api keys: require reauthentication when working with API keys.

Require the user to re-enter their password before they can view, create, update, or delete their API keys. This works by tracking the timestamp of the user's last password re-entry in a `last_authenticated_at` session cookie, and redirecting the user to a password confirmation page if they haven't re-entered their password in the last hour. This is modeled after Github's Sudo mode.
2021-02-15 00:09:12 -06:00
parent d99985160a
commit 3d01febcf7
7 changed files with 42 additions and 0 deletions
--- a/test/functional/api_keys_controller_test.rb
+++ b/test/functional/api_keys_controller_test.rb
@@ -35,6 +35,15 @@ class ApiKeysControllerTest < ActionDispatch::IntegrationTest
        assert_response :success
        assert_nil response.parsed_body.first["key"]
      end
+
+      should "redirect to the confirm password page if the user hasn't recently authenticated" do
+        post session_path, params: { name: @user.name, password: @user.password }
+        travel_to 2.hours.from_now do
+          get user_api_keys_path(@user.id)
+        end
+
+        assert_redirected_to confirm_password_session_path(url: user_api_keys_path(@user.id))
+      end
    end

    context "#new action" do