DEPRECATION: Remove support for api creds in query params (#9106)

* DEPRECATION: Remove support for api creds in query params This commit removes support for api credentials in query params except for a few whitelisted routes like rss/json feeds and the handle_mail route. Several tests were written to valid these changes, but the bulk of the spec changes are just switching them over to use header based auth so that they will pass without changing what they were actually testing. Original commit that notified admins this change was coming was created over 3 months ago: 2db2003187 * fix tests * Also allow iCalendar feeds Co-authored-by: Rafael dos Santos Silva <xfalcox@gmail.com>
2025-02-25 18:55:32 -06:00 · 2020-04-06 16:55:44 -06:00
parent 58bec3b200
commit d04ba4b3b2
10 changed files with 170 additions and 143 deletions
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -743,7 +743,7 @@ describe UsersController do

        it "won't create the user as active with a regular key" do
          post "/u.json",
-            params: post_user_params.merge(active: true, api_key: api_key.key)
+            params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key }

          expect(response.status).to eq(200)
          expect(JSON.parse(response.body)['active']).to be_falsey
@@ -759,7 +759,7 @@ describe UsersController do
          SiteSetting.must_approve_users = true

          #Sidekiq::Client.expects(:enqueue).never
-          post "/u.json", params: post_user_params.merge(approved: true, active: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(approved: true, active: true), headers: { HTTP_API_KEY: api_key.key }

          expect(Jobs::CriticalUserEmail.jobs.size).to eq(0)
          expect(Jobs::SendSystemMessage.jobs.size).to eq(0)
@@ -781,7 +781,7 @@ describe UsersController do
          Jobs.run_immediately!
          SiteSetting.must_approve_users = true

-          post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key }

          expect(response.status).to eq(200)
          json = JSON.parse(response.body)
@@ -796,7 +796,7 @@ describe UsersController do
          Jobs.run_immediately!
          SiteSetting.must_approve_users = true

-          post "/u.json", params: post_user_params.merge(api_key: api_key.key)
+          post "/u.json", params: post_user_params, headers: { HTTP_API_KEY: api_key.key }

          expect(response.status).to eq(200)
          json = JSON.parse(response.body)
@@ -810,7 +810,7 @@ describe UsersController do
        it "won't create the developer as active" do
          UsernameCheckerService.expects(:is_developer?).returns(true)

-          post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key }
          expect(response.status).to eq(200)
          expect(JSON.parse(response.body)['active']).to be_falsy
        end
@@ -819,7 +819,7 @@ describe UsersController do
          SiteSetting.allow_user_locale = true
          admin.update!(locale: :fr)

-          post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key }
          expect(response.status).to eq(200)

          json = JSON.parse(response.body)
@@ -832,7 +832,7 @@ describe UsersController do
          SiteSetting.must_approve_users = true
          SiteSetting.auto_approve_email_domains = "example.com"

-          post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key }

          expect(response.status).to eq(200)
          json = JSON.parse(response.body)
@@ -858,7 +858,7 @@ describe UsersController do
        fab!(:api_key, refind: false) { Fabricate(:api_key, user: user) }

        it "won't create the user as staged with a regular key" do
-          post "/u.json", params: post_user_params.merge(staged: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(staged: true), headers: { HTTP_API_KEY: api_key.key }
          expect(response.status).to eq(200)

          new_user = User.where(username: post_user_params[:username]).first
@@ -871,7 +871,7 @@ describe UsersController do
        fab!(:api_key, refind: false) { Fabricate(:api_key, user: user) }

        it "creates the user as staged with a regular key" do
-          post "/u.json", params: post_user_params.merge(staged: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(staged: true), headers: { HTTP_API_KEY: api_key.key }
          expect(response.status).to eq(200)

          new_user = User.where(username: post_user_params[:username]).first
@@ -880,7 +880,7 @@ describe UsersController do

        it "won't create the developer as staged" do
          UsernameCheckerService.expects(:is_developer?).returns(true)
-          post "/u.json", params: post_user_params.merge(staged: true, api_key: api_key.key)
+          post "/u.json", params: post_user_params.merge(staged: true), headers: { HTTP_API_KEY: api_key.key }
          expect(response.status).to eq(200)

          new_user = User.where(username: post_user_params[:username]).first
@@ -1850,8 +1850,9 @@ describe UsersController do
                },
                user_fields: {
                  user_field.id.to_s => 'user field value'
-                },
-                api_key: api_key.key
+                }
+              }, headers: {
+                HTTP_API_KEY: api_key.key
              }
              expect(response.status).to eq(200)
              u = User.find_by_email('user@mail.com')