api keys: rework API key UI.

* Add an explanation of what an API key is and how to use it. * Make it possible for the site owner to view all API keys. * Remove the requirement to re-enter your password before you can view your API key (to be reworked). * Move the API key controller from maintenance/user/api_keys_controller.rb to a top level controller.
2021-02-14 02:50:03 -06:00
parent ae204df4ca
commit 37061f95a6
18 changed files with 224 additions and 167 deletions
--- a/test/functional/api_keys_controller_test.rb
+++ b/test/functional/api_keys_controller_test.rb
@@ -0,0 +1,72 @@
+require 'test_helper'
+
+class ApiKeysControllerTest < ActionDispatch::IntegrationTest
+  context "An api keys controller" do
+    setup do
+      @user = create(:user)
+    end
+
+    context "#index action" do
+      setup do
+        @api_key = create(:api_key, user: @user)
+      end
+
+      should "let a user see their own API keys" do
+        get_auth user_api_keys_path(@user.id), @user
+
+        assert_response :success
+        assert_select "#api-key-#{@api_key.id}", count: 1
+      end
+
+      should "not let a user see API keys belonging to other users" do
+        get_auth user_api_keys_path(@user.id), create(:user)
+
+        assert_response :success
+        assert_select "#api-key-#{@api_key.id}", count: 0
+      end
+
+      should "let the owner see all API keys" do
+        get_auth user_api_keys_path(@user.id), create(:owner_user)
+
+        assert_response :success
+        assert_select "#api-key-#{@api_key.id}", count: 1
+      end
+
+      should "not return the key in the API" do
+        get_auth user_api_keys_path(@user.id), @user, as: :json
+
+        assert_response :success
+        assert_nil response.parsed_body.first["key"]
+      end
+    end
+
+    context "#create action" do
+      should "create a new API key" do
+        post_auth user_api_keys_path(@user.id), @user
+
+        assert_redirected_to user_api_keys_path(@user.id)
+        assert_equal(true, @user.api_key.present?)
+      end
+    end
+
+    context "#destroy" do
+      setup do
+        @api_key = create(:api_key, user: @user)
+      end
+
+      should "delete the user's API key" do
+        delete_auth api_key_path(@api_key.id), @user
+
+        assert_redirected_to user_api_keys_path(@user.id)
+        assert_nil(@user.reload.api_key)
+      end
+
+      should "not allow deleting another user's API key" do
+        delete_auth api_key_path(@api_key.id), create(:user)
+
+        assert_response 403
+        assert_not_nil(@user.reload.api_key)
+      end
+    end
+  end
+end
--- a/test/functional/application_controller_test.rb
+++ b/test/functional/application_controller_test.rb
@@ -39,7 +39,7 @@ class ApplicationControllerTest < ActionDispatch::IntegrationTest
    context "on api authentication" do
      setup do
        @user = create(:user, password: "password")
-        @api_key = ApiKey.generate!(@user)
+        @api_key = create(:api_key, user: @user)

        ActionController::Base.allow_forgery_protection = true
      end
--- a/test/functional/maintenance/user/api_keys_controller_test.rb
+++ b/test/functional/maintenance/user/api_keys_controller_test.rb
@@ -1,51 +0,0 @@
-require 'test_helper'
-
-module Maintenance
-  module User
-    class ApiKeysControllerTest < ActionDispatch::IntegrationTest
-      context "An api keys controller" do
-        setup do
-          @user = create(:gold_user, :password => "password")
-          ApiKey.generate!(@user)
-        end
-
-        context "#show" do
-          should "render" do
-            get_auth maintenance_user_api_key_path, @user, params: {user_id: @user.id}
-            assert_response :success
-          end
-        end
-
-        context "#view" do
-          context "with a correct password" do
-            should "succeed" do
-              post_auth view_maintenance_user_api_key_path(user_id: @user.id), @user, params: {user: {password: "password"}}
-              assert_response :success
-            end
-
-            should "not generate another API key if the user already has one" do
-              assert_difference("ApiKey.count", 0) do
-                post_auth view_maintenance_user_api_key_path(user_id: @user.id), @user, params: {user: {password: "password"}}
-              end
-            end
-          end
-        end
-
-        context "#update" do
-          should "regenerate the API key" do
-            old_key = @user.api_key
-            put_auth maintenance_user_api_key_path, @user, params: {user_id: @user.id, user: {password: "password"}}
-            assert_not_equal(old_key.key, @user.reload.api_key.key)
-          end
-        end
-
-        context "#destroy" do
-          should "delete the API key" do
-            delete_auth maintenance_user_api_key_path, @user, params: {user_id: @user.id, user: {password: "password"}}
-            assert_nil(@user.reload.api_key)
-          end
-        end
-      end
-    end
-  end
-end