Misleading method name with "magic" fallback

[polamayster]

oauthlib/oauthlib/oauth2/rfc6749/tokens.py

Lines 240 to 257 in b71636e

	def get_token_from_header(request):
	"""
	Helper function to extract a token from the request header.
	:param request: OAuthlib request.
	:type request: oauthlib.common.Request
	:return: Return the token or None if the Authorization header is malformed.
	"""
	token = None
	if 'Authorization' in request.headers:
	split_header = request.headers.get('Authorization').split()
	if len(split_header) == 2 and split_header[0].lower() == 'bearer':
	token = split_header[1]
	else:
	token = request.access_token
	return token

It would be much more predictable/cleaner if method either did not fallback to body payload/uri_query on line 255:

oauthlib/oauthlib/oauth2/rfc6749/tokens.py

Lines 254 to 255 in b71636e

	else:
	token = request.access_token

or method was renamed to reflect what it actually does.

Paranoiac mode on: security issue can slip in with a misuse as token in headers is for authorization of the request and token in payload is for introspection/revoke/refresh and can be accidentally used to authorize request itself:

oauthlib/oauthlib/oauth2/rfc6749/tokens.py

Lines 337 to 344 in ca57b0b

	def validate_request(self, request):
	"""
	:param request: OAuthlib request.
	:type request: oauthlib.common.Request
	"""
	token = get_token_from_header(request)
	return self.request_validator.validate_bearer_token(
	token, request.scopes, request)

[JonathanHuot]

Yes you're right, I think this part of the code deserves a refactoring to allow #609 , which is essential to progress on the different ways of client authentication.