Hi,
When loading image resources using a URL (i.e. img.src), there is no way to send the access token as a header. Would you consider modifying the middleware to include reading access_token from the URI? This is included in the standard: https://tools.ietf.org/html/rfc6750#section-2.3
I tried the modification myself and it is working perfectly:
```python
from django.contrib.auth import authenticate
from django.utils.cache import patch_vary_headers
from django.utils.deprecation import MiddlewareMixin


class OAuth2TokenMiddleware(MiddlewareMixin):
    def process_request(self, request):
        # do something only if request contains a Bearer token
        if request.META.get("HTTP_AUTHORIZATION", "").startswith("Bearer"):
            if not hasattr(request, "user") or request.user.is_anonymous:
                user = authenticate(request=request)
                if user:
                    request.user = request._cached_user = user
        # new code follows. If no Bearer is present, try access_token in URI:
        elif request.GET.get('access_token'):
            bearer = "Bearer %s" % request.GET.get('access_token')
            request.META["HTTP_AUTHORIZATION"] = bearer
            user = authenticate(request=request)
            if user:
                request.user = request._cached_user = user

    def process_response(self, request, response):
        patch_vary_headers(response, ("Authorization",))
        return response
```
Would love to send a PR if you consider including this.
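
An added example, not code from the original post or from the project: a framework-independent helper showing the handling RFC 6750 attaches to the query-parameter method (section 2.3) that a middleware change like the one above would sit next to. It rejects ambiguous requests as `invalid_request`, redacts the token from the URL before logging, and returns the `Cache-Control: private` response header. The names `resolve_bearer` and `InvalidRequest`, the `REDACTED` marker and the sample URLs in the comments are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

PARAM = "access_token"


class InvalidRequest(Exception):
    """Maps to the RFC 6750 section 3.1 "invalid_request" error (HTTP 400)."""


def resolve_bearer(url, authorization=""):
    """Return (token, log_safe_url, extra_response_headers).

    token is None when the request carries no bearer credential.
    Constructed sample input: "/img/7.png?size=2&access_token=abc123".
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    query_tokens = [v for k, v in pairs if k == PARAM]

    # Redact the token before the URL reaches access logs or error reports.
    redacted = [(k, "REDACTED" if k == PARAM else v) for k, v in pairs]
    log_safe_url = urlunsplit(parts._replace(query=urlencode(redacted)))

    # HTTP authentication scheme names are case-insensitive.
    scheme, _, header_token = authorization.partition(" ")
    has_header = scheme.lower() == "bearer" and bool(header_token.strip())

    # Section 3.1: more than one transport method, or a repeated
    # parameter, makes the request invalid rather than "pick one".
    if has_header and query_tokens:
        raise InvalidRequest("token sent by more than one method")
    if len(query_tokens) > 1:
        raise InvalidRequest("access_token parameter repeated")

    if has_header:
        return header_token.strip(), log_safe_url, {}
    if query_tokens and query_tokens[0]:
        # Section 2.3: successful responses to query-token requests
        # should carry Cache-Control: private.
        return query_tokens[0], log_safe_url, {"Cache-Control": "private"}
    return None, log_safe_url, {}
```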