elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
# RSS key authentication does not start a session
User.find_by_rss_key(params[:key])
- elsif ['xml', 'json'].include?(params[:format]) && params[:key] && accept_key_auth_actions.include?(params[:action])
- User.find_by_api_key(params[:key])
+ elsif ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action])
+ if params[:key].present?
+ # Use API key
+ User.find_by_api_key(params[:key])
+ else
+ # HTTP Basic, either username/password or API key/random
+ authenticate_with_http_basic do |username, password|
+ User.try_to_login(username, password) || User.find_by_api_key(username)
+ end
+ end
end
end
-
+
# Sets the logged in user
def logged_user=(user)
reset_session
end
respond_to do |format|
format.html { redirect_to :controller => "account", :action => "login", :back_url => url }
+ format.atom { redirect_to :controller => "account", :action => "login", :back_url => url }
format.xml { head :unauthorized }
format.json { head :unauthorized }
end
class ApiTokenLoginTest < ActionController::IntegrationTest
fixtures :all
+ def setup
+ Setting.login_required = '1'
+ end
+
+ def teardown
+ Setting.login_required = '0'
+ end
+
# Using the NewsController because it's a simple API.
- context "get /news.xml" do
+ context "get /news" do
context "in :xml format" do
context "with a valid api token" do
end
end
- context "with an invalid api token (on a protected site)" do
+ context "with an invalid api token" do
setup do
- Setting.login_required = '1'
@user = User.generate_with_protected!
@token = Token.generate!(:user => @user, :action => 'feeds')
get "/news.xml?key=#{@token.value}"
end
end
- context "with an invalid api token (on a protected site)" do
+ context "with an invalid api token" do
setup do
- Setting.login_required = '1'
@user = User.generate_with_protected!
@token = Token.generate!(:user => @user, :action => 'feeds')
get "/news.json?key=#{@token.value}"
end
end
-
end
--- /dev/null
+require "#{File.dirname(__FILE__)}/../test_helper"
+
+class HttpBasicLoginTest < ActionController::IntegrationTest
+ fixtures :all
+
+ def setup
+ Setting.login_required = '1'
+ end
+
+ def teardown
+ Setting.login_required = '0'
+ end
+
+ # Using the NewsController because it's a simple API.
+ context "get /news" do
+
+ context "in :xml format" do
+ context "with a valid HTTP authentication" do
+ setup do
+ @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
+ get "/news.xml", nil, :authorization => @authorization
+ end
+
+ should_respond_with :success
+ should_respond_with_content_type :xml
+ should "login as the user" do
+ assert_equal @user, User.current
+ end
+ end
+
+ context "with an invalid HTTP authentication" do
+ setup do
+ @user = User.generate_with_protected!
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password')
+ get "/news.xml", nil, :authorization => @authorization
+ end
+
+ should_respond_with :unauthorized
+ should_respond_with_content_type :xml
+ should "not login as the user" do
+ assert_equal User.anonymous, User.current
+ end
+ end
+ end
+
+ context "in :json format" do
+ context "with a valid HTTP authentication" do
+ setup do
+ @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
+ get "/news.json", nil, :authorization => @authorization
+ end
+
+ should_respond_with :success
+ should_respond_with_content_type :json
+ should "login as the user" do
+ assert_equal @user, User.current
+ end
+ end
+
+ context "with an invalid HTTP authentication" do
+ setup do
+ @user = User.generate_with_protected!
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password')
+ get "/news.json", nil, :authorization => @authorization
+ end
+
+ should_respond_with :unauthorized
+ should_respond_with_content_type :json
+ should "not login as the user" do
+ assert_equal User.anonymous, User.current
+ end
+ end
+ end
+
+ end
+end
--- /dev/null
+require "#{File.dirname(__FILE__)}/../test_helper"
+
+class HttpBasicLoginWithApiTokenTest < ActionController::IntegrationTest
+ fixtures :all
+
+ def setup
+ Setting.login_required = '1'
+ end
+
+ def teardown
+ Setting.login_required = '0'
+ end
+
+ # Using the NewsController because it's a simple API.
+ context "get /news" do
+
+ context "in :xml format" do
+ context "with a valid HTTP authentication using the API token" do
+ setup do
+ @user = User.generate_with_protected!
+ @token = Token.generate!(:user => @user, :action => 'api')
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
+ get "/news.xml", nil, :authorization => @authorization
+ end
+
+ should_respond_with :success
+ should_respond_with_content_type :xml
+ should "login as the user" do
+ assert_equal @user, User.current
+ end
+ end
+
+ context "with an invalid HTTP authentication" do
+ setup do
+ @user = User.generate_with_protected!
+ @token = Token.generate!(:user => @user, :action => 'feeds')
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
+ get "/news.xml", nil, :authorization => @authorization
+ end
+
+ should_respond_with :unauthorized
+ should_respond_with_content_type :xml
+ should "not login as the user" do
+ assert_equal User.anonymous, User.current
+ end
+ end
+ end
+
+ context "in :json format" do
+ context "with a valid HTTP authentication" do
+ setup do
+ @user = User.generate_with_protected!
+ @token = Token.generate!(:user => @user, :action => 'api')
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
+ get "/news.json", nil, :authorization => @authorization
+ end
+
+ should_respond_with :success
+ should_respond_with_content_type :json
+ should "login as the user" do
+ assert_equal @user, User.current
+ end
+ end
+
+ context "with an invalid HTTP authentication" do
+ setup do
+ @user = User.generate_with_protected!
+ @token = Token.generate!(:user => @user, :action => 'feeds')
+ @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
+ get "/news.json", nil, :authorization => @authorization
+ end
+
+ should_respond_with :unauthorized
+ should_respond_with_content_type :json
+ should "not login as the user" do
+ assert_equal User.anonymous, User.current
+ end
+ end
+ end
+
+ end
+end
projects / redmine.git / commitdiff