3d01febcf7
Require the user to re-enter their password before they can view, create, update, or delete their API keys. This works by tracking the timestamp of the user's last password re-entry in a `last_authenticated_at` session cookie, and redirecting the user to a password confirmation page if they haven't re-entered their password in the last hour. This is modeled after Github's Sudo mode.
113 lines
3.3 KiB
Ruby
113 lines
3.3 KiB
Ruby
require 'test_helper'
|
|
|
|
class ApiKeysControllerTest < ActionDispatch::IntegrationTest
|
|
context "An api keys controller" do
|
|
setup do
|
|
@user = create(:user)
|
|
@api_key = create(:api_key, user: @user)
|
|
end
|
|
|
|
context "#index action" do
|
|
should "let a user see their own API keys" do
|
|
get_auth user_api_keys_path(@user.id), @user
|
|
|
|
assert_response :success
|
|
assert_select "#api-key-#{@api_key.id}", count: 1
|
|
end
|
|
|
|
should "not let a user see API keys belonging to other users" do
|
|
get_auth user_api_keys_path(@user.id), create(:user)
|
|
|
|
assert_response :success
|
|
assert_select "#api-key-#{@api_key.id}", count: 0
|
|
end
|
|
|
|
should "let the owner see all API keys" do
|
|
get_auth user_api_keys_path(@user.id), create(:owner_user)
|
|
|
|
assert_response :success
|
|
assert_select "#api-key-#{@api_key.id}", count: 1
|
|
end
|
|
|
|
should "not return the key in the API" do
|
|
get_auth user_api_keys_path(@user.id), @user, as: :json
|
|
|
|
assert_response :success
|
|
assert_nil response.parsed_body.first["key"]
|
|
end
|
|
|
|
should "redirect to the confirm password page if the user hasn't recently authenticated" do
|
|
post session_path, params: { name: @user.name, password: @user.password }
|
|
travel_to 2.hours.from_now do
|
|
get user_api_keys_path(@user.id)
|
|
end
|
|
|
|
assert_redirected_to confirm_password_session_path(url: user_api_keys_path(@user.id))
|
|
end
|
|
end
|
|
|
|
context "#new action" do
|
|
should "render for a Member user" do
|
|
get_auth new_user_api_key_path(@user.id), @user
|
|
assert_response :success
|
|
end
|
|
|
|
should "fail for an Anonymous user" do
|
|
get new_user_api_key_path(@user.id)
|
|
assert_response 403
|
|
end
|
|
end
|
|
|
|
context "#create action" do
|
|
should "create a new API key" do
|
|
post_auth user_api_keys_path(@user.id), @user, params: { api_key: { name: "blah" }}
|
|
|
|
assert_redirected_to user_api_keys_path(@user.id)
|
|
assert_equal("blah", @user.api_keys.last.name)
|
|
end
|
|
end
|
|
|
|
context "#edit action" do
|
|
should "render for the API key owner" do
|
|
get_auth edit_api_key_path(@api_key.id), @user
|
|
assert_response :success
|
|
end
|
|
|
|
should "fail for someone else" do
|
|
get_auth edit_api_key_path(@api_key.id), create(:user)
|
|
assert_response 403
|
|
end
|
|
end
|
|
|
|
context "#update action" do
|
|
should "render for the API key owner" do
|
|
put_auth api_key_path(@api_key.id), @user, params: { api_key: { name: "blah" }}
|
|
|
|
assert_redirected_to user_api_keys_path(@user.id)
|
|
assert_equal("blah", @api_key.reload.name)
|
|
end
|
|
|
|
should "fail for someone else" do
|
|
put_auth api_key_path(@api_key.id), create(:user)
|
|
assert_response 403
|
|
end
|
|
end
|
|
|
|
context "#destroy" do
|
|
should "delete the user's API key" do
|
|
delete_auth api_key_path(@api_key.id), @user
|
|
|
|
assert_redirected_to user_api_keys_path(@user.id)
|
|
assert_raise(ActiveRecord::RecordNotFound) { @api_key.reload }
|
|
end
|
|
|
|
should "not allow deleting another user's API key" do
|
|
delete_auth api_key_path(@api_key.id), create(:user)
|
|
|
|
assert_response 403
|
|
assert_not_nil(@api_key.reload)
|
|
end
|
|
end
|
|
end
|
|
end
|