Use access-token in header

package.json

@@ -13,7 +13,7 @@
     "build": "babel -s -d lib src && rimraf dist && mkdir dist && browserify -d browser-index.js | exorcist dist/browser-matrix.js.map > dist/browser-matrix.js && uglifyjs -c -m -o dist/browser-matrix.min.js --source-map dist/browser-matrix.min.js.map --in-source-map dist/browser-matrix.js.map dist/browser-matrix.js",
     "dist": "npm run build",
     "watch": "watchify -d browser-index.js -o 'exorcist dist/browser-matrix.js.map > dist/browser-matrix.js' -v",
-    "lint": "eslint --max-warnings 112 src spec",
+    "lint": "eslint --max-warnings 110 src spec",
     "prepublish": "npm run build && git rev-parse HEAD > git-revision.txt"
   },
   "repository": {

spec/integ/matrix-client-methods.spec.js

@@ -51,7 +51,10 @@ describe("MatrixClient", function() {
             ).check(function(req) {
                 expect(req.data).toEqual(buf);
                 expect(req.queryParams.filename).toEqual("hi.txt");
-                expect(req.queryParams.access_token).toEqual(accessToken);
+                if (!(req.queryParams.access_token == accessToken ||
+                        req.headers["Authorization"] == "Bearer " + accessToken)) {
+                    expect(true).toBe(false);
+                }
                 expect(req.headers["Content-Type"]).toEqual("text/plain");
                 expect(req.opts.json).toBeFalsy();
                 expect(req.opts.timeout).toBe(undefined);

src/http-api.js

@@ -385,24 +385,89 @@ module.exports.MatrixHttpApi.prototype = {
         if (!queryParams) {
             queryParams = {};
         }
-        if (!queryParams.access_token) {
-            queryParams.access_token = this.opts.accessToken;
+        if (this.authorizationHeaderSupported === undefined ||
+                this.authorizationHeaderSupported) {
+            if (isFinite(opts)) {
+                // opts used to be localTimeoutMs
+                opts = {
+                    localTimeoutMs: opts,
+                };
+            }
+            if (!opts) {
+                opts = {};
+            }
+            if (!opts.headers) {
+                opts.headers = {};
+            }
+            if (!opts.headers.Authorization) {
+                if (queryParams.access_token) {
+                    opts.headers.Authorization = "Bearer " + queryParams.access_token;
+                    delete queryParams.access_token;
+                } else {
+                    opts.headers.Authorization = "Bearer " + this.opts.accessToken;
+                }
+            }
+            if (queryParams.access_token) {
+                delete queryParams.access_token;
+            }
+        } else {
+            if (!queryParams.access_token) {
+                queryParams.access_token = this.opts.accessToken;
+            }
         }
 
-        const request_promise = this.request(
+        const requestPromise = this.request(
             callback, method, path, queryParams, data, opts,
         );
 
         const self = this;
-        request_promise.catch(function(err) {
+
+        if (this.authorizationHeaderSupported === undefined) {
+            const defer = q.defer();
+            const returnPromise = defer.promise;
+            returnPromise.abort = requestPromise.abort;
+
+            requestPromise.then((resp) => {
+                self.authorizationHeaderSupported = true;
+                defer.resolve(resp);
+            }, (err) => {
+                if (err.errcode == 'M_MISSING_TOKEN' ||
+                        err.toString().indexOf("Error: CORS request rejected") != -1) {
+                    self.authorizationHeaderSupported = false;
+                    queryParams.access_token = opts.headers.Authorization.substr(7);
+                    delete opts.headers.Authorization;
+                    const secondPromise = self.request(
+                        callback, method, path, queryParams, data, opts,
+                    );
+                    returnPromise.abort = secondPromise.abort;
+                    secondPromise.then((resp) => {
+                        defer.resolve(resp);
+                    }, (err) => {
+                        if (err.errcode == 'M_UNKNOWN_TOKEN') {
+                            self.event_emitter.emit("Session.logged_out");
+                        }
+                        defer.reject(err);
+                    });
+                } else if (err.errcode == 'M_UNKNOWN_TOKEN') {
+                    self.event_emitter.emit("Session.logged_out");
+                    defer.reject(err);
+                } else {
+                    defer.reject(err);
+                }
+            });
+
+            return returnPromise;
+        }
+
+        requestPromise.catch(function(err) {
             if (err.errcode == 'M_UNKNOWN_TOKEN') {
                 self.event_emitter.emit("Session.logged_out");
             }
         });
 
         // return the original promise, otherwise tests break due to it having to
         // go around the event loop one more time to process the result of the request
-        return request_promise;
+        return requestPromise;
     },
 
     /**