
update clients headers with correct params

Alexander Belanger 4 år sedan
8427f0d2f6

+ 4 - 1
provisioner/client/client.go

@@ -201,7 +201,10 @@ func (c *Client) sendRequest(req *http.Request, v interface{}) (*types.ExternalE
 	req.Header.Set("Content-Type", "application/json; charset=utf-8")
 	req.Header.Set("Accept", "application/json; charset=utf-8")
 
-	if c.Token != "" {
+	if c.Token != "" && c.TokenID != 0 {
+		req.Header.Set("X-Porter-Token", c.Token)
+		req.Header.Set("X-Porter-Token-ID", fmt.Sprintf("%d", c.TokenID))
+	} else if c.Token != "" {
 		req.Header.Set("Authorization", fmt.Sprintf("Bearer %s", c.Token))
 	}
 
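Review bot: The new branch on the `if`/`else if` pair repeats `c.Token != ""`, and the fallback it creates is easy to miss: a client with a token but a zero `TokenID` silently sends that same token as `Authorization: Bearer` instead of `X-Porter-Token`, so a misconfigured client changes authentication scheme rather than failing visibly. A nested form reads the intent directly, `if c.Token != "" { if c.TokenID != 0 { /* X-Porter-Token headers */ } else { /* Bearer */ } }`, and deserves a comment above it such as `// A token paired with a token ID is a credentials-exchange token and is sent via X-Porter-Token/X-Porter-Token-ID; a bare token is sent as a Bearer token.` The `fmt.Sprintf("%d", c.TokenID)` call can be a `strconv` conversion once the field's integer type is confirmed (it is not visible in the hunk). sendRequest begins and ends outside the hunk.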

+ 0 - 1
provisioner/server/authn/authn.go

@@ -127,7 +127,6 @@ func (authn *AuthNPorterToken) ServeHTTP(w http.ResponseWriter, r *http.Request)
 
 	if err == nil {
 		// attach ce token to context
-		// add the user to the context
 		ctx := r.Context()
 		ctx = context.WithValue(ctx, "ce_token", ceToken)
 		r = r.Clone(ctx)

+ 16 - 0
provisioner/server/authz/workspace.go

@@ -64,6 +64,22 @@ func (p *WorkspaceScopedMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Req
 		return
 	}
 
+	// if a CE token is attached, make sure it matches the project ID
+	if ceToken, ok := r.Context().Value("ce_token").(*models.CredentialsExchangeToken); ok {
+		if ceToken.ProjectID != name.ProjectID {
+			apierrors.HandleAPIError(
+				p.config.Logger,
+				p.config.Alerter, w, r,
+				apierrors.NewErrForbidden(
+					fmt.Errorf("credential exchange token project ID does not match requested project ID"),
+				),
+				true,
+			)
+
+			return
+		}
+	}
+
 	// look for infra with that ID and project ID
 	infra, err := p.config.Repo.Infra().ReadInfra(name.ProjectID, name.InfraID)
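Review bot: The guard added at the type assertion on `r.Context().Value("ce_token")` fails open: if the authn layer stores the token under a different key or type, `ok` is false and the project-ID comparison is skipped with no error or log, so a drift between the two packages would silently remove the check. Sharing one exported, typed context key between authn and this middleware (rather than the untyped string literal `"ce_token"`, which `staticcheck` also flags as a collision-prone basic-type key) would turn that drift into a compile-time or test-time failure instead. A one-line comment stating that the check is intentionally conditional would help too, e.g. `// Absent CE token: bearer-authenticated callers are scoped by the earlier authz checks, not here.`, since the reader otherwise cannot tell whether the missing-token path is a bypass. Minor: `fmt.Errorf` with a constant message and no verbs can be `errors.New`. ServeHTTP starts and ends outside the hunk.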