mirror of
https://github.com/discourse/discourse.git
synced 2025-05-28 23:49:34 +08:00
FEATURE: Header based auth for API requests (#7129)
Now you can also make authenticated API requests by passing the `api_key` and `api_username` in the HTTP header instead of query params. The new header values are: `Api-key` and `Api-Username`. Here is an example in cURL: ``` text curl -i -sS -X POST "http://127.0.0.1:3000/categories" \ -H "Content-Type: multipart/form-data;" \ -H "Api-Key: 7aa202bec1ff70563bc0a3d102feac0a7dd2af96b5b772a9feaf27485f9d31a2" \ -H "Api-Username: system" \ -F "name=7c1c0ed93583cba7124b745d1bd56b32" \ -F "color=49d9e9" \ -F "text_color=f0fcfd" ``` There is also support for `Api-User-Id` and `Api-User-External-Id` instead of specifying the username along with the key.
This commit is contained in:
@ -153,6 +153,162 @@ describe Auth::DefaultCurrentUserProvider do
|
||||
|
||||
end
|
||||
|
||||
context "server header api" do
|
||||
|
||||
it "raises errors for incorrect api_key" do
|
||||
params = { "HTTP_API_KEY" => "INCORRECT" }
|
||||
expect {
|
||||
provider("/", params).current_user
|
||||
}.to raise_error(Discourse::InvalidAccess, /API username or key is invalid/)
|
||||
end
|
||||
|
||||
it "finds a user for a correct per-user api key" do
|
||||
user = Fabricate(:user)
|
||||
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
|
||||
params = { "HTTP_API_KEY" => "hello" }
|
||||
|
||||
good_provider = provider("/", params)
|
||||
expect(good_provider.current_user.id).to eq(user.id)
|
||||
expect(good_provider.is_api?).to eq(true)
|
||||
expect(good_provider.is_user_api?).to eq(false)
|
||||
expect(good_provider.should_update_last_seen?).to eq(false)
|
||||
|
||||
user.update_columns(active: false)
|
||||
|
||||
expect {
|
||||
provider("/", params).current_user
|
||||
}.to raise_error(Discourse::InvalidAccess)
|
||||
|
||||
user.update_columns(active: true, suspended_till: 1.day.from_now)
|
||||
|
||||
expect {
|
||||
provider("/", params).current_user
|
||||
}.to raise_error(Discourse::InvalidAccess)
|
||||
end
|
||||
|
||||
it "raises for a user pretending" do
|
||||
user = Fabricate(:user)
|
||||
user2 = Fabricate(:user)
|
||||
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1)
|
||||
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USERNAME" => user2.username.downcase }
|
||||
|
||||
expect {
|
||||
provider("/", params).current_user
|
||||
}.to raise_error(Discourse::InvalidAccess)
|
||||
end
|
||||
|
||||
it "raises for a user with a mismatching ip" do
|
||||
user = Fabricate(:user)
|
||||
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['10.0.0.0/24'])
|
||||
params = {
|
||||
"HTTP_API_KEY" => "hello",
|
||||
"HTTP_API_USERNAME" => user.username.downcase,
|
||||
"REMOTE_ADDR" => "10.1.0.1"
|
||||
}
|
||||
|
||||
expect {
|
||||
provider("/", params).current_user
|
||||
}.to raise_error(Discourse::InvalidAccess)
|
||||
|
||||
end
|
||||
|
||||
it "allows a user with a matching ip" do
|
||||
user = Fabricate(:user)
|
||||
ApiKey.create!(key: "hello", user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24'])
|
||||
params = {
|
||||
"HTTP_API_KEY" => "hello",
|
||||
"HTTP_API_USERNAME" => user.username.downcase,
|
||||
"REMOTE_ADDR" => "100.0.0.22",
|
||||
}
|
||||
|
||||
found_user = provider("/", params).current_user
|
||||
|
||||
expect(found_user.id).to eq(user.id)
|
||||
|
||||
params = {
|
||||
"HTTP_API_KEY" => "hello",
|
||||
"HTTP_API_USERNAME" => user.username.downcase,
|
||||
"HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22"
|
||||
}
|
||||
|
||||
found_user = provider("/", params).current_user
|
||||
expect(found_user.id).to eq(user.id)
|
||||
|
||||
end
|
||||
|
||||
it "finds a user for a correct system api key" do
|
||||
user = Fabricate(:user)
|
||||
ApiKey.create!(key: "hello", created_by_id: -1)
|
||||
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USERNAME" => user.username.downcase }
|
||||
expect(provider("/", params).current_user.id).to eq(user.id)
|
||||
end
|
||||
|
||||
it "finds a user for a correct system api key with external id" do
|
||||
user = Fabricate(:user)
|
||||
ApiKey.create!(key: "hello", created_by_id: -1)
|
||||
SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '')
|
||||
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USER_EXTERNAL_ID" => "abc" }
|
||||
expect(provider("/", params).current_user.id).to eq(user.id)
|
||||
end
|
||||
|
||||
it "finds a user for a correct system api key with id" do
|
||||
user = Fabricate(:user)
|
||||
ApiKey.create!(key: "hello", created_by_id: -1)
|
||||
params = { "HTTP_API_KEY" => "hello", "HTTP_API_USER_ID" => user.id }
|
||||
expect(provider("/", params).current_user.id).to eq(user.id)
|
||||
end
|
||||
|
||||
context "rate limiting" do
|
||||
before do
|
||||
RateLimiter.enable
|
||||
end
|
||||
|
||||
after do
|
||||
RateLimiter.disable
|
||||
end
|
||||
|
||||
it "rate limits api requests per api key" do
|
||||
global_setting :max_admin_api_reqs_per_key_per_minute, 3
|
||||
|
||||
freeze_time
|
||||
|
||||
user = Fabricate(:user)
|
||||
key = SecureRandom.hex
|
||||
api_key = ApiKey.create!(key: key, created_by_id: -1)
|
||||
params = { "HTTP_API_KEY" => key, "HTTP_API_USERNAME" => user.username.downcase }
|
||||
system_params = params.merge("HTTP_API_USERNAME" => "system")
|
||||
|
||||
provider("/", params).current_user
|
||||
provider("/", system_params).current_user
|
||||
provider("/", params).current_user
|
||||
|
||||
expect do
|
||||
provider("/", system_params).current_user
|
||||
end.to raise_error(RateLimiter::LimitExceeded)
|
||||
|
||||
freeze_time 59.seconds.from_now
|
||||
|
||||
expect do
|
||||
provider("/", system_params).current_user
|
||||
end.to raise_error(RateLimiter::LimitExceeded)
|
||||
|
||||
freeze_time 2.seconds.from_now
|
||||
|
||||
# 1 minute elapsed
|
||||
provider("/", system_params).current_user
|
||||
|
||||
# should not rate limit a random key
|
||||
api_key.destroy
|
||||
key = SecureRandom.hex
|
||||
ApiKey.create!(key: key, created_by_id: -1)
|
||||
params = { "HTTP_API_KEY" => key, "HTTP_API_USERNAME" => user.username.downcase }
|
||||
provider("/", params).current_user
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
it "should not update last seen for ajax calls without Discourse-Visible header" do
|
||||
expect(provider("/topic/anything/goes",
|
||||
:method => "POST",
|
||||
|
Reference in New Issue
Block a user