From d2428949380f0f9b887a2600217af286d11ac306 Mon Sep 17 00:00:00 2001
From: Toby Zerner <toby.zerner@gmail.com>
Date: Sat, 2 Jan 2016 15:07:33 +1030
Subject: [PATCH] Disable session (and thus enable sudo mode) when
 authenticating with API token

---
 .../core/src/Http/Middleware/AuthenticateWithHeader.php  | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/framework/core/src/Http/Middleware/AuthenticateWithHeader.php b/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
index 447d62e84..044f1f489 100644
--- a/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
+++ b/framework/core/src/Http/Middleware/AuthenticateWithHeader.php
@@ -37,10 +37,10 @@ class AuthenticateWithHeader implements MiddlewareInterface
         if (isset($parts[0]) && starts_with($parts[0], $this->prefix)) {
             $id = substr($parts[0], strlen($this->prefix));
 
-            if (isset($parts[1]) && ApiKey::find($id)) {
-                $actor = $this->getUser($parts[1]);
-
-                $request->getAttribute('session')->set('sudo_expiry', new DateTime);
+            if (isset($parts[1])) {
+                if (ApiKey::find($id)) {
+                    $actor = $this->getUser($parts[1]);
+                }
             } elseif ($token = AccessToken::find($id)) {
                 $token->touch();
 
@@ -49,6 +49,7 @@ class AuthenticateWithHeader implements MiddlewareInterface
 
             if (isset($actor)) {
                 $request = $request->withAttribute('actor', $actor);
+                $request = $request->withoutAttribute('session');
             }
         }