Support for per-user API keys

spec/controllers/admin/api_controller_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe Admin::ApiController do
+
+  it "is a subclass of AdminController" do
+    (Admin::ApiController < Admin::AdminController).should be_true
+  end
+
+  let!(:user) { log_in(:admin) }
+
+  context '.index' do
+    it "succeeds" do
+      xhr :get, :index
+      response.should be_success
+    end
+  end
+
+  context '.regenerate_key' do
+    let(:api_key) { Fabricate(:api_key) }
+
+    it "returns 404 when there is no key" do
+      xhr :put, :regenerate_key, id: 1234
+      response.should_not be_success
+      response.status.should == 404
+    end
+
+    it "delegates to the api key's `regenerate!` method" do
+      ApiKey.any_instance.expects(:regenerate!)
+      xhr :put, :regenerate_key, id: api_key.id
+    end
+  end
+
+  context '.revoke_key' do
+    let(:api_key) { Fabricate(:api_key) }
+
+    it "returns 404 when there is no key" do
+      xhr :delete, :revoke_key, id: 1234
+      response.should_not be_success
+      response.status.should == 404
+    end
+
+    it "delegates to the api key's `regenerate!` method" do
+      ApiKey.any_instance.expects(:destroy)
+      xhr :delete, :revoke_key, id: api_key.id
+    end
+  end
+
+  context '.create_master_key' do
+    it "creates a record" do
+      lambda {
+        xhr :post, :create_master_key
+      }.should change(ApiKey, :count).by(1)
+    end
+  end
+
+end

spec/controllers/admin/users_controller_spec.rb

@@ -62,6 +62,26 @@ describe Admin::UsersController do
 
     end
 
+    context '.generate_api_key' do
+      let(:evil_trout) { Fabricate(:evil_trout) }
+
+      it 'calls generate_api_key' do
+        User.any_instance.expects(:generate_api_key).with(@user)
+        xhr :post, :generate_api_key, user_id: evil_trout.id
+      end
+    end
+
+    context '.revoke_api_key' do
+
+      let(:evil_trout) { Fabricate(:evil_trout) }
+
+      it 'calls revoke_api_key' do
+        User.any_instance.expects(:revoke_api_key)
+        xhr :delete, :revoke_api_key, user_id: evil_trout.id
+      end
+
+    end
+
     context '.approve' do
 
       let(:evil_trout) { Fabricate(:evil_trout) }

spec/controllers/application_controller_spec.rb

@@ -15,10 +15,18 @@ describe 'api' do
       Fabricate(:post)
     end
 
+    let(:api_key) { user.generate_api_key(user) }
+    let(:master_key) { ApiKey.create_master_key }
+
     # choosing an arbitrarily easy to mock trusted activity
     it 'allows users with api key to bookmark posts' do
       PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
-      put :bookmark, bookmarked: "true", post_id: post.id, api_key: SiteSetting.api_key, api_username: user.username, format: :json
+      put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, format: :json
+    end
+
+    it 'allows users with a master api key to bookmark posts' do
+      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
+      put :bookmark, bookmarked: "true", post_id: post.id, api_key: master_key.key, api_username: user.username, format: :json
     end
 
     it 'disallows phonies to bookmark posts' do