require token when updating user via API

4 files changed, 31 insertions, 8 deletions

diff --git a/users/app/controllers/v1/users_controller.rb b/users/app/controllers/v1/users_controller.rb
index a16c6e9..8897d01 100644
--- a/users/app/controllers/v1/users_controller.rb
+++ b/users/app/controllers/v1/users_controller.rb
@@ -3,8 +3,8 @@ module V1
 
     skip_before_filter :verify_authenticity_token
     before_filter :fetch_user, :only => [:update]
-    before_filter :require_login, :only => [:update, :index]
     before_filter :require_admin, :only => [:index]
+    before_filter :require_token, :only => [:update]
 
     respond_to :json
 
diff --git a/users/test/integration/api/login_test.rb b/users/test/integration/api/login_test.rb
index 82219d0..d56dfd1 100644
--- a/users/test/integration/api/login_test.rb
+++ b/users/test/integration/api/login_test.rb
@@ -14,6 +14,7 @@ class LoginTest < SrpTest
 
   test "login with srp" do
     authenticate
+    assert_equal ["M2", "id", "token"], server_auth.keys
     assert last_response.successful?
     assert_nil server_auth["errors"]
     assert server_auth["M2"]
diff --git a/users/test/integration/api/srp_test.rb b/users/test/integration/api/srp_test.rb
index bb24f5f..fcda187 100644
--- a/users/test/integration/api/srp_test.rb
+++ b/users/test/integration/api/srp_test.rb
@@ -35,8 +35,7 @@ class SrpTest < RackTest
   def register_user(login = "integration_test_user", password = 'srp, verify me!')
     cleanup_user(login)
     post 'http://api.lvh.me:3000/1/users.json',
-      user: user_params(login: login, password: password),
-      format: :json
+      user_params(login: login, password: password)
     @user = User.find_by_login(login)
     @login = login
     @password = password
@@ -44,14 +43,25 @@ class SrpTest < RackTest
 
   def update_user(params)
     put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
-      :user => user_params(params),
-      :format => :json
+      user_params(params),
+      auth_headers
   end
 
   def authenticate(params = nil)
     @server_auth = srp(params).authenticate(self)
   end
 
+  def auth_headers
+    return {} if @server_auth.nil?
+    {
+      "HTTP_AUTHORIZATION" => encoded_token
+    }
+  end
+
+  def encoded_token
+    ActionController::HttpAuthentication::Token.encode_credentials(server_auth["token"])
+  end
+
   def logout
     delete "http://api.lvh.me:3000/1/logout.json",
       format: :json
@@ -68,12 +78,17 @@ class SrpTest < RackTest
   end
 
   def user_params(params)
-    # if there is no srp magic needed just return the params
-    return params unless params.keys.include?(:password)
+    if params.keys.include?(:password)
+      srp_process_password(params)
+    end
+    return { user: params, format: :json }
+  end
+
+  def srp_process_password(params)
     params.reverse_merge! login: @login, salt: @salt
     @srp = SRP::Client.new params[:login], password: params.delete(:password)
     @salt = srp.salt.to_s(16)
-    params.merge :password_verifier => srp.verifier.to_s(16),
+    params.merge! :password_verifier => srp.verifier.to_s(16),
       :password_salt => @salt
   end
 
diff --git a/users/test/integration/api/update_account_test.rb b/users/test/integration/api/update_account_test.rb
index 16c2357..63429e7 100644
--- a/users/test/integration/api/update_account_test.rb
+++ b/users/test/integration/api/update_account_test.rb
@@ -12,6 +12,13 @@ class UpdateAccountTest < SrpTest
     assert_access_denied
   end
 
+  test "require token" do
+    authenticate
+    put "http://api.lvh.me:3000/1/users/" + @user.id + '.json',
+      user_params(password: "No! Verify me instead.")
+    assert_access_denied
+  end
+
   test "update password via api" do
     authenticate
     update_user password: "No! Verify me instead."