From e07e9d8bfed47b7af782075485437a34e7dc20f8 Mon Sep 17 00:00:00 2001 From: Eric Davis Date: Wed, 23 Dec 2009 06:27:38 +0000 Subject: [PATCH] Added support for HTTP Basic access to the API. (#3920) A user can authenticate using either their: * username/password * api-key/random git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3219 e93f8b46-1217-0410-a6f0-8f06a7374b81 --- app/controllers/application_controller.rb | 15 +++- test/integration/api_token_login_test.rb | 17 ++-- test/integration/http_basic_login_test.rb | 78 ++++++++++++++++++ .../http_basic_login_with_api_token_test.rb | 82 +++++++++++++++++++ 4 files changed, 183 insertions(+), 9 deletions(-) create mode 100644 test/integration/http_basic_login_test.rb create mode 100644 test/integration/http_basic_login_with_api_token_test.rb diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index 40adff4bc..45aeb9955 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb @@ -70,11 +70,19 @@ class ApplicationController < ActionController::Base elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action]) # RSS key authentication does not start a session User.find_by_rss_key(params[:key]) - elsif ['xml', 'json'].include?(params[:format]) && params[:key] && accept_key_auth_actions.include?(params[:action]) - User.find_by_api_key(params[:key]) + elsif ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action]) + if params[:key].present? + # Use API key + User.find_by_api_key(params[:key]) + else + # HTTP Basic, either username/password or API key/random + authenticate_with_http_basic do |username, password| + User.try_to_login(username, password) || User.find_by_api_key(username) + end + end end end - + # Sets the logged in user def logged_user=(user) reset_session @@ -118,6 +126,7 @@ class ApplicationController < ActionController::Base end respond_to do |format| format.html { redirect_to :controller => "account", :action => "login", :back_url => url } + format.atom { redirect_to :controller => "account", :action => "login", :back_url => url } format.xml { head :unauthorized } format.json { head :unauthorized } end diff --git a/test/integration/api_token_login_test.rb b/test/integration/api_token_login_test.rb index 4077403e6..9017ab7be 100644 --- a/test/integration/api_token_login_test.rb +++ b/test/integration/api_token_login_test.rb @@ -3,8 +3,16 @@ require "#{File.dirname(__FILE__)}/../test_helper" class ApiTokenLoginTest < ActionController::IntegrationTest fixtures :all + def setup + Setting.login_required = '1' + end + + def teardown + Setting.login_required = '0' + end + # Using the NewsController because it's a simple API. - context "get /news.xml" do + context "get /news" do context "in :xml format" do context "with a valid api token" do @@ -21,9 +29,8 @@ class ApiTokenLoginTest < ActionController::IntegrationTest end end - context "with an invalid api token (on a protected site)" do + context "with an invalid api token" do setup do - Setting.login_required = '1' @user = User.generate_with_protected! @token = Token.generate!(:user => @user, :action => 'feeds') get "/news.xml?key=#{@token.value}" @@ -52,9 +59,8 @@ class ApiTokenLoginTest < ActionController::IntegrationTest end end - context "with an invalid api token (on a protected site)" do + context "with an invalid api token" do setup do - Setting.login_required = '1' @user = User.generate_with_protected! @token = Token.generate!(:user => @user, :action => 'feeds') get "/news.json?key=#{@token.value}" @@ -69,5 +75,4 @@ class ApiTokenLoginTest < ActionController::IntegrationTest end end - end diff --git a/test/integration/http_basic_login_test.rb b/test/integration/http_basic_login_test.rb new file mode 100644 index 000000000..e18359dfc --- /dev/null +++ b/test/integration/http_basic_login_test.rb @@ -0,0 +1,78 @@ +require "#{File.dirname(__FILE__)}/../test_helper" + +class HttpBasicLoginTest < ActionController::IntegrationTest + fixtures :all + + def setup + Setting.login_required = '1' + end + + def teardown + Setting.login_required = '0' + end + + # Using the NewsController because it's a simple API. + context "get /news" do + + context "in :xml format" do + context "with a valid HTTP authentication" do + setup do + @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password') + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password') + get "/news.xml", nil, :authorization => @authorization + end + + should_respond_with :success + should_respond_with_content_type :xml + should "login as the user" do + assert_equal @user, User.current + end + end + + context "with an invalid HTTP authentication" do + setup do + @user = User.generate_with_protected! + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password') + get "/news.xml", nil, :authorization => @authorization + end + + should_respond_with :unauthorized + should_respond_with_content_type :xml + should "not login as the user" do + assert_equal User.anonymous, User.current + end + end + end + + context "in :json format" do + context "with a valid HTTP authentication" do + setup do + @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password') + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password') + get "/news.json", nil, :authorization => @authorization + end + + should_respond_with :success + should_respond_with_content_type :json + should "login as the user" do + assert_equal @user, User.current + end + end + + context "with an invalid HTTP authentication" do + setup do + @user = User.generate_with_protected! + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password') + get "/news.json", nil, :authorization => @authorization + end + + should_respond_with :unauthorized + should_respond_with_content_type :json + should "not login as the user" do + assert_equal User.anonymous, User.current + end + end + end + + end +end diff --git a/test/integration/http_basic_login_with_api_token_test.rb b/test/integration/http_basic_login_with_api_token_test.rb new file mode 100644 index 000000000..2aefb8b0e --- /dev/null +++ b/test/integration/http_basic_login_with_api_token_test.rb @@ -0,0 +1,82 @@ +require "#{File.dirname(__FILE__)}/../test_helper" + +class HttpBasicLoginWithApiTokenTest < ActionController::IntegrationTest + fixtures :all + + def setup + Setting.login_required = '1' + end + + def teardown + Setting.login_required = '0' + end + + # Using the NewsController because it's a simple API. + context "get /news" do + + context "in :xml format" do + context "with a valid HTTP authentication using the API token" do + setup do + @user = User.generate_with_protected! + @token = Token.generate!(:user => @user, :action => 'api') + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X') + get "/news.xml", nil, :authorization => @authorization + end + + should_respond_with :success + should_respond_with_content_type :xml + should "login as the user" do + assert_equal @user, User.current + end + end + + context "with an invalid HTTP authentication" do + setup do + @user = User.generate_with_protected! + @token = Token.generate!(:user => @user, :action => 'feeds') + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X') + get "/news.xml", nil, :authorization => @authorization + end + + should_respond_with :unauthorized + should_respond_with_content_type :xml + should "not login as the user" do + assert_equal User.anonymous, User.current + end + end + end + + context "in :json format" do + context "with a valid HTTP authentication" do + setup do + @user = User.generate_with_protected! + @token = Token.generate!(:user => @user, :action => 'api') + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter') + get "/news.json", nil, :authorization => @authorization + end + + should_respond_with :success + should_respond_with_content_type :json + should "login as the user" do + assert_equal @user, User.current + end + end + + context "with an invalid HTTP authentication" do + setup do + @user = User.generate_with_protected! + @token = Token.generate!(:user => @user, :action => 'feeds') + @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter') + get "/news.json", nil, :authorization => @authorization + end + + should_respond_with :unauthorized + should_respond_with_content_type :json + should "not login as the user" do + assert_equal User.anonymous, User.current + end + end + end + + end +end -- 2.39.5