jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

api: return error if login or api_key params are given but blank.

Browse Source 
* Make it an error to supply empty API credentials, like this:
  `https://danbooru.donmai.us/posts.json?login=&api_key=`. Some clients
  did this for some reason.

* Make it so that the `login` and `api_key` params are only allowed as
  URL params, not as POST or PUT body params. Allowing them as body
  params could interfere with the `PUT /api_keys/:id` endpoint, which
  takes an `api_key` param.
This commit is contained in:
evazion
2022-10-14 20:27:58 -05:00
parent b24e8ae2a7
commit 185c8bac82
3 changed files with 19 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/logical/session_loader.rb
View File

@@ -16,7 +16,7 @@ class SessionLoader
def initialize(request)
@request = request
@session = request.session
@params = request.parameters
@params = request.query_parameters
end
# Attempt to log a user in with the given username and password. Records a
@@ -90,7 +90,7 @@ class SessionLoader
# @return [Boolean] true if the current request has an API key
def has_api_authentication?
request.authorization.present? || params[:login].present? || (params[:api_key].present? && params[:api_key].is_a?(String))
request.authorization.present? || params.has_key?(:login) || params.has_key?(:api_key)
end
private