authorAzul <azul@leap.se>2014-02-08 16:15:46 +0100
committerAzul <azul@leap.se>2014-02-10 14:26:30 +0100
commitcbd757cf151cd61bfdd5637d09f43e4831fec3bb (patch)
treee5a60f11a2963f0689294d0ebf4f18e93effd099
parent758b9a3c30a73fd985943fb7a887f0373be3a833 (diff)
require token when updating user via API
-rw-r--r--users/app/controllers/v1/users_controller.rb2
-rw-r--r--users/test/integration/api/login_test.rb1
-rw-r--r--users/test/integration/api/srp_test.rb29
-rw-r--r--users/test/integration/api/update_account_test.rb7
4 files changed, 31 insertions, 8 deletions
diff --git a/users/app/controllers/v1/users_controller.rb b/users/app/controllers/v1/users_controller.rb
index a16c6e9..8897d01 100644
--- a/users/app/controllers/v1/users_controller.rb
+++ b/users/app/controllers/v1/users_controller.rb
@@ -3,8 +3,8 @@ module V1
skip_before_filter :verify_authenticity_token
before_filter :fetch_user, :only => [:update]
- before_filter :require_login, :only => [:update, :index]
before_filter :require_admin, :only => [:index]
+ before_filter :require_token, :only => [:update]
respond_to :json
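Review bot: The removed `require_login` covered both `:update` and `:index`, but the added `require_token` covers only `:update`, so `:index` is now guarded by `require_admin` alone; unless `require_admin` performs its own authentication (not visible here), the index action loses its login check, and keeping `before_filter :require_login, :only => [:index]` would close that gap. On the `:update` side, `require_token` authenticates the caller, but the hunk does not show whether it also verifies that the token's owner is the record loaded by `fetch_user`; that ownership check belongs either in `require_token` or in `fetch_user`, and a one-line comment stating where it is enforced would spare the next reader the search. The enclosing controller class begins outside the hunk.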
diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb
index 82219d0..d56dfd1 100644
--- a/users/test/integration/api/login_test.rb
+++ b/users/test/integration/api/login_test.rb
@@ -14,6 +14,7 @@ class LoginTest < SrpTest
test "login with srp" do
authenticate
+ assert_equal ["M2", "id", "token"], server_auth.keys
assert last_response.successful?
assert_nil server_auth["errors"]
assert server_auth["M2"]
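Review bot: `assert_equal ["M2", "id", "token"], server_auth.keys` pins the JSON object's key order, which is incidental rather than part of the contract; `assert_equal %w[M2 id token], server_auth.keys.sort` checks the same set of keys without depending on serialisation order. Placing the new shape assertion above `assert last_response.successful?` also means a failed login reports a confusing key mismatch instead of the status failure; moving it below the `successful?` assertion gives the clearer diagnostic. The `LoginTest` class begins outside the hunk.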
diff --git a/users/test/integration/api/srp_test.rb b/users/test/integration/api/srp_test.rb
index bb24f5f..fcda187 100644
--- a/users/test/integration/api/srp_test.rb
+++ b/users/test/integration/api/srp_test.rb
@@ -35,8 +35,7 @@ class SrpTest < RackTest
def register_user(login = "integration_test_user", password = 'srp, verify me!')
cleanup_user(login)
post 'http://api.lvh.me:3000/1/users.json',
- user: user_params(login: login, password: password),
- format: :json
+ user_params(login: login, password: password)
@user = User.find_by_login(login)
@login = login
@password = password
@@ -44,14 +43,25 @@ class SrpTest < RackTest
def update_user(params)
put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
- :user => user_params(params),
- :format => :json
+ user_params(params),
+ auth_headers
end
def authenticate(params = nil)
@server_auth = srp(params).authenticate(self)
end
+ def auth_headers
+ return {} if @server_auth.nil?
+ {
+ "HTTP_AUTHORIZATION" => encoded_token
+ }
+ end
+
+ def encoded_token
+ ActionController::HttpAuthentication::Token.encode_credentials(server_auth["token"])
+ end
+
def logout
delete "http://api.lvh.me:3000/1/logout.json",
format: :json
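Review bot: `auth_headers` guards on `@server_auth.nil?` while `encoded_token` reads the same value through the `server_auth` accessor; using the accessor in both places (`return {} if server_auth.nil?`) keeps the two helpers consistent. The empty-hash fallback is what lets a caller deliberately send an unauthenticated request, which is worth stating so nobody "fixes" it: `# no SRP session yet: send no Authorization header so the server-side token check is exercised`. `update_user` now depends on `auth_headers`, so its callers must run `authenticate` first; the `SrpTest` class begins outside the hunk.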
@@ -68,12 +78,17 @@ class SrpTest < RackTest
end
def user_params(params)
- # if there is no srp magic needed just return the params
- return params unless params.keys.include?(:password)
+ if params.keys.include?(:password)
+ srp_process_password(params)
+ end
+ return { user: params, format: :json }
+ end
+
+ def srp_process_password(params)
params.reverse_merge! login: @login, salt: @salt
@srp = SRP::Client.new params[:login], password: params.delete(:password)
@salt = srp.salt.to_s(16)
- params.merge :password_verifier => srp.verifier.to_s(16),
+ params.merge! :password_verifier => srp.verifier.to_s(16),
:password_salt => @salt
end
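Review bot: `user_params` ends with an explicit `return { user: params, format: :json }` and tests the key with `params.keys.include?(:password)`; the last expression is returned implicitly and `Hash#key?` says the same without building a key array, so `srp_process_password(params) if params.key?(:password)` followed by `{ user: params, format: :json }` reads better. `srp_process_password` mutates the hash it is given (`reverse_merge!`, `delete`, and now `merge!` in place of the old `merge`), so a caller must not reuse that hash; a comment makes the contract visible: `# mutates params: replaces :password with :password_verifier and :password_salt`. The `SrpTest` class begins outside the hunk.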
diff --git a/users/test/integration/api/update_account_test.rb b/users/test/integration/api/update_account_test.rb
index 16c2357..63429e7 100644
--- a/users/test/integration/api/update_account_test.rb
+++ b/users/test/integration/api/update_account_test.rb
@@ -12,6 +12,13 @@ class UpdateAccountTest < SrpTest
assert_access_denied
end
+ test "require token" do
+ authenticate
+ put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+ user_params(password: "No! Verify me instead.")
+ assert_access_denied
+ end
+
test "update password via api" do
authenticate
update_user password: "No! Verify me instead."
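Review bot: The new "require token" test authenticates and then issues the PUT without `auth_headers`, so the property it proves, that an SRP-authenticated session alone must not authorize an update, is only visible to a reader who knows `update_user` would have added the token header. A comment states the intent directly: `# logged in via SRP but no Authorization header: the token, not the session, must gate the update`. The URL duplicated from `update_user` is deliberate here, so either say so in that comment or extract the URL into a small helper so the two call sites stay in sync. The `UpdateAccountTest` class begins outside the hunk.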