Added support for HTTP Basic access to the API. (#3920)

A user can authenticate using either their: * username/password * api-key/random git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3219 e93f8b46-1217-0410-a6f0-8f06a7374b81

Added support for HTTP Basic access to the API. (#3920)
A user can authenticate using either their: * username/password * api-key/random git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@3219 e93f8b46-1217-0410-a6f0-8f06a7374b81
e07e9d8b · Eric Davis · baa1ad42 · e07e9d8b · e07e9d8b · e07e9d8b
Commit e07e9d8b authored Dec 23, 2009 by Eric Davis
4 changed files
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -70,11 +70,19 @@ class ApplicationController < ActionController::Base
    elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
      # RSS key authentication does not start a session
      User.find_by_rss_key(params[:key])
-    elsif ['xml', 'json'].include?(params[:format]) && params[:key] && accept_key_auth_actions.include?(params[:action])
+    elsif ['xml', 'json'].include?(params[:format]) && accept_key_auth_actions.include?(params[:action])
-      User.find_by_api_key(params[:key])
+      if params[:key].present?
+        # Use API key
+        User.find_by_api_key(params[:key])
+      else
+        # HTTP Basic, either username/password or API key/random
+        authenticate_with_http_basic do |username, password|
+          User.try_to_login(username, password) || User.find_by_api_key(username)
+        end
+      end
    end
  end
  # Sets the logged in user
  def logged_user=(user)
    reset_session
@@ -118,6 +126,7 @@ class ApplicationController < ActionController::Base
      end
      respond_to do |format|
        format.html { redirect_to :controller => "account", :action => "login", :back_url => url }
+        format.atom { redirect_to :controller => "account", :action => "login", :back_url => url }
        format.xml { head :unauthorized }
        format.json { head :unauthorized }
      end

--- a/test/integration/api_token_login_test.rb
+++ b/test/integration/api_token_login_test.rb
@@ -3,8 +3,16 @@ require "#{File.dirname(__FILE__)}/../test_helper"
 class ApiTokenLoginTest < ActionController::IntegrationTest
  fixtures :all
+  def setup
+    Setting.login_required = '1'
+  end
+  def teardown
+    Setting.login_required = '0'
+  end
  # Using the NewsController because it's a simple API.
-  context "get /news.xml" do
+  context "get /news" do
    context "in :xml format" do
      context "with a valid api token" do
@@ -21,9 +29,8 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
        end
      end
-      context "with an invalid api token (on a protected site)" do
+      context "with an invalid api token" do
        setup do
-          Setting.login_required = '1'
          @user = User.generate_with_protected!
          @token = Token.generate!(:user => @user, :action => 'feeds')
          get "/news.xml?key=#{@token.value}"
@@ -52,9 +59,8 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
        end
      end
-      context "with an invalid api token (on a protected site)" do
+      context "with an invalid api token" do
        setup do
-          Setting.login_required = '1'
          @user = User.generate_with_protected!
          @token = Token.generate!(:user => @user, :action => 'feeds')
          get "/news.json?key=#{@token.value}"
@@ -69,5 +75,4 @@ class ApiTokenLoginTest < ActionController::IntegrationTest
    end
  end
 end
--- a/test/integration/http_basic_login_test.rb
+++ b/test/integration/http_basic_login_test.rb
+require "#{File.dirname(__FILE__)}/../test_helper"
+class HttpBasicLoginTest < ActionController::IntegrationTest
+  fixtures :all
+  def setup
+    Setting.login_required = '1'
+  end
+  def teardown
+    Setting.login_required = '0'
+  end
+  # Using the NewsController because it's a simple API.
+  context "get /news" do
+    context "in :xml format" do
+      context "with a valid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
+          get "/news.xml", nil, :authorization => @authorization
+        end
+        should_respond_with :success
+        should_respond_with_content_type :xml
+        should "login as the user" do
+          assert_equal @user, User.current
+        end
+      end
+      context "with an invalid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password')
+          get "/news.xml", nil, :authorization => @authorization
+        end
+        should_respond_with :unauthorized
+        should_respond_with_content_type :xml
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+    end
+    context "in :json format" do
+      context "with a valid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!(:password => 'my_password', :password_confirmation => 'my_password')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'my_password')
+          get "/news.json", nil, :authorization => @authorization
+        end
+        should_respond_with :success
+        should_respond_with_content_type :json
+        should "login as the user" do
+          assert_equal @user, User.current
+        end
+      end
+      context "with an invalid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@user.login, 'wrong_password')
+          get "/news.json", nil, :authorization => @authorization
+        end
+        should_respond_with :unauthorized
+        should_respond_with_content_type :json
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+    end
+  end
+end
--- a/test/integration/http_basic_login_with_api_token_test.rb
+++ b/test/integration/http_basic_login_with_api_token_test.rb
+require "#{File.dirname(__FILE__)}/../test_helper"
+class HttpBasicLoginWithApiTokenTest < ActionController::IntegrationTest
+  fixtures :all
+  def setup
+    Setting.login_required = '1'
+  end
+  def teardown
+    Setting.login_required = '0'
+  end
+  # Using the NewsController because it's a simple API.
+  context "get /news" do
+    context "in :xml format" do
+      context "with a valid HTTP authentication using the API token" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'api')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
+          get "/news.xml", nil, :authorization => @authorization
+        end
+        should_respond_with :success
+        should_respond_with_content_type :xml
+        should "login as the user" do
+          assert_equal @user, User.current
+        end
+      end
+      context "with an invalid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'feeds')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'X')
+          get "/news.xml", nil, :authorization => @authorization
+        end
+        should_respond_with :unauthorized
+        should_respond_with_content_type :xml
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+    end
+    context "in :json format" do
+      context "with a valid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'api')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
+          get "/news.json", nil, :authorization => @authorization
+        end
+        should_respond_with :success
+        should_respond_with_content_type :json
+        should "login as the user" do
+          assert_equal @user, User.current
+        end
+      end
+      context "with an invalid HTTP authentication" do
+        setup do
+          @user = User.generate_with_protected!
+          @token = Token.generate!(:user => @user, :action => 'feeds')
+          @authorization = ActionController::HttpAuthentication::Basic.encode_credentials(@token.value, 'DoesNotMatter')
+          get "/news.json", nil, :authorization => @authorization
+        end
+        should_respond_with :unauthorized
+        should_respond_with_content_type :json
+        should "not login as the user" do
+          assert_equal User.anonymous, User.current
+        end
+      end
+    end
+  end
+end