fixes #2166

app/controllers/api_keys_controller.rb

@@ -0,0 +1,17 @@
+class ApiKeysController < ApplicationController
+  before_filter :gold_only
+
+  def new
+    @api_key = ApiKey.new(:user_id => CurrentUser.user.id)
+  end
+
+  def create
+    @api_key = ApiKey.generate!(CurrentUser.user)
+    
+    if @api_key.errors.empty?
+      redirect_to user_path(CurrentUser.user), :notice => "API key generated"
+    else
+      render :action => "new"
+    end
+  end
+end

app/logical/session_loader.rb

@@ -55,18 +55,18 @@ private
   end
   
   def authenticate_api_key(name, api_key)
-    CurrentUser.user = User.authenticate_cookie_hash(name, api_key)
     CurrentUser.ip_addr = request.remote_ip
+    CurrentUser.user = User.authenticate_api_key(name, api_key)
   end
   
   def authenticate_legacy_api_key(name, password_hash)
-    CurrentUser.user = User.authenticate_hash(name, password_hash)
     CurrentUser.ip_addr = request.remote_ip
+    CurrentUser.user = User.authenticate_hash(name, password_hash)
   end
 
   def load_session_user
-    CurrentUser.user = User.find_by_id(session[:user_id])
     CurrentUser.ip_addr = request.remote_ip
+    CurrentUser.user = User.find_by_id(session[:user_id])
   end
 
   def load_cookie_user

app/models/api_key.rb

@@ -0,0 +1,10 @@
+class ApiKey < ActiveRecord::Base
+  belongs_to :user
+  validates_uniqueness_of :user_id
+  validates_uniqueness_of :key
+  attr_accessible :user_id, :key
+
+  def self.generate!(user)
+    create(:user_id => user.id, :key => SecureRandom.urlsafe_base64(32))
+  end
+end

app/models/user.rb

@@ -59,6 +59,7 @@ class User < ActiveRecord::Base
   has_many :posts, :foreign_key => "uploader_id"
   has_many :bans, lambda {order("bans.id desc")}
   has_one :recent_ban, lambda {order("bans.id desc")}, :class_name => "Ban"
+  has_one :api_key
   has_many :subscriptions, lambda {order("tag_subscriptions.name")}, :class_name => "TagSubscription", :foreign_key => "creator_id"
   has_many :note_versions, :foreign_key => "updater_id"
   has_many :dmails, lambda {order("dmails.id desc")}, :foreign_key => "owner_id"
@@ -192,6 +193,15 @@ class User < ActiveRecord::Base
         authenticate_hash(name, sha1(pass))
       end
 
+      def authenticate_api_key(name, api_key)
+        key = ApiKey.where(:key => api_key).first
+        return nil if key.nil?
+        user = find_by_name(name)
+        return nil if user.nil?
+        return user if key.user_id == user.id
+        nil
+      end
+
       def authenticate_hash(name, hash)
         user = find_by_name(name)
         if user && user.bcrypt_password == hash
@@ -531,9 +541,9 @@ class User < ActiveRecord::Base
     end
     
     def api_hourly_limit
-      if is_platinum?
+      if is_platinum? && api_key.present?
         20_000
-      elsif is_gold?
+      elsif is_gold? && api_key.present?
         10_000
       else
         3_000

app/views/api_keys/new.html.erb

@@ -0,0 +1,19 @@
+<div id="c-api-keys">
+  <div id="a-new">
+    <h1>New API Key</h1>
+
+    <p>You can generate a new API key to authenticate against <%= Danbooru.config.app_name %>.</p>
+
+    <%= error_messages_for :api_key %>
+
+    <%= simple_form_for(@api_key) do |f| %>
+      <%= submit_tag "Generate" %>
+    <% end %>
+  </div>
+</div>
+
+<%= render "users/secondary_links" %>
+
+<% content_for(:page_title) do %>
+  New API Key - <%= Danbooru.config.app_name %>
+<% end %>

app/views/users/_statistics.html.erb

@@ -131,7 +131,13 @@
       <% if CurrentUser.user.id == user.id %>
         <tr>
           <th>API Key</th>
-          <td><%= CurrentUser.user.bcrypt_cookie_password_hash %></td>
+          <td>
+            <% if CurrentUser.user.api_key %>
+              <%= CurrentUser.user.api_key.key %>
+            <% else %>
+              <%= link_to "Generate key", new_api_key_path %>
+            <% end %>
+          </td>
         </tr>
       <% end %>
   </table>