Added support for HTTP Basic access to the API. (#3920)
A user can authenticate using either their: * username/password * api-key/random git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3219 e93f8b46-1217-0410-a6f0-8f06a7374b81
This commit is contained in:
parent
baa1ad4256
commit
e07e9d8bfe
|
@ -70,8 +70,16 @@ class ApplicationController < ActionController::Base
|
|||
elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
|
||||
# RSS key authentication does not start a session
|
||||
User.find_by_rss_key(params[:key])
|
||||
elsif ['xml', 'json'].include?(params[:format]) && params[:key] && accept_key_auth_actions.include?(params[:action])
|
||||
User.find_by_api_key(params[:key])
|
||||
elsif ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action])
|
||||
if params[:key].present?
|
||||
# Use API key
|
||||
User.find_by_api_key(params[:key])
|
||||
else
|
||||
# HTTP Basic, either username/password or API key/random
|
||||
authenticate_with_http_basic do |username, password|
|
||||
User.try_to_login(username, password) || User.find_by_api_key(username)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -118,6 +126,7 @@ class ApplicationController < ActionController::Base
|
|||
end
|
||||
respond_to do |format|
|
||||
format.html { redirect_to :controller => "account", :action => "login", :back_url => url }
|
||||
format.atom { redirect_to :controller => "account", :action => "login", :back_url => url }
|
||||
format.xml { head :unauthorized }
|
||||
format.json { head :unauthorized }
|
||||
end
|
||||
|
|
|
@ -3,8 +3,16 @@ require "#{File.dirname(__FILE__)}/../test_helper"
|
|||
class ApiTokenLoginTest < ActionController::IntegrationTest
|
||||
fixtures :all
|
||||
|
||||
def setup
|
||||
Setting.login_required = '1'
|
||||
end
|
||||
|
||||
def teardown
|
||||
Setting.login_required = '0'
|
||||
end
|
||||
|
||||
# Using the NewsController because it's a simple API.
|
||||
context "get /news.xml" do
|
||||
context "get /news" do
|
||||
|
||||
context "in :xml format" do
|
||||
context "with a valid api token" do
|
||||
|
@ -21,9 +29,8 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
|
|||
end
|
||||
end
|
||||
|
||||
context "with an invalid api token (on a protected site)" do
|
||||
context "with an invalid api token" do
|
||||
setup do
|
||||
Setting.login_required = '1'
|
||||
@user = User.generate_with_protected!
|
||||
@token = Token.generate!(:user => @user, :action => 'feeds')
|
||||
get "/news.xml?key=#{@token.value}"
|
||||
|
@ -52,9 +59,8 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
|
|||
end
|
||||
end
|
||||
|
||||
context "with an invalid api token (on a protected site)" do
|
||||
context "with an invalid api token" do
|
||||
setup do
|
||||
Setting.login_required = '1'
|
||||
@user = User.generate_with_protected!
|
||||
@token = Token.generate!(:user => @user, :action => 'feeds')
|
||||
get "/news.json?key=#{@token.value}"
|
||||
|
@ -69,5 +75,4 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
require "#{File.dirname(__FILE__)}/../test_helper"
|
||||
|
||||
class HttpBasicLoginTest < ActionController::IntegrationTest
|
||||
fixtures :all
|
||||
|
||||
def setup
|
||||
Setting.login_required = '1'
|
||||
end
|
||||
|
||||
def teardown
|
||||
Setting.login_required = '0'
|
||||
end
|
||||
|
||||
# Using the NewsController because it's a simple API.
|
||||
context "get /news" do
|
||||
|
||||
context "in :xml format" do
|
||||
context "with a valid HTTP authentication" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
|
||||
get "/news.xml", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :success
|
||||
should_respond_with_content_type :xml
|
||||
should "login as the user" do
|
||||
assert_equal @user, User.current
|
||||
end
|
||||
end
|
||||
|
||||
context "with an invalid HTTP authentication" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password')
|
||||
get "/news.xml", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :unauthorized
|
||||
should_respond_with_content_type :xml
|
||||
should "not login as the user" do
|
||||
assert_equal User.anonymous, User.current
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "in :json format" do
|
||||
context "with a valid HTTP authentication" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
|
||||
get "/news.json", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :success
|
||||
should_respond_with_content_type :json
|
||||
should "login as the user" do
|
||||
assert_equal @user, User.current
|
||||
end
|
||||
end
|
||||
|
||||
context "with an invalid HTTP authentication" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password')
|
||||
get "/news.json", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :unauthorized
|
||||
should_respond_with_content_type :json
|
||||
should "not login as the user" do
|
||||
assert_equal User.anonymous, User.current
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
|
@ -0,0 +1,82 @@
|
|||
require "#{File.dirname(__FILE__)}/../test_helper"
|
||||
|
||||
class HttpBasicLoginWithApiTokenTest < ActionController::IntegrationTest
|
||||
fixtures :all
|
||||
|
||||
def setup
|
||||
Setting.login_required = '1'
|
||||
end
|
||||
|
||||
def teardown
|
||||
Setting.login_required = '0'
|
||||
end
|
||||
|
||||
# Using the NewsController because it's a simple API.
|
||||
context "get /news" do
|
||||
|
||||
context "in :xml format" do
|
||||
context "with a valid HTTP authentication using the API token" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!
|
||||
@token = Token.generate!(:user => @user, :action => 'api')
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
|
||||
get "/news.xml", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :success
|
||||
should_respond_with_content_type :xml
|
||||
should "login as the user" do
|
||||
assert_equal @user, User.current
|
||||
end
|
||||
end
|
||||
|
||||
context "with an invalid HTTP authentication" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!
|
||||
@token = Token.generate!(:user => @user, :action => 'feeds')
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
|
||||
get "/news.xml", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :unauthorized
|
||||
should_respond_with_content_type :xml
|
||||
should "not login as the user" do
|
||||
assert_equal User.anonymous, User.current
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "in :json format" do
|
||||
context "with a valid HTTP authentication" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!
|
||||
@token = Token.generate!(:user => @user, :action => 'api')
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
|
||||
get "/news.json", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :success
|
||||
should_respond_with_content_type :json
|
||||
should "login as the user" do
|
||||
assert_equal @user, User.current
|
||||
end
|
||||
end
|
||||
|
||||
context "with an invalid HTTP authentication" do
|
||||
setup do
|
||||
@user = User.generate_with_protected!
|
||||
@token = Token.generate!(:user => @user, :action => 'feeds')
|
||||
@authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
|
||||
get "/news.json", nil, :authorization => @authorization
|
||||
end
|
||||
|
||||
should_respond_with :unauthorized
|
||||
should_respond_with_content_type :json
|
||||
should "not login as the user" do
|
||||
assert_equal User.anonymous, User.current
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue