FEATURE: Overhaul of admin API key system (#8284)

- Allow revoking keys without deleting them - Auto-revoke keys after a period of no use (default 6 months) - Allow multiple keys per user - Allow attaching a description to each key, for easier auditing - Log changes to keys in the staff action log - Move all key management to one place, and improve the UI
2025-06-05 14:07:30 +08:00 · 2019-11-05 14:10:23 +00:00
parent fa2c06da93
commit 52c5cf33f8
46 changed files with 863 additions and 395 deletions
--- a/spec/requests/admin/users_controller_spec.rb
+++ b/spec/requests/admin/users_controller_spec.rb
@ -123,25 +123,6 @@ RSpec.describe Admin::UsersController do
    end
  end

-  describe '#generate_api_key' do
-    it 'calls generate_api_key' do
-      post "/admin/users/#{user.id}/generate_api_key.json"
-      expect(response.status).to eq(200)
-      json = JSON.parse(response.body)
-      expect(json["api_key"]["user"]["id"]).to eq(user.id)
-      expect(json["api_key"]["key"]).to be_present
-    end
-  end
-
-  describe '#revoke_api_key' do
-    it 'calls revoke_api_key' do
-      ApiKey.create!(user: user, key: SecureRandom.hex)
-      delete "/admin/users/#{user.id}/revoke_api_key.json"
-      expect(response.status).to eq(200)
-      expect(ApiKey.where(user: user).count).to eq(0)
-    end
-  end
-
  describe '#suspend' do
    fab!(:post) { Fabricate(:post) }
    let(:suspend_params) do
@ -269,15 +250,26 @@ RSpec.describe Admin::UsersController do
      expect(log.details).to match(/long reason/)
    end

-    it "also revokes any api keys" do
-      Fabricate(:api_key, user: user)
-      put "/admin/users/#{user.id}/suspend.json", params: suspend_params
+    it "also prevents use of any api keys" do
+      api_key = Fabricate(:api_key, user: user)

+      put "/posts/#{Fabricate(:post).id}/bookmark.json", params: {
+        bookmarked: "true",
+        api_key: api_key.key
+      }
      expect(response.status).to eq(200)
-      user.reload

+      put "/admin/users/#{user.id}/suspend.json", params: suspend_params
+      expect(response.status).to eq(200)
+
+      user.reload
      expect(user).to be_suspended
-      expect(ApiKey.where(user_id: user.id).count).to eq(0)
+
+      put "/posts/#{Fabricate(:post).id}/bookmark.json", params: {
+        bookmarked: "true",
+        api_key: api_key.key
+      }
+      expect(response.status).to eq(403)
    end
  end