diff options
author | Azul <azul@leap.se> | 2013-09-23 19:55:22 +0200 |
---|---|---|
committer | Azul <azul@leap.se> | 2013-09-24 10:48:32 +0200 |
commit | 193bf6446b384dce1699e8fb82be6f16cb8cb5f6 (patch) | |
tree | fb4ed9b5a383a04c491ea0d1a54a413117028f24 | |
parent | 98db0cc42019dfcd90d58e0126fe691590fde2e2 (diff) |
use token auth when accessing the api from webapp
One failing integration test still needs to be fixed
m--------- | users/app/assets/javascripts/srp | 0 | ||||
-rw-r--r-- | users/app/assets/javascripts/users.js | 20 | ||||
-rw-r--r-- | users/app/controllers/v1/sessions_controller.rb | 1 | ||||
-rw-r--r-- | users/app/views/users/_edit.html.haml | 5 | ||||
-rw-r--r-- | users/test/integration/browser/account_test.rb | 33 |
5 files changed, 56 insertions, 3 deletions
diff --git a/users/app/assets/javascripts/srp b/users/app/assets/javascripts/srp -Subproject 9c61d52f1f975ec0eefe5b4a0b71ac529300cbe +Subproject d22bf3b9fe2fd31192e1e1b358e97e5a0f3f90b diff --git a/users/app/assets/javascripts/users.js b/users/app/assets/javascripts/users.js index 4c9b510..9d1a0f0 100644 --- a/users/app/assets/javascripts/users.js +++ b/users/app/assets/javascripts/users.js @@ -3,7 +3,12 @@ // LOCAL FUNCTIONS // - var poll_users, prevent_default, form_failed, form_passed, clear_errors; + var poll_users, + prevent_default, + form_failed, + form_passed, + clear_errors, + update_user; prevent_default = function(event) { return event.preventDefault(); @@ -19,6 +24,17 @@ return $('#messages').empty(); }; + update_user = function(submitEvent) { + var form = submitEvent.target; + var token = form.dataset.token; + var url = form.action; + return $.ajax({ + url: url, + type: 'PUT', + headers: { Authorization: 'Token token="' + token + '"' }, + data: $(form).serialize() + }); + }; // // PUBLIC FUNCTIONS @@ -76,6 +92,8 @@ $('#new_session').submit(srp.login); $('#update_login_and_password').submit(prevent_default); $('#update_login_and_password').submit(srp.update); + $('#update_pgp_key').submit(prevent_default); + $('#update_pgp_key').submit(update_user); return $('#user-typeahead').typeahead({ source: poll_users }); diff --git a/users/app/controllers/v1/sessions_controller.rb b/users/app/controllers/v1/sessions_controller.rb index 1b20a82..eb6c322 100644 --- a/users/app/controllers/v1/sessions_controller.rb +++ b/users/app/controllers/v1/sessions_controller.rb @@ -24,6 +24,7 @@ module V1 def update authenticate! @token = Token.create(:user_id => current_user.id) + session[:token] = @token.id render :json => login_response end diff --git a/users/app/views/users/_edit.html.haml b/users/app/views/users/_edit.html.haml index 5f74d32..ae3f32d 100644 --- a/users/app/views/users/_edit.html.haml +++ b/users/app/views/users/_edit.html.haml @@ -10,7 +10,8 @@ -# however, we don't want the user to change their login without generating a new key, so we hide the ui for this -# (although it works perfectly fine to change username if the field was visible). -# -- form_options = {:url => '/not-used', :html => {:class => user_form_class('form-horizontal'), :id => 'update_login_and_password'}, :validate => true} + +- form_options = {:url => '/not-used', :html => {:class => user_form_class('form-horizontal'), :id => 'update_login_and_password', :data => {token: session[:token]}}, :validate => true} = simple_form_for @user, form_options do |f| %legend= t(:change_password) = hidden_field_tag 'user_param', @user.to_param @@ -28,7 +29,7 @@ -# this will be replaced by a identities controller/view at some point -# -- form_options = {:html => {:class => user_form_class('form-horizontal'), :id => 'update_pgp_key'}, :validate => true} +- form_options = {:html => {:class => user_form_class('form-horizontal'), :id => 'update_pgp_key', :data => {token: session[:token]}}, :validate => true} = simple_form_for [:api, @user], form_options do |f| %legend= t(:advanced_options) = f.input :public_key, :as => :text, :hint => t(:use_ascii_key), :input_html => {:class => "full-width", :rows => 4} diff --git a/users/test/integration/browser/account_test.rb b/users/test/integration/browser/account_test.rb index 8c2c997..3434557 100644 --- a/users/test/integration/browser/account_test.rb +++ b/users/test/integration/browser/account_test.rb @@ -24,8 +24,41 @@ class AccountTest < BrowserIntegrationTest fill_in 'Password', with: password click_on 'Log In' assert page.has_content?("Welcome #{username}") + User.find_by_login(username).account.destroy end + test "change password" do + username, password = submit_signup + click_on "Account Settings" + within('#update_login_and_password') do + fill_in 'Password', with: "other password" + fill_in 'Password confirmation', with: "other password" + click_on 'Save' + end + click_on 'Logout' + click_on 'Log In' + fill_in 'Username', with: username + fill_in 'Password', with: "other password" + click_on 'Log In' + assert page.has_content?("Welcome #{username}") + User.find_by_login(username).account.destroy + end + + test "change pgp key" do + pgp_key = "My PGP Key Stub" + username, password = submit_signup + click_on "Account Settings" + within('#update_pgp_key') do + fill_in 'Public key', with: pgp_key + click_on 'Save' + end + debugger + assert user = User.find_by_login(username) + assert_equal pgp_key, user.public_key + user.account.destroy + end + + # trying to seed an invalid A for srp login test "detects attempt to circumvent SRP" do user = FactoryGirl.create :user |