Support for per-user API keys

spec/controllers/admin/api_controller_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe Admin::ApiController do
+
+  it "is a subclass of AdminController" do
+    (Admin::ApiController < Admin::AdminController).should be_true
+  end
+
+  let!(:user) { log_in(:admin) }
+
+  context '.index' do
+    it "succeeds" do
+      xhr :get, :index
+      response.should be_success
+    end
+  end
+
+  context '.regenerate_key' do
+    let(:api_key) { Fabricate(:api_key) }
+
+    it "returns 404 when there is no key" do
+      xhr :put, :regenerate_key, id: 1234
+      response.should_not be_success
+      response.status.should == 404
+    end
+
+    it "delegates to the api key's `regenerate!` method" do
+      ApiKey.any_instance.expects(:regenerate!)
+      xhr :put, :regenerate_key, id: api_key.id
+    end
+  end
+
+  context '.revoke_key' do
+    let(:api_key) { Fabricate(:api_key) }
+
+    it "returns 404 when there is no key" do
+      xhr :delete, :revoke_key, id: 1234
+      response.should_not be_success
+      response.status.should == 404
+    end
+
+    it "delegates to the api key's `regenerate!` method" do
+      ApiKey.any_instance.expects(:destroy)
+      xhr :delete, :revoke_key, id: api_key.id
+    end
+  end
+
+  context '.create_master_key' do
+    it "creates a record" do
+      lambda {
+        xhr :post, :create_master_key
+      }.should change(ApiKey, :count).by(1)
+    end
+  end
+
+end

spec/controllers/admin/users_controller_spec.rb

@@ -62,6 +62,26 @@ describe Admin::UsersController do
 
     end
 
+    context '.generate_api_key' do
+      let(:evil_trout) { Fabricate(:evil_trout) }
+
+      it 'calls generate_api_key' do
+        User.any_instance.expects(:generate_api_key).with(@user)
+        xhr :post, :generate_api_key, user_id: evil_trout.id
+      end
+    end
+
+    context '.revoke_api_key' do
+
+      let(:evil_trout) { Fabricate(:evil_trout) }
+
+      it 'calls revoke_api_key' do
+        User.any_instance.expects(:revoke_api_key)
+        xhr :delete, :revoke_api_key, user_id: evil_trout.id
+      end
+
+    end
+
     context '.approve' do
 
       let(:evil_trout) { Fabricate(:evil_trout) }

spec/controllers/application_controller_spec.rb

@@ -15,10 +15,18 @@ describe 'api' do
       Fabricate(:post)
     end
 
+    let(:api_key) { user.generate_api_key(user) }
+    let(:master_key) { ApiKey.create_master_key }
+
     # choosing an arbitrarily easy to mock trusted activity
     it 'allows users with api key to bookmark posts' do
       PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
-      put :bookmark, bookmarked: "true", post_id: post.id, api_key: SiteSetting.api_key, api_username: user.username, format: :json
+      put :bookmark, bookmarked: "true", post_id: post.id, api_key: api_key.key, format: :json
+    end
+
+    it 'allows users with a master api key to bookmark posts' do
+      PostAction.expects(:act).with(user, post, PostActionType.types[:bookmark]).once
+      put :bookmark, bookmarked: "true", post_id: post.id, api_key: master_key.key, api_username: user.username, format: :json
     end
 
     it 'disallows phonies to bookmark posts' do

spec/fabricators/api_key_fabricator.rb

@@ -0,0 +1,3 @@
+Fabricator(:api_key) do
+  key '1dfb7d427400cb8ef18052fd412781af134cceca5725dd74f34bbc6b9e35ddc9'
+end

spec/models/api_key_spec.rb

@@ -0,0 +1,16 @@
+# encoding: utf-8
+require 'spec_helper'
+require_dependency 'api_key'
+
+describe ApiKey do
+  it { should belong_to :user }
+  it { should belong_to :created_by }
+
+  it { should validate_presence_of :key }
+
+  it 'validates uniqueness of user_id' do
+    Fabricate(:api_key)
+    should validate_uniqueness_of(:user_id)
+  end
+
+end

spec/models/user_spec.rb

@@ -863,4 +863,55 @@ describe User do
       expect(user.update_avatar(upload)).to be_true
     end
   end
+
+  describe 'api keys' do
+    let(:admin) { Fabricate(:admin) }
+    let(:other_admin) { Fabricate(:admin) }
+    let(:user) { Fabricate(:user) }
+
+    describe '.generate_api_key' do
+
+      it "generates an api key when none exists, and regenerates when it does" do
+        expect(user.api_key).to be_blank
+
+        # Generate a key
+        api_key = user.generate_api_key(admin)
+        expect(api_key.user).to eq(user)
+        expect(api_key.key).to be_present
+        expect(api_key.created_by).to eq(admin)
+
+        user.reload
+        expect(user.api_key).to eq(api_key)
+
+        # Regenerate a key. Keeps the same record, updates the key
+        new_key = user.generate_api_key(other_admin)
+        expect(new_key.id).to eq(api_key.id)
+        expect(new_key.key).to_not eq(api_key.key)
+        expect(new_key.created_by).to eq(other_admin)
+      end
+
+    end
+
+    describe '.revoke_api_key' do
+
+      it "revokes an api key when exists" do
+        expect(user.api_key).to be_blank
+
+        # Revoke nothing does nothing
+        user.revoke_api_key
+        user.reload
+        expect(user.api_key).to be_blank
+
+        # When a key is present it is removed
+        user.generate_api_key(admin)
+        user.reload
+        user.revoke_api_key
+        user.reload
+        expect(user.api_key).to be_blank
+      end
+
+    end
+
+  end
+
 end