Authenticated as user #{current_user.id} using basic authentication"
        else
          report_error t("application.basic_auth_disabled", :link => t("application.auth_disabled_link")), :forbidden
        end
      end
    end
    # have we identified the user?
    if current_user
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -323,20 +323,6 @@ class ApplicationController < ActionController::Base
    end
  end
  # extract authorisation credentials from headers, returns user = nil if none
  def auth_data
    if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
      authdata = request.env["X-HTTP_AUTHORIZATION"].to_s.split
    elsif request.env.key? "REDIRECT_X_HTTP_AUTHORIZATION" # mod_fcgi
      authdata = request.env["REDIRECT_X_HTTP_AUTHORIZATION"].to_s.split
    elsif request.env.key? "HTTP_AUTHORIZATION" # regular location
      authdata = request.env["HTTP_AUTHORIZATION"].to_s.split
    end
    # only basic authentication supported
    user, pass = Base64.decode64(authdata[1]).split(":", 2) if authdata && authdata[0] == "Basic"
    [user, pass]
  end
  # clean any referer parameter
  def safe_referer(referer)
    begin
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -2573,8 +2573,6 @@ en:
        other: "GPX file with %{count} points from %{user}"
      description_without_count: "GPX file from %{user}"
  application:
    basic_auth_disabled: "HTTP Basic Authentication is disabled: %{link}"
    auth_disabled_link: "https://wiki.openstreetmap.org/wiki/2024_authentication_update"
    permission_denied: You do not have permission to access that action
    require_cookies:
      cookies_needed: "You appear to have cookies disabled - please enable cookies in your browser before continuing."
--- a/config/settings.yml
+++ b/config/settings.yml
@ -106,8 +106,6 @@ attachments_dir: ":rails_root/public/attachments"
 #logstash_path: ""
 # List of memcache servers to use for caching
 #memcache_servers: []
 # Enable HTTP basic authentication support
 basic_auth_support: true
 # URL of Nominatim instance to use for geocoding
 nominatim_url: "https://nominatim.openstreetmap.org/"
 # Default editor
--- a/test/controllers/api/changeset_comments_controller_test.rb
+++ b/test/controllers/api/changeset_comments_controller_test.rb
@ -41,7 +41,7 @@ module Api
      deleted_user = create(:user, :deleted)
      private_user_closed_changeset = create(:changeset, :closed, :user => private_user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      assert_difference "ChangesetComment.count", 1 do
        assert_no_difference "ActionMailer::Base.deliveries.size" do
@ -74,7 +74,7 @@ module Api
      ActionMailer::Base.deliveries.clear
-      auth_header = basic_authorization_header user2.email, "test"
+      auth_header = bearer_authorization_header user2
      assert_difference "ChangesetComment.count", 1 do
        assert_difference "ActionMailer::Base.deliveries.size", 2 do
@ -105,7 +105,7 @@ module Api
      post changeset_comment_path(create(:changeset, :closed), :text => "This is a comment")
      assert_response :unauthorized
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # bad changeset id
      assert_no_difference "ChangesetComment.count" do
@ -138,7 +138,7 @@ module Api
      changeset = create(:changeset, :closed)
      user = create(:user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour do
        1.upto(Settings.initial_changeset_comments_per_hour) do |count|
@ -160,7 +160,7 @@ module Api
      user = create(:user)
      create_list(:changeset_comment, 200, :author_id => user.id, :created_at => Time.now.utc - 1.day)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      assert_difference "ChangesetComment.count", Settings.max_changeset_comments_per_hour do
        1.upto(Settings.max_changeset_comments_per_hour) do |count|
@ -182,7 +182,7 @@ module Api
      user = create(:user)
      create(:issue_with_reports, :reportable => user, :reported_user => user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour / 2 do
        1.upto(Settings.initial_changeset_comments_per_hour / 2) do |count|
@ -203,7 +203,7 @@ module Api
      changeset = create(:changeset, :closed)
      user = create(:moderator_user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      assert_difference "ChangesetComment.count", Settings.moderator_changeset_comments_per_hour do
        1.upto(Settings.moderator_changeset_comments_per_hour) do |count|
@ -229,14 +229,14 @@ module Api
      assert_response :unauthorized
      assert comment.reload.visible
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # not a moderator
      post changeset_comment_hide_path(comment), :headers => auth_header
      assert_response :forbidden
      assert comment.reload.visible
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      # bad comment id
      post changeset_comment_hide_path(999111), :headers => auth_header
@ -250,7 +250,7 @@ module Api
      comment = create(:changeset_comment)
      assert comment.visible
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      post changeset_comment_hide_path(comment), :headers => auth_header
      assert_response :success
@ -268,14 +268,14 @@ module Api
      assert_response :unauthorized
      assert_not comment.reload.visible
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # not a moderator
      post changeset_comment_unhide_path(comment), :headers => auth_header
      assert_response :forbidden
      assert_not comment.reload.visible
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      # bad comment id
      post changeset_comment_unhide_path(999111), :headers => auth_header
@ -289,7 +289,7 @@ module Api
      comment = create(:changeset_comment, :visible => false)
      assert_not comment.visible
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      post changeset_comment_unhide_path(comment), :headers => auth_header
      assert_response :success
@ -320,28 +320,5 @@ module Api
      end
      assert_response :success
    end
    # This test does the same as above, but with basic auth, to similarly test that the
    # abilities take into account terms agreement too.
    def test_api_write_and_terms_agreed_via_basic_auth
      user = create(:user, :terms_agreed => nil)
      changeset = create(:changeset, :closed)
      auth_header = basic_authorization_header user.email, "test"
      assert_difference "ChangesetComment.count", 0 do
        post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header
      end
      assert_response :forbidden
      # Try again, after agreement with the terms
      user.terms_agreed = Time.now.utc
      user.save!
      assert_difference "ChangesetComment.count", 1 do
        post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header
      end
      assert_response :success
    end
  end
 end
--- a/test/controllers/api/changesets_controller_test.rb
+++ b/test/controllers/api/changesets_controller_test.rb
@ -64,7 +64,7 @@ module Api
    # -----------------------
    def test_create
-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)
      # Create the first user's changeset
      xml = "<osm><changeset>" \
            "<tag k='created_by' v='osm test suite checking changesets'/>" \
@ -72,7 +72,7 @@ module Api
      put changeset_create_path, :params => xml, :headers => auth_header
      assert_require_public_data
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # Create the first user's changeset
      xml = "<osm><changeset>" \
            "<tag k='created_by' v='osm test suite checking changesets'/>" \
@ -99,13 +99,13 @@ module Api
    end
    def test_create_invalid
-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)
      xml = "<osm><changeset></osm>"
      put changeset_create_path, :params => xml, :headers => auth_header
      assert_require_public_data
      ## Try the public user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      xml = "<osm><changeset></osm>"
      put changeset_create_path, :params => xml, :headers => auth_header
      assert_response :bad_request, "creating a invalid changeset should fail"
@ -117,23 +117,23 @@ module Api
      assert_response :unauthorized, "shouldn't be able to create a changeset with no auth"
      ## Now try to with a non-public user
-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)
      put changeset_create_path, :headers => auth_header
      assert_require_public_data
      ## Try an inactive user
-      auth_header = basic_authorization_header create(:user, :pending).email, "test"
+      auth_header = bearer_authorization_header create(:user, :pending)
      put changeset_create_path, :headers => auth_header
      assert_inactive_user
      ## Now try to use a normal user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      put changeset_create_path, :headers => auth_header
      assert_response :bad_request, "creating a changeset with no content should fail"
    end
    def test_create_wrong_method
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      get changeset_create_path, :headers => auth_header
      assert_response :not_found
@ -216,7 +216,7 @@ module Api
      # one hidden comment shown to moderators
      moderator_user = create(:moderator_user)
-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user
      get changeset_show_path(changeset), :params => { :include_discussion => true, :show_hidden_comments => true },
                                          :headers => auth_header
      assert_response :success, "cannot get closed changeset with comments"
@ -322,7 +322,7 @@ module Api
      # one hidden comment shown to moderators
      moderator_user = create(:moderator_user)
-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user
      get changeset_show_path(changeset), :params => { :format => "json", :include_discussion => true, :show_hidden_comments => true },
                                          :headers => auth_header
      assert_response :success, "cannot get closed changeset with comments"
@ -416,12 +416,12 @@ module Api
      assert_response :unauthorized
      ## Try using the non-public user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      put changeset_close_path(private_changeset), :headers => auth_header
      assert_require_public_data
      ## The try with the public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      cs_id = changeset.id
      put changeset_close_path(cs_id), :headers => auth_header
@ -439,7 +439,7 @@ module Api
      user = create(:user)
      changeset = create(:changeset)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      put changeset_close_path(changeset), :headers => auth_header
      assert_response :conflict
@ -452,7 +452,7 @@ module Api
      user = create(:user)
      changeset = create(:changeset, :user => user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      get changeset_close_path(changeset), :headers => auth_header
      assert_response :not_found
@ -477,7 +477,7 @@ module Api
      end
      # Now try with auth
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      cs_ids.each do |id|
        put changeset_close_path(id), :headers => auth_header
        assert_response :not_found, "The changeset #{id} doesn't exist, so can't be closed"
@ -534,7 +534,7 @@ module Api
                      "shouldn't be able to upload a simple valid diff to changeset: #{@response.body}"
      ## Now try with a private user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      changeset_id = private_changeset.id
      # simple diff to change a node, way and relation by removing
@ -563,7 +563,7 @@ module Api
                      "can't upload a simple valid diff to changeset: #{@response.body}"
      ## Now try with the public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      changeset_id = changeset.id
      # simple diff to change a node, way and relation by removing
@ -606,7 +606,7 @@ module Api
      way = create(:way_with_nodes, :nodes_count => 2)
      relation = create(:relation)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # simple diff to create a node way and relation using placeholders
      diff = <<~CHANGESET
@ -677,7 +677,7 @@ module Api
      create(:relation_member, :relation => super_relation, :member => used_way)
      create(:relation_member, :relation => super_relation, :member => used_node)
-      auth_header = basic_authorization_header changeset.user.display_name, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = XML::Document.new
      diff.root = XML::Node.new "osmChange"
@ -719,7 +719,7 @@ module Api
      node = create(:node)
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.display_name, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = "<osmChange><delete><node id='#{node.id}' version='#{node.version}' changeset='#{changeset.id}'/></delete></osmChange>"
      # upload it
@ -736,7 +736,7 @@ module Api
    def test_repeated_changeset_create
      3.times do
-        auth_header = basic_authorization_header create(:user).email, "test"
+        auth_header = bearer_authorization_header
        # create a temporary changeset
        xml = "<osm><changeset>" \
@ -751,7 +751,7 @@ module Api
    def test_upload_large_changeset
      user = create(:user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # create an old changeset to ensure we have the maximum rate limit
      create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)
@ -813,7 +813,7 @@ module Api
      create(:relation_member, :relation => relation, :member => used_way)
      create(:relation_member, :relation => relation, :member => used_node)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = XML::Document.new
      diff.root = XML::Node.new "osmChange"
@ -855,7 +855,7 @@ module Api
      create(:relation_member, :relation => super_relation, :member => used_way)
      create(:relation_member, :relation => super_relation, :member => used_node)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = XML::Document.new
      diff.root = XML::Node.new "osmChange"
@ -911,7 +911,7 @@ module Api
    def test_upload_invalid_too_long_tag
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      # simple diff to create a node way and relation using placeholders
      diff = <<~CHANGESET
@ -941,7 +941,7 @@ module Api
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      # simple diff to create a node way and relation using placeholders
      diff = <<~CHANGESET
@ -1000,7 +1000,7 @@ module Api
      relation = create(:relation)
      other_relation = create(:relation)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      # simple diff to create a node way and relation using placeholders
      diff = <<~CHANGESET
@ -1043,7 +1043,7 @@ module Api
    def test_upload_multiple_valid
      node = create(:node)
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      # change the location of a node multiple times, each time referencing
      # the last version. doesn't this depend on version numbers being
@ -1081,7 +1081,7 @@ module Api
      node = create(:node)
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1103,7 +1103,7 @@ module Api
    def test_upload_missing_version
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1124,7 +1124,7 @@ module Api
    def test_action_upload_invalid
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1149,7 +1149,7 @@ module Api
      other_relation = create(:relation)
      create(:relation_tag, :relation => relation)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1184,7 +1184,7 @@ module Api
    def test_upload_reuse_placeholder_valid
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1218,7 +1218,7 @@ module Api
    def test_upload_placeholder_invalid
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1256,7 +1256,7 @@ module Api
    def test_upload_process_order
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1280,7 +1280,7 @@ module Api
    def test_upload_duplicate_delete
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1327,7 +1327,7 @@ module Api
      changeset = create(:changeset)
      way = create(:way)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1382,7 +1382,7 @@ module Api
      changeset = create(:changeset)
      relation = create(:relation)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      diff = <<~CHANGESET
        <osmChange>
@ -1434,7 +1434,7 @@ module Api
    # test what happens if a diff is uploaded containing only a node
    # move.
    def test_upload_node_move
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      xml = "<osm><changeset>" \
            "<tag k='created_by' v='osm test suite checking changesets'/>" \
@ -1471,7 +1471,7 @@ module Api
    ##
    # test what happens if a diff is uploaded adding a node to a way.
    def test_upload_way_extend
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      xml = "<osm><changeset>" \
            "<tag k='created_by' v='osm test suite checking changesets'/>" \
@ -1512,7 +1512,7 @@ module Api
    def test_upload_empty_invalid
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      ["<osmChange/>",
       "<osmChange></osmChange>",
@ -1532,7 +1532,7 @@ module Api
      node = create(:node)
      create(:relation_member, :member => node)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      # try and delete a node that is in use
      diff = XML::Document.new
@ -1556,7 +1556,7 @@ module Api
    def test_upload_not_found
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      # modify node
      diff = <<~CHANGESET
@ -1640,7 +1640,7 @@ module Api
    def test_upload_relation_placeholder_not_fix
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      # modify node
      diff = <<~CHANGESET
@ -1674,7 +1674,7 @@ module Api
    def test_upload_multiple_delete_block
      changeset = create(:changeset)
-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user
      node = create(:node)
      way = create(:way)
@ -1717,7 +1717,7 @@ module Api
                                     :num_changes => Settings.initial_changes_per_hour - 2)
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # simple diff to create a node way and relation using placeholders
      diff = <<~CHANGESET
@ -1772,7 +1772,7 @@ module Api
      end
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # simple diff to create a node way and relation using placeholders
      diff = <<~CHANGESET
@ -1813,7 +1813,7 @@ module Api
                                     :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # simple diff to create a node
      diff = <<~CHANGESET
@ -1847,7 +1847,7 @@ module Api
                                     :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # simple diff to create a node way and relation using placeholders
      diff = <<~CHANGESET
@ -1873,7 +1873,7 @@ module Api
      node = create(:node)
      ## First try with a non-public user, which should get a forbidden
-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)
      # create a temporary changeset
      xml = "<osm><changeset>" \
@ -1883,7 +1883,7 @@ module Api
      assert_response :forbidden
      ## Now try with a normal user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # create a temporary changeset
      xml = "<osm><changeset>" \
@ -1928,7 +1928,7 @@ module Api
    #
    # NOTE: the error turned out to be something else completely!
    def test_josm_upload
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # create a temporary changeset
      xml = "<osm><changeset>" \
@ -1989,7 +1989,7 @@ module Api
      node = create(:node)
      node2 = create(:node)
      way = create(:way)
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # create a temporary changeset
      xml = "<osm><changeset>" \
@ -2104,7 +2104,7 @@ module Api
      way = create(:way)
      create(:way_node, :way => way, :node => create(:node, :lat => 0.3, :lon => 0.3))
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # create a new changeset
      xml = "<osm><changeset/></osm>"
@ -2193,7 +2193,7 @@ module Api
      assert_response :not_found, "shouldn't be able to get changesets by non-public user (name)"
      # but this should work
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      get changesets_path(:user => private_user.id), :headers => auth_header
      assert_response :success, "can't get changesets by user ID"
      assert_changesets_in_order [private_user_changeset, private_user_closed_changeset]
@ -2421,12 +2421,12 @@ module Api
      assert_response :unauthorized
      # try with the wrong authorization
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
      assert_response :conflict
      # now this should get an unauthorized
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
      assert_require_public_data "user with their data non-public, shouldn't be able to edit their changeset"
@ -2442,12 +2442,12 @@ module Api
      assert_response :unauthorized
      # try with the wrong authorization
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
      assert_response :conflict
      # now this should work...
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
      assert_response :success
@ -2460,7 +2460,7 @@ module Api
    # check that a user different from the one who opened the changeset
    # can't modify it.
    def test_changeset_update_invalid
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      changeset = create(:changeset)
      new_changeset = create_changeset_xml(:user => changeset.user, :id => changeset.id)
@ -2478,7 +2478,7 @@ module Api
    ## FIXME should be changed to an integration test due to the with_controller
    def test_changeset_limits
      user = create(:user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # create an old changeset to ensure we have the maximum rate limit
      create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)
@ -2559,7 +2559,7 @@ module Api
    ##
    # test subscribe success
    def test_subscribe_success
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      changeset = create(:changeset, :closed)
      assert_difference "changeset.subscribers.count", 1 do
@ -2587,7 +2587,7 @@ module Api
      end
      assert_response :unauthorized
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # bad changeset id
      assert_no_difference "changeset.subscribers.count" do
@ -2608,7 +2608,7 @@ module Api
    # test unsubscribe success
    def test_unsubscribe_success
      user = create(:user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      changeset = create(:changeset, :closed)
      changeset.subscribers.push(user)
@ -2637,7 +2637,7 @@ module Api
      end
      assert_response :unauthorized
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # bad changeset id
      assert_no_difference "changeset.subscribers.count" do
--- a/test/controllers/api/nodes_controller_test.rb
+++ b/test/controllers/api/nodes_controller_test.rb
@ -55,7 +55,7 @@ module Api
      assert_response :unauthorized, "node upload did not return unauthorized status"
      ## Now try with the user which doesn't have their data public
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # create a minimal xml file
      xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{private_changeset.id}'/></osm>"
@ -66,7 +66,7 @@ module Api
      assert_require_public_data "node create did not return forbidden status"
      ## Now try with the user that has the public data
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # create a minimal xml file
      xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{changeset.id}'/></osm>"
@ -92,7 +92,7 @@ module Api
      user = create(:user)
      changeset = create(:changeset, :user => user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      lat = 3.434
      lon = 3.23
@ -178,7 +178,7 @@ module Api
      assert_response :unauthorized
      ## now set auth for the non-data public user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # try to delete with an invalid (closed) changeset
      xml = update_changeset(xml_for_node(private_node), private_user_closed_changeset.id)
@ -226,7 +226,7 @@ module Api
      changeset = create(:changeset, :user => user)
      closed_changeset = create(:changeset, :closed, :user => user)
      node = create(:node, :changeset => changeset)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try to delete with an invalid (closed) changeset
      xml = update_changeset(xml_for_node(node), closed_changeset.id)
@ -314,7 +314,7 @@ module Api
      ## Second test with the private user
      # setup auth
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      ## trying to break changesets
@ -356,7 +356,7 @@ module Api
      assert_response :forbidden
      # setup auth
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      ## trying to break changesets
@ -477,7 +477,7 @@ module Api
      existing_tag = create(:node_tag)
      assert existing_tag.node.changeset.user.data_public
      # setup auth
-      auth_header = basic_authorization_header existing_tag.node.changeset.user.email, "test"
+      auth_header = bearer_authorization_header existing_tag.node.changeset.user
      # add an identical tag to the node
      tag_xml = XML::Node.new("tag")
@ -503,7 +503,7 @@ module Api
      changeset = create(:changeset, :user => user)
      ## First try with the non-data public user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # try and put something into a string that the API might
      # use unquoted and therefore allow code injection...
@ -514,7 +514,7 @@ module Api
      assert_require_public_data "Shouldn't be able to create with non-public user"
      ## Then try with the public data user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try and put something into a string that the API might
      # use unquoted and therefore allow code injection...
@ -552,7 +552,7 @@ module Api
                                     :num_changes => Settings.initial_changes_per_hour - 1)
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try creating a node
      xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
@ -599,7 +599,7 @@ module Api
      end
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try creating a node
      xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
--- a/test/controllers/api/notes_controller_test.rb
+++ b/test/controllers/api/notes_controller_test.rb
@ -203,7 +203,7 @@ module Api
    def test_comment_success
      open_note_with_comment = create(:note_with_comments)
      user = create(:user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      assert_difference "NoteComment.count", 1 do
        assert_no_difference "ActionMailer::Base.deliveries.size" do
          perform_enqueued_jobs do
@ -244,7 +244,7 @@ module Api
        create(:note_comment, :note => note, :author => second_user)
      end
-      auth_header = basic_authorization_header third_user.email, "test"
+      auth_header = bearer_authorization_header third_user
      assert_difference "NoteComment.count", 1 do
        assert_difference "ActionMailer::Base.deliveries.size", 2 do
@ -300,7 +300,7 @@ module Api
        assert_response :unauthorized
      end
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      assert_no_difference "NoteComment.count" do
        post comment_api_note_path(open_note_with_comment), :headers => auth_header
@ -344,7 +344,7 @@ module Api
      post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json")
      assert_response :unauthorized
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json"), :headers => auth_header
      assert_response :success
@ -375,7 +375,7 @@ module Api
      post close_api_note_path(12345)
      assert_response :unauthorized
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      post close_api_note_path(12345), :headers => auth_header
      assert_response :not_found
@ -398,7 +398,7 @@ module Api
      post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json")
      assert_response :unauthorized
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json"), :headers => auth_header
      assert_response :success
@ -431,7 +431,7 @@ module Api
      post reopen_api_note_path(hidden_note_with_comment)
      assert_response :unauthorized
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      post reopen_api_note_path(12345), :headers => auth_header
      assert_response :not_found
@ -550,12 +550,12 @@ module Api
      delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json")
      assert_response :unauthorized
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
      assert_response :forbidden
-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user
      delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
      assert_response :success
@ -572,7 +572,7 @@ module Api
      get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
      assert_response :success
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
      assert_response :gone
@ -585,12 +585,12 @@ module Api
      delete api_note_path(12345, :format => "json")
      assert_response :unauthorized
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      delete api_note_path(12345, :format => "json"), :headers => auth_header
      assert_response :forbidden
-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user
      delete api_note_path(12345, :format => "json"), :headers => auth_header
      assert_response :not_found
--- a/test/controllers/api/old_nodes_controller_test.rb
+++ b/test/controllers/api/old_nodes_controller_test.rb
@ -48,7 +48,7 @@ module Api
      propagate_tags(node, node.old_nodes.last)
      ## First try this with a non-public user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # setup a simple XML node
      xml_doc = xml_for_node(private_node)
@ -95,7 +95,7 @@ module Api
      # probably should check that they didn't get written to the database
      ## Now do it with the public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # setup a simple XML node
@ -212,7 +212,7 @@ module Api
    # test the redaction of an old version of a node, while being
    # authorised as a normal user.
    def test_redact_node_normal_user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      node = create(:node, :with_history, :version => 4)
      node_v3 = node.old_nodes.find_by(:version => 3)
@ -227,7 +227,7 @@ module Api
    # test that, even as moderator, the current version of a node
    # can't be redacted.
    def test_redact_node_current_version
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      node = create(:node, :with_history, :version => 4)
      node_v4 = node.old_nodes.find_by(:version => 4)
@ -287,7 +287,7 @@ module Api
      assert_response :forbidden, "Redacted node shouldn't be visible via the version API."
      # not even to a logged-in user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header
      assert_response :forbidden, "Redacted node shouldn't be visible via the version API, even when logged in."
    end
@ -305,7 +305,7 @@ module Api
                    "redacted node #{node_v1.node_id} version #{node_v1.version} shouldn't be present in the history."
      # not even to a logged-in user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      get api_node_history_path(node), :headers => auth_header
      assert_response :success, "Redaction shouldn't have stopped history working."
      assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 0,
@ -318,7 +318,7 @@ module Api
    def test_redact_node_moderator
      node = create(:node, :with_history, :version => 4)
      node_v3 = node.old_nodes.find_by(:version => 3)
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      do_redact_node(node_v3, create(:redaction), auth_header)
      assert_response :success, "should be OK to redact old version as moderator."
@ -346,13 +346,13 @@ module Api
    def test_redact_node_is_redacted
      node = create(:node, :with_history, :version => 4)
      node_v3 = node.old_nodes.find_by(:version => 3)
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      do_redact_node(node_v3, create(:redaction), auth_header)
      assert_response :success, "should be OK to redact old version as moderator."
      # re-auth as non-moderator
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # check can't see the redacted data
      get api_old_node_path(node_v3.node_id, node_v3.version), :headers => auth_header
@ -386,7 +386,7 @@ module Api
      node_v1 = node.old_nodes.find_by(:version => 1)
      node_v1.redact!(create(:redaction))
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
      assert_response :forbidden, "should need to be moderator to unredact."
@ -401,7 +401,7 @@ module Api
      node_v1 = node.old_nodes.find_by(:version => 1)
      node_v1.redact!(create(:redaction))
-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user
      post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
      assert_response :success, "should be OK to unredact old version as moderator."
@ -417,7 +417,7 @@ module Api
      assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 1,
                    "node #{node_v1.node_id} version #{node_v1.version} should now be present in the history for moderators without passing flag."
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # check normal user can now see the redacted data
      get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header
--- a/test/controllers/api/old_relations_controller_test.rb
+++ b/test/controllers/api/old_relations_controller_test.rb
@ -58,7 +58,7 @@ module Api
      relation = create(:relation, :with_history, :version => 4)
      relation_v3 = relation.old_relations.find_by(:version => 3)
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      do_redact_relation(relation_v3, create(:redaction), auth_header)
      assert_response :forbidden, "should need to be moderator to redact."
@ -71,7 +71,7 @@ module Api
      relation = create(:relation, :with_history, :version => 4)
      relation_latest = relation.old_relations.last
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      do_redact_relation(relation_latest, create(:redaction), auth_header)
      assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
@ -126,7 +126,7 @@ module Api
      assert_response :forbidden, "Redacted relation shouldn't be visible via the version API."
      # not even to a logged-in user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
      assert_response :forbidden, "Redacted relation shouldn't be visible via the version API, even when logged in."
    end
@ -144,7 +144,7 @@ module Api
                    "redacted relation #{relation_v1.relation_id} version #{relation_v1.version} shouldn't be present in the history."
      # not even to a logged-in user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
      get api_relation_history_path(relation), :headers => auth_header
      assert_response :success, "Redaction shouldn't have stopped history working."
@ -159,7 +159,7 @@ module Api
      relation = create(:relation, :with_history, :version => 4)
      relation_v3 = relation.old_relations.find_by(:version => 3)
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      do_redact_relation(relation_v3, create(:redaction), auth_header)
      assert_response :success, "should be OK to redact old version as moderator."
@ -188,13 +188,13 @@ module Api
      relation = create(:relation, :with_history, :version => 4)
      relation_v3 = relation.old_relations.find_by(:version => 3)
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      do_redact_relation(relation_v3, create(:redaction), auth_header)
      assert_response :success, "should be OK to redact old version as moderator."
      # re-auth as non-moderator
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # check can't see the redacted data
      get api_old_relation_path(relation_v3.relation_id, relation_v3.version), :headers => auth_header
@ -227,7 +227,7 @@ module Api
      relation_v1 = relation.old_relations.find_by(:version => 1)
      relation_v1.redact!(create(:redaction))
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
      assert_response :forbidden, "should need to be moderator to unredact."
@ -241,7 +241,7 @@ module Api
      relation_v1 = relation.old_relations.find_by(:version => 1)
      relation_v1.redact!(create(:redaction))
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
      assert_response :success, "should be OK to unredact old version as moderator."
@ -257,7 +257,7 @@ module Api
      assert_select "osm relation[id='#{relation_v1.relation_id}'][version='#{relation_v1.version}']", 1,
                    "relation #{relation_v1.relation_id} version #{relation_v1.version} should still be present in the history for moderators."
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # check normal user can now see the redacted data
      get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
--- a/test/controllers/api/old_ways_controller_test.rb
+++ b/test/controllers/api/old_ways_controller_test.rb
@ -98,7 +98,7 @@ module Api
    # test the redaction of an old version of a way, while being
    # authorised as a normal user.
    def test_redact_way_normal_user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      way = create(:way, :with_history, :version => 4)
      way_v3 = way.old_ways.find_by(:version => 3)
@ -110,7 +110,7 @@ module Api
    # test that, even as moderator, the current version of a way
    # can't be redacted.
    def test_redact_way_current_version
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      way = create(:way, :with_history, :version => 4)
      way_latest = way.old_ways.last
@ -167,7 +167,7 @@ module Api
      assert_response :forbidden, "Redacted way shouldn't be visible via the version API."
      # not even to a logged-in user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header
      assert_response :forbidden, "Redacted way shouldn't be visible via the version API, even when logged in."
    end
@ -185,7 +185,7 @@ module Api
                    "redacted way #{way_v1.way_id} version #{way_v1.version} shouldn't be present in the history."
      # not even to a logged-in user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      get api_way_history_path(way), :headers => auth_header
      assert_response :success, "Redaction shouldn't have stopped history working."
      assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 0,
@ -198,7 +198,7 @@ module Api
    def test_redact_way_moderator
      way = create(:way, :with_history, :version => 4)
      way_v3 = way.old_ways.find_by(:version => 3)
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      do_redact_way(way_v3, create(:redaction), auth_header)
      assert_response :success, "should be OK to redact old version as moderator."
@ -226,13 +226,13 @@ module Api
    def test_redact_way_is_redacted
      way = create(:way, :with_history, :version => 4)
      way_v3 = way.old_ways.find_by(:version => 3)
-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)
      do_redact_way(way_v3, create(:redaction), auth_header)
      assert_response :success, "should be OK to redact old version as moderator."
      # re-auth as non-moderator
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # check can't see the redacted data
      get api_old_way_path(way_v3.way_id, way_v3.version), :headers => auth_header
@ -265,7 +265,7 @@ module Api
      way_v1 = way.old_ways.find_by(:version => 1)
      way_v1.redact!(create(:redaction))
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
      assert_response :forbidden, "should need to be moderator to unredact."
@ -280,7 +280,7 @@ module Api
      way_v1 = way.old_ways.find_by(:version => 1)
      way_v1.redact!(create(:redaction))
-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user
      post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
      assert_response :success, "should be OK to unredact old version as moderator."
@ -296,7 +296,7 @@ module Api
      assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 1,
                    "way #{way_v1.way_id} version #{way_v1.version} should still be present in the history for moderators."
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # check normal user can now see the unredacted data
      get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header
--- a/test/controllers/api/permissions_controller_test.rb
+++ b/test/controllers/api/permissions_controller_test.rb
@ -32,30 +32,6 @@ module Api
      assert_equal 0, js["permissions"].count
    end
    def test_permissions_basic_auth
      auth_header = basic_authorization_header create(:user).email, "test"
      get permissions_path, :headers => auth_header
      assert_response :success
      assert_select "osm > permissions", :count => 1 do
        assert_select "permission", :count => Oauth.scopes.size
        Oauth.scopes.each do |p|
          assert_select "permission[name='allow_#{p.name}']", :count => 1
        end
      end
      # Test json
      get permissions_path(:format => "json"), :headers => auth_header
      assert_response :success
      assert_equal "application/json", @response.media_type
      js = ActiveSupport::JSON.decode(@response.body)
      assert_not_nil js
      assert_equal Oauth.scopes.size, js["permissions"].count
      Oauth.scopes.each do |p|
        assert_includes js["permissions"], "allow_#{p.name}"
      end
    end
    def test_permissions_oauth2
      user = create(:user)
      token = create(:oauth_access_token,
--- a/test/controllers/api/relations_controller_test.rb
+++ b/test/controllers/api/relations_controller_test.rb
@ -221,7 +221,7 @@ module Api
      node = create(:node)
      way = create(:way_with_nodes, :nodes_count => 2)
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # create an relation without members
      xml = "<osm><relation changeset='#{private_changeset.id}'><tag k='test' v='yes' /></relation></osm>"
@ -263,7 +263,7 @@ module Api
                      "relation upload did not return success status"
      ## Now try with the public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # create an relation without members
      xml = "<osm><relation changeset='#{changeset.id}'><tag k='test' v='yes' /></relation></osm>"
@ -391,7 +391,7 @@ module Api
      relation = create(:relation)
      create_list(:relation_tag, 4, :relation => relation)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      with_relation(relation.id) do |rel|
        # alter one of the tags
@ -423,7 +423,7 @@ module Api
      relation = create(:relation)
      create_list(:relation_tag, 4, :relation => relation)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      with_relation(relation.id) do |rel|
        # alter one of the tags
@ -450,7 +450,7 @@ module Api
      relation = create(:relation)
      other_relation = create(:relation)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      with_relation(relation.id) do |rel|
        update_changeset(rel, changeset.id)
        put api_relation_path(other_relation), :params => rel.to_s, :headers => auth_header
@ -466,7 +466,7 @@ module Api
      user = create(:user)
      changeset = create(:changeset, :user => user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # create a relation with non-existing node as member
      xml = "<osm><relation changeset='#{changeset.id}'>" \
@ -487,7 +487,7 @@ module Api
      changeset = create(:changeset, :user => user)
      node = create(:node)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # create some xml that should return an error
      xml = "<osm><relation changeset='#{changeset.id}'>" \
@ -522,7 +522,7 @@ module Api
      assert_response :unauthorized
      ## Then try with the private user, to make sure that you get a forbidden
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # this shouldn't work, as we should need the payload...
      delete api_relation_path(relation), :headers => auth_header
@ -564,7 +564,7 @@ module Api
      assert_response :forbidden
      ## now set auth for the public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # this shouldn't work, as we should need the payload...
      delete api_relation_path(relation), :headers => auth_header
@ -743,7 +743,7 @@ module Api
      way1 = create(:way_with_nodes, :nodes_count => 2)
      way2 = create(:way_with_nodes, :nodes_count => 2)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      doc_str = <<~OSM
        <osm>
@ -816,13 +816,13 @@ module Api
      doc = XML::Parser.string(doc_str).parse
      ## First try with the private user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      put relation_create_path, :params => doc.to_s, :headers => auth_header
      assert_response :forbidden
      ## Now try with the public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      put relation_create_path, :params => doc.to_s, :headers => auth_header
      assert_response :success, "can't create a relation: #{@response.body}"
@ -855,7 +855,7 @@ module Api
        </osm>
      OSM
      doc = XML::Parser.string(doc_str).parse
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      put relation_create_path, :params => doc.to_s, :headers => auth_header
      assert_response :success, "can't create a relation: #{@response.body}"
@ -922,7 +922,7 @@ module Api
                                     :num_changes => Settings.initial_changes_per_hour - 1)
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try creating a relation
      xml = "<osm><relation changeset='#{changeset.id}'>" \
@ -982,7 +982,7 @@ module Api
      end
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try creating a relation
      xml = "<osm><relation changeset='#{changeset.id}'>" \
@ -1062,7 +1062,7 @@ module Api
    # that the changeset bounding box is +bbox+.
    def check_changeset_modify(bbox)
      ## First test with the private user to check that you get a forbidden
-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)
      # create a new changeset for this operation, so we are assured
      # that the bounding box will be newly-generated.
@ -1073,7 +1073,7 @@ module Api
      end
      ## Now do the whole thing with the public user
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # create a new changeset for this operation, so we are assured
      # that the bounding box will be newly-generated.
--- a/test/controllers/api/traces_controller_test.rb
+++ b/test/controllers/api/traces_controller_test.rb
@ -44,12 +44,12 @@ module Api
      assert_response :unauthorized
      # Now with some other user, which should work since the trace is public
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      get api_trace_path(public_trace_file), :headers => auth_header
      assert_response :success
      # And finally we should be able to do it with the owner of the trace
-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user
      get api_trace_path(public_trace_file), :headers => auth_header
      assert_response :success
      assert_select "gpx_file[id='#{public_trace_file.id}'][uid='#{public_trace_file.user.id}']", 1
@ -64,12 +64,12 @@ module Api
      assert_response :unauthorized
      # Now try with another user, which shouldn't work since the trace is anon
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      get api_trace_path(anon_trace_file), :headers => auth_header
      assert_response :forbidden
      # And finally we should be able to get the trace details with the trace owner
-      auth_header = basic_authorization_header anon_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header anon_trace_file.user
      get api_trace_path(anon_trace_file), :headers => auth_header
      assert_response :success
    end
@ -83,12 +83,12 @@ module Api
      assert_response :unauthorized
      # Login, and try again
-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user
      get api_trace_path(:id => 0), :headers => auth_header
      assert_response :not_found
      # Now try a trace which did exist but has been deleted
-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user
      get api_trace_path(deleted_trace_file), :headers => auth_header
      assert_response :not_found
    end
@ -102,14 +102,14 @@ module Api
      assert_response :unauthorized
      # Now with some other user, which should work since the trace is public
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      get api_trace_data_path(public_trace_file), :headers => auth_header
      follow_redirect!
      follow_redirect!
      check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9"
      # And finally we should be able to do it with the owner of the trace
-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user
      get api_trace_data_path(public_trace_file), :headers => auth_header
      follow_redirect!
      follow_redirect!
@ -121,7 +121,7 @@ module Api
      identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d")
      # Authenticate as the owner of the trace we will be using
-      auth_header = basic_authorization_header identifiable_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header identifiable_trace_file.user
      # First get the data as is
      get api_trace_data_path(identifiable_trace_file), :headers => auth_header
@ -147,12 +147,12 @@ module Api
      assert_response :unauthorized
      # Now with some other user, which shouldn't work since the trace is anon
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      get api_trace_data_path(anon_trace_file), :headers => auth_header
      assert_response :forbidden
      # And finally we should be able to do it with the owner of the trace
-      auth_header = basic_authorization_header anon_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header anon_trace_file.user
      get api_trace_data_path(anon_trace_file), :headers => auth_header
      follow_redirect!
      follow_redirect!
@ -168,12 +168,12 @@ module Api
      assert_response :unauthorized
      # Login, and try again
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      get api_trace_data_path(:id => 0), :headers => auth_header
      assert_response :not_found
      # Now try a trace which did exist but has been deleted
-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user
      get api_trace_data_path(deleted_trace_file), :headers => auth_header
      assert_response :not_found
    end
@ -195,7 +195,7 @@ module Api
      # Now authenticated
      create(:user_preference, :user => user, :k => "gps.trace.visibility", :v => "identifiable")
      assert_not_equal "trackable", user.preferences.find_by(:k => "gps.trace.visibility").v
-      auth_header = basic_authorization_header user.display_name, "test"
+      auth_header = bearer_authorization_header user
      post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" }, :headers => auth_header
      assert_response :success
      trace = Trace.find(response.body.to_i)
@ -213,7 +213,7 @@ module Api
      # Now authenticated, with the legacy public flag
      assert_not_equal "public", user.preferences.find_by(:k => "gps.trace.visibility").v
-      auth_header = basic_authorization_header user.display_name, "test"
+      auth_header = bearer_authorization_header user
      post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 }, :headers => auth_header
      assert_response :success
      trace = Trace.find(response.body.to_i)
@ -232,7 +232,7 @@ module Api
      # Now authenticated, with the legacy private flag
      second_user = create(:user)
      assert_nil second_user.preferences.find_by(:k => "gps.trace.visibility")
-      auth_header = basic_authorization_header second_user.display_name, "test"
+      auth_header = bearer_authorization_header second_user
      post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 }, :headers => auth_header
      assert_response :success
      trace = Trace.find(response.body.to_i)
@ -257,28 +257,28 @@ module Api
      assert_response :unauthorized
      # Now with some other user, which should fail
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      put api_trace_path(public_trace_file), :params => create_trace_xml(public_trace_file), :headers => auth_header
      assert_response :forbidden
      # Now with a trace which doesn't exist
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      put api_trace_path(:id => 0), :params => create_trace_xml(public_trace_file), :headers => auth_header
      assert_response :not_found
      # Now with a trace which did exist but has been deleted
-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user
      put api_trace_path(deleted_trace_file), :params => create_trace_xml(deleted_trace_file), :headers => auth_header
      assert_response :not_found
      # Now try an update with the wrong ID
-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user
      put api_trace_path(public_trace_file), :params => create_trace_xml(anon_trace_file), :headers => auth_header
      assert_response :bad_request,
                      "should not be able to update a trace with a different ID from the XML"
      # And finally try an update that should work
-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user
      t = public_trace_file
      t.description = "Changed description"
      t.visibility = "private"
@ -293,7 +293,7 @@ module Api
    def test_update_tags
      tracetag = create(:tracetag)
      trace = tracetag.trace
-      auth_header = basic_authorization_header trace.user.display_name, "test"
+      auth_header = bearer_authorization_header trace.user
      put api_trace_path(trace), :params => create_trace_xml(trace), :headers => auth_header
      assert_response :success
@ -314,22 +314,22 @@ module Api
      assert_response :unauthorized
      # Now with some other user, which should fail
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      delete api_trace_path(public_trace_file), :headers => auth_header
      assert_response :forbidden
      # Now with a trace which doesn't exist
-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header
      delete api_trace_path(:id => 0), :headers => auth_header
      assert_response :not_found
      # And finally we should be able to do it with the owner of the trace
-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user
      delete api_trace_path(public_trace_file), :headers => auth_header
      assert_response :success
      # Try it a second time, which should fail
-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user
      delete api_trace_path(public_trace_file), :headers => auth_header
      assert_response :not_found
    end
--- a/test/controllers/api/user_preferences_controller_test.rb
+++ b/test/controllers/api/user_preferences_controller_test.rb
@ -39,7 +39,7 @@ module Api
      assert_response :unauthorized, "should be authenticated"
      # authenticate as a user with no preferences
-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header
      # try the read again
      get user_preferences_path, :headers => auth_header
@ -53,7 +53,7 @@ module Api
      user = create(:user)
      user_preference = create(:user_preference, :user => user)
      user_preference2 = create(:user_preference, :user => user)
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)
      # try the read again
      get user_preferences_path, :headers => auth_header
@ -89,7 +89,7 @@ module Api
      assert_response :unauthorized, "should be authenticated"
      # authenticate as a user with preferences
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)
      # try the read again
      get user_preference_path(:preference_key => "key"), :headers => auth_header
@ -121,7 +121,7 @@ module Api
      end
      # authenticate as a user with preferences
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)
      # try the put again
      assert_no_difference "UserPreference.count" do
@ -181,7 +181,7 @@ module Api
      end
      # authenticate as a user with preferences
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)
      # try adding a new preference
      assert_difference "UserPreference.count", 1 do
@ -225,7 +225,7 @@ module Api
      assert_equal "value", UserPreference.find([user.id, "key"]).v
      # authenticate as a user with preferences
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)
      # try the delete again
      assert_difference "UserPreference.count", -1 do
--- a/test/controllers/api/users_controller_test.rb
+++ b/test/controllers/api/users_controller_test.rb
@ -164,7 +164,7 @@ module Api
      assert_response :unauthorized
      # check that we get a response when logged in
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      get user_details_path, :headers => auth_header
      assert_response :success
      assert_equal "application/xml", response.media_type
@ -173,7 +173,7 @@ module Api
      check_xml_details(user, true, false)
      # check that data is returned properly in json
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      get user_details_path(:format => "json"), :headers => auth_header
      assert_response :success
      assert_equal "application/json", response.media_type
@ -427,7 +427,7 @@ module Api
      assert_response :unauthorized
      # check that we get a response when logged in
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      get user_gpx_files_path, :headers => auth_header
      assert_response :success
      assert_equal "application/xml", response.media_type
--- a/test/controllers/api/ways_controller_test.rb
+++ b/test/controllers/api/ways_controller_test.rb
@ -146,7 +146,7 @@ module Api
      changeset = create(:changeset, :user => user)
      ## First check that it fails when creating a way using a non-public user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # use the first user's open changeset
      changeset_id = private_changeset.id
@ -161,7 +161,7 @@ module Api
                      "way upload did not return forbidden status"
      ## Now use a public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # use the first user's open changeset
      changeset_id = changeset.id
@ -207,7 +207,7 @@ module Api
      closed_changeset = create(:changeset, :closed, :user => user)
      ## First test with a private user to make sure that they are not authorized
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # use the first user's open changeset
      # create a way with non-existing node
@ -235,7 +235,7 @@ module Api
                      "way upload to closed changeset with a private user did not return 'forbidden'"
      ## Now test with a public user
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # use the first user's open changeset
      # create a way with non-existing node
@ -301,7 +301,7 @@ module Api
      assert_response :unauthorized
      # now set auth using the private user
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # this shouldn't work as with the 0.6 api we need pay load to delete
      delete api_way_path(private_way), :headers => auth_header
@ -350,7 +350,7 @@ module Api
      ### Now check with a public user
      # now set auth
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # this shouldn't work as with the 0.6 api we need pay load to delete
      delete api_way_path(way), :headers => auth_header
@ -419,7 +419,7 @@ module Api
      ## Second test with the private user
      # setup auth
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      ## trying to break changesets
@ -457,7 +457,7 @@ module Api
      ## Finally test with the public user
      # setup auth
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      ## trying to break changesets
@ -541,7 +541,7 @@ module Api
      ## Try with the non-public user
      # setup auth
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # add an identical tag to the way
      tag_xml = XML::Node.new("tag")
@ -559,7 +559,7 @@ module Api
      ## Now try with the public user
      # setup auth
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # add an identical tag to the way
      tag_xml = XML::Node.new("tag")
@ -589,7 +589,7 @@ module Api
      ## Try with the non-public user
      # setup auth
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # add an identical tag to the way
      tag_xml = XML::Node.new("tag")
@ -607,7 +607,7 @@ module Api
      ## Now try with the public user
      # setup auth
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # add an identical tag to the way
      tag_xml = XML::Node.new("tag")
@ -635,7 +635,7 @@ module Api
      ## First test with the non-public user so should be rejected
      # setup auth
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # create duplicate tag
      tag_xml = XML::Node.new("tag")
@ -655,7 +655,7 @@ module Api
      ## Now test with the public user
      # setup auth
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # create duplicate tag
      tag_xml = XML::Node.new("tag")
@ -687,7 +687,7 @@ module Api
      ## First make sure that you can't with a non-public user
      # setup auth
-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user
      # add the tag into the existing xml
      way_str = "<osm><way changeset='#{private_changeset.id}'>"
@ -702,7 +702,7 @@ module Api
      ## Now do it with a public user
      # setup auth
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # add the tag into the existing xml
      way_str = "<osm><way changeset='#{changeset.id}'>"
@ -769,7 +769,7 @@ module Api
                                     :num_changes => Settings.initial_changes_per_hour - 1)
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try creating a way
      xml = "<osm><way changeset='#{changeset.id}'>" \
@ -826,7 +826,7 @@ module Api
      end
      # create authentication header
-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user
      # try creating a way
      xml = "<osm><way changeset='#{changeset.id}'>" \
--- a/test/integration/compressed_requests_test.rb
+++ b/test/integration/compressed_requests_test.rb
@ -37,10 +37,9 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
    # upload it
    post "/api/0.6/changeset/#{changeset.id}/upload",
         :params => diff,
-         :headers => {
+         :headers => bearer_authorization_header(user).merge(
           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
           "HTTP_CONTENT_TYPE" => "application/xml"
-         }
+         )
    assert_response :success,
                    "can't upload an uncompressed diff to changeset: #{@response.body}"
@ -86,11 +85,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
    # upload it
    post "/api/0.6/changeset/#{changeset.id}/upload",
         :params => gzip_content(diff),
-         :headers => {
+         :headers => bearer_authorization_header(user).merge(
           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
           "HTTP_CONTENT_ENCODING" => "gzip",
           "HTTP_CONTENT_TYPE" => "application/xml"
-         }
+         )
    assert_response :success,
                    "can't upload a gzip compressed diff to changeset: #{@response.body}"
@ -136,11 +134,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
    # upload it
    post "/api/0.6/changeset/#{changeset.id}/upload",
         :params => deflate_content(diff),
-         :headers => {
+         :headers => bearer_authorization_header(user).merge(
           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
           "HTTP_CONTENT_ENCODING" => "deflate",
           "HTTP_CONTENT_TYPE" => "application/xml"
-         }
+         )
    assert_response :success,
                    "can't upload a deflate compressed diff to changeset: #{@response.body}"
@ -157,11 +154,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
    # upload it
    post "/api/0.6/changeset/#{changeset.id}/upload",
         :params => "",
-         :headers => {
+         :headers => bearer_authorization_header(user).merge(
           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
           "HTTP_CONTENT_ENCODING" => "unknown",
           "HTTP_CONTENT_TYPE" => "application/xml"
-         }
+         )
    assert_response :unsupported_media_type
  end
--- a/test/integration/user_blocks_test.rb
+++ b/test/integration/user_blocks_test.rb
@ -7,7 +7,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
    get "/api/#{Settings.api_version}/user/details"
    assert_response :unauthorized
-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
    assert_response :success
    # now block the user
@ -18,7 +18,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
      :ends_at => Time.now.utc + 5.minutes,
      :deactivates_at => Time.now.utc + 5.minutes
    )
-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
    assert_response :forbidden
  end
@ -33,7 +33,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
      :ends_at => Time.now.utc + 5.minutes,
      :deactivates_at => Time.now.utc + 5.minutes
    )
-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
    assert_response :forbidden
    # revoke the ban
@ -53,7 +53,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
    reset!
    # access the API again. this time it should work
-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)
    assert_response :success
  end
 end
--- a/test/integration/user_terms_seen_test.rb
+++ b/test/integration/user_terms_seen_test.rb
@ -4,14 +4,14 @@ class UserTermsSeenTest < ActionDispatch::IntegrationTest
  def test_api_blocked
    user = create(:user, :terms_seen => false, :terms_agreed => nil)
-    get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user)
    assert_response :forbidden
    # touch it so that the user has seen the terms
    user.terms_seen = true
    user.save
-    get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user)
    assert_response :success
  end
@ -58,10 +58,4 @@ class UserTermsSeenTest < ActionDispatch::IntegrationTest
    get "/traces/mine", :params => { :referer => "/diary/new" }
    assert_redirected_to :controller => :users, :action => :terms, :referer => "/diary/new"
  end
  private
  def auth_header(user, pass)
    { "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user}:#{pass}")) }
  end
 end
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@ -134,14 +134,15 @@ module ActiveSupport
    end
    ##
-    # return request header for HTTP Basic Authorization
+    # return request header for HTTP Bearer Authorization
-    def basic_authorization_header(user, pass)
+    def bearer_authorization_header(token_or_user = nil, scopes: Oauth::SCOPES)
-      { "Authorization" => format("Basic %<auth>s", :auth => Base64.encode64("#{user}:#{pass}")) }
+      token = case token_or_user
              when nil then create(:oauth_access_token, :scopes => scopes).token
              when User then create(:oauth_access_token, :resource_owner_id => token_or_user.id, :scopes => scopes).token
              when Doorkeeper::AccessToken then token_or_user.token
              when String then token_or_user
              end
    ##
    # return request header for HTTP Bearer Authorization
    def bearer_authorization_header(token)
      { "Authorization" => "Bearer #{token}" }
    end
@ -168,7 +169,7 @@ module ActiveSupport
    ##
    # Not sure this is the best response we could give
    def assert_inactive_user(msg = "an inactive user shouldn't be able to access the API")
-      assert_response :unauthorized, msg
+      assert_response :forbidden, msg
      # assert_equal @response.headers['Error'], ""
    end