Feature: User API key support (server side implementation)

- Supports throttled read and write - No support for push yet, but data is captured about intent
2025-02-25 18:55:32 -06:00 · 2016-08-15 17:58:33 +10:00
parent d3c8985030
commit fc095acaaa
10 changed files with 396 additions and 0 deletions
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@@ -153,5 +153,78 @@ describe Auth::DefaultCurrentUserProvider do
    freeze_time 3.hours.from_now
    expect(provider("/", "HTTP_COOKIE" => "_t=#{user.auth_token}").current_user).to eq(nil)
  end
+
+  context "user api" do
+    let :user do
+      Fabricate(:user)
+    end
+
+    let :api_key do
+      UserApiKey.create!(
+        application_name: 'my app',
+        client_id: '1234',
+        read: true,
+        write: false,
+        push: false,
+        key: SecureRandom.hex,
+        user_id: user.id
+      )
+    end
+
+    it "allows user API access correctly" do
+      params = {
+        "REQUEST_METHOD" => "GET",
+        "USER_API_KEY" => api_key.key,
+      }
+
+      expect(provider("/", params).current_user.id).to eq(user.id)
+
+      expect {
+        provider("/", params.merge({"REQUEST_METHOD" => "POST"})).current_user
+      }.to raise_error(Discourse::InvalidAccess)
+
+    end
+
+    it "rate limits api usage" do
+
+      RateLimiter.stubs(:disabled?).returns(false)
+      limiter1 = RateLimiter.new(nil, "user_api_day_#{api_key.key}", 10, 60)
+      limiter2 = RateLimiter.new(nil, "user_api_min_#{api_key.key}", 10, 60)
+      limiter1.clear!
+      limiter2.clear!
+
+      SiteSetting.max_user_api_reqs_per_day = 3
+      SiteSetting.max_user_api_reqs_per_minute = 4
+
+      params = {
+        "REQUEST_METHOD" => "GET",
+        "USER_API_KEY" => api_key.key,
+      }
+
+      3.times do
+        provider("/", params).current_user
+      end
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(RateLimiter::LimitExceeded)
+
+
+      SiteSetting.max_user_api_reqs_per_day = 4
+      SiteSetting.max_user_api_reqs_per_minute = 3
+
+      limiter1.clear!
+      limiter2.clear!
+
+      3.times do
+        provider("/", params).current_user
+      end
+
+      expect {
+        provider("/", params).current_user
+      }.to raise_error(RateLimiter::LimitExceeded)
+
+    end
+  end
 end