Drop support for basic authentication

diff --git a/app/controllers/api/permissions_controller.rb b/app/controllers/api/permissions_controller.rb
index d7fb92ae6aebc9531afd7b6a2a159a8812a3b3f0..637aa36a0342caf017254f3baa3203c7b0d235e0 100644 (file)
--- a/app/controllers/api/permissions_controller.rb
+++ b/app/controllers/api/permissions_controller.rb
@@ -9,13 +9,10 @@ module Api
     # External apps that use the api are able to query which permissions
     # they have. This currently returns a list of permissions granted to the current user:
     # * if authenticated via OAuth, this list will contain all permissions granted by the user to the access_token.
     # External apps that use the api are able to query which permissions
     # they have. This currently returns a list of permissions granted to the current user:
     # * if authenticated via OAuth, this list will contain all permissions granted by the user to the access_token.

-    # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions.

     # * unauthenticated users have no permissions, so the list will be empty.
     def show
       @permissions = if doorkeeper_token.present?
                        doorkeeper_token.scopes.map { |s| :"allow_#{s}" }
     # * unauthenticated users have no permissions, so the list will be empty.
     def show
       @permissions = if doorkeeper_token.present?
                        doorkeeper_token.scopes.map { |s| :"allow_#{s}" }

-                     elsif current_user
-                       Oauth.scopes.map { |s| :"allow_#{s.name}" }

                      else
                        []
                      end
                      else
                        []
                      end

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 1a8185a3e92a2e01321eb794c5086e6a715af922..5b264db970aeb19a8b7a4efd6eeec31a787e78e9 100644 (file)
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -47,19 +47,14 @@ class ApiController < ApplicationController
     end
   end
 
     end
   end
 

-  def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you")
+  def authorize(errormessage = "Couldn't authenticate you")

     # make the current_user object from any auth sources we have
     setup_user_auth
 
     # handle authenticate pass/fail
     unless current_user
       # no auth, the user does not exist or the password was wrong
     # make the current_user object from any auth sources we have
     setup_user_auth
 
     # handle authenticate pass/fail
     unless current_user
       # no auth, the user does not exist or the password was wrong

-      if Settings.basic_auth_support
-        response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
-        render :plain => errormessage, :status => :unauthorized
-      else
-        render :plain => errormessage, :status => :forbidden
-      end
+      render :plain => errormessage, :status => :unauthorized

 
       false
     end
 
       false
     end


@@ -80,13 +75,8 @@ class ApiController < ApplicationController
       report_error t("oauth.permissions.missing"), :forbidden
     elsif current_user
       head :forbidden
       report_error t("oauth.permissions.missing"), :forbidden
     elsif current_user
       head :forbidden

-    elsif Settings.basic_auth_support
-      realm = "Web Password"
-      errormessage = "Couldn't authenticate you"
-      response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\""
-      render :plain => errormessage, :status => :unauthorized

     else
     else

-      render :plain => errormessage, :status => :forbidden
+      head :unauthorized

     end
   end
 
     end
   end
 


@@ -103,25 +93,7 @@ class ApiController < ApplicationController
   def setup_user_auth
     logger.info " setup_user_auth"
     # try and setup using OAuth
   def setup_user_auth
     logger.info " setup_user_auth"
     # try and setup using OAuth

-    if doorkeeper_token&.accessible?
-      self.current_user = User.find(doorkeeper_token.resource_owner_id)
-    else
-      username, passwd = auth_data # parse from headers
-      # authenticate per-scheme
-      self.current_user = if username.nil?
-                            nil # no authentication provided - perhaps first connect (client should retry after 401)
-                          else
-                            User.authenticate(:username => username, :password => passwd) # basic auth
-                          end
-      if username && current_user
-        if Settings.basic_auth_support
-          # log if we have authenticated using basic auth
-          logger.info "Authenticated as user #{current_user.id} using basic authentication"
-        else
-          report_error t("application.basic_auth_disabled", :link => t("application.auth_disabled_link")), :forbidden
-        end
-      end
-    end
+    self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible?

 
     # have we identified the user?
     if current_user
 
     # have we identified the user?
     if current_user

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index cc006c19cf78a6e8634f57e42258c60300722827..4b36607bb00a988b671ce3f2da760633f0aabeba 100644 (file)
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -323,20 +323,6 @@ class ApplicationController < ActionController::Base
     end
   end
 
     end
   end
 

-  # extract authorisation credentials from headers, returns user = nil if none
-  def auth_data
-    if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it
-      authdata = request.env["X-HTTP_AUTHORIZATION"].to_s.split
-    elsif request.env.key? "REDIRECT_X_HTTP_AUTHORIZATION" # mod_fcgi
-      authdata = request.env["REDIRECT_X_HTTP_AUTHORIZATION"].to_s.split
-    elsif request.env.key? "HTTP_AUTHORIZATION" # regular location
-      authdata = request.env["HTTP_AUTHORIZATION"].to_s.split
-    end
-    # only basic authentication supported
-    user, pass = Base64.decode64(authdata[1]).split(":", 2) if authdata && authdata[0] == "Basic"
-    [user, pass]
-  end
-

   # clean any referer parameter
   def safe_referer(referer)
     begin
   # clean any referer parameter
   def safe_referer(referer)
     begin

diff --git a/config/locales/en.yml b/config/locales/en.yml
index b9e7ee16a651809aaea473e34d47a20824a18c66..08706e42b0925c6af909ab6e4554ed4389ee3cc9 100644 (file)
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -2580,8 +2580,6 @@ en:
         other: "GPX file with %{count} points from %{user}"
       description_without_count: "GPX file from %{user}"
   application:
         other: "GPX file with %{count} points from %{user}"
       description_without_count: "GPX file from %{user}"
   application:

-    basic_auth_disabled: "HTTP Basic Authentication is disabled: %{link}"
-    auth_disabled_link: "https://wiki.openstreetmap.org/wiki/2024_authentication_update"

     permission_denied: You do not have permission to access that action
     require_cookies:
       cookies_needed: "You appear to have cookies disabled - please enable cookies in your browser before continuing."
     permission_denied: You do not have permission to access that action
     require_cookies:
       cookies_needed: "You appear to have cookies disabled - please enable cookies in your browser before continuing."

diff --git a/config/settings.yml b/config/settings.yml
index e2ff88a419effdabc6f4a09bb7947b8d1d53ed5f..b5a565b133dc4df6697cdeab8e299c5a4f2d2758 100644 (file)
--- a/config/settings.yml
+++ b/config/settings.yml
@@ -106,8 +106,6 @@ attachments_dir: ":rails_root/public/attachments"
 #logstash_path: ""
 # List of memcache servers to use for caching
 #memcache_servers: []
 #logstash_path: ""
 # List of memcache servers to use for caching
 #memcache_servers: []

-# Enable HTTP basic authentication support
-basic_auth_support: true

 # URL of Nominatim instance to use for geocoding
 nominatim_url: "https://nominatim.openstreetmap.org/"
 # Default editor
 # URL of Nominatim instance to use for geocoding
 nominatim_url: "https://nominatim.openstreetmap.org/"
 # Default editor

diff --git a/test/controllers/api/changeset_comments_controller_test.rb b/test/controllers/api/changeset_comments_controller_test.rb
index f479b24b3cb99b3b9f68921fd772086f69bd4103..ca7fc3407966067c7cc225f0acf9f27caaa4e741 100644 (file)
--- a/test/controllers/api/changeset_comments_controller_test.rb
+++ b/test/controllers/api/changeset_comments_controller_test.rb
@@ -41,7 +41,7 @@ module Api
       deleted_user = create(:user, :deleted)
       private_user_closed_changeset = create(:changeset, :closed, :user => private_user)
 
       deleted_user = create(:user, :deleted)
       private_user_closed_changeset = create(:changeset, :closed, :user => private_user)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       assert_difference "ChangesetComment.count", 1 do
         assert_no_difference "ActionMailer::Base.deliveries.size" do
 
       assert_difference "ChangesetComment.count", 1 do
         assert_no_difference "ActionMailer::Base.deliveries.size" do


@@ -74,7 +74,7 @@ module Api
 
       ActionMailer::Base.deliveries.clear
 
 
       ActionMailer::Base.deliveries.clear
 

-      auth_header = basic_authorization_header user2.email, "test"
+      auth_header = bearer_authorization_header user2

 
       assert_difference "ChangesetComment.count", 1 do
         assert_difference "ActionMailer::Base.deliveries.size", 2 do
 
       assert_difference "ChangesetComment.count", 1 do
         assert_difference "ActionMailer::Base.deliveries.size", 2 do


@@ -105,7 +105,7 @@ module Api
       post changeset_comment_path(create(:changeset, :closed), :text => "This is a comment")
       assert_response :unauthorized
 
       post changeset_comment_path(create(:changeset, :closed), :text => "This is a comment")
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # bad changeset id
       assert_no_difference "ChangesetComment.count" do
 
       # bad changeset id
       assert_no_difference "ChangesetComment.count" do


@@ -138,7 +138,7 @@ module Api
       changeset = create(:changeset, :closed)
       user = create(:user)
 
       changeset = create(:changeset, :closed)
       user = create(:user)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour do
         1.upto(Settings.initial_changeset_comments_per_hour) do |count|
 
       assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour do
         1.upto(Settings.initial_changeset_comments_per_hour) do |count|


@@ -160,7 +160,7 @@ module Api
       user = create(:user)
       create_list(:changeset_comment, 200, :author_id => user.id, :created_at => Time.now.utc - 1.day)
 
       user = create(:user)
       create_list(:changeset_comment, 200, :author_id => user.id, :created_at => Time.now.utc - 1.day)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       assert_difference "ChangesetComment.count", Settings.max_changeset_comments_per_hour do
         1.upto(Settings.max_changeset_comments_per_hour) do |count|
 
       assert_difference "ChangesetComment.count", Settings.max_changeset_comments_per_hour do
         1.upto(Settings.max_changeset_comments_per_hour) do |count|


@@ -182,7 +182,7 @@ module Api
       user = create(:user)
       create(:issue_with_reports, :reportable => user, :reported_user => user)
 
       user = create(:user)
       create(:issue_with_reports, :reportable => user, :reported_user => user)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour / 2 do
         1.upto(Settings.initial_changeset_comments_per_hour / 2) do |count|
 
       assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour / 2 do
         1.upto(Settings.initial_changeset_comments_per_hour / 2) do |count|


@@ -203,7 +203,7 @@ module Api
       changeset = create(:changeset, :closed)
       user = create(:moderator_user)
 
       changeset = create(:changeset, :closed)
       user = create(:moderator_user)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       assert_difference "ChangesetComment.count", Settings.moderator_changeset_comments_per_hour do
         1.upto(Settings.moderator_changeset_comments_per_hour) do |count|
 
       assert_difference "ChangesetComment.count", Settings.moderator_changeset_comments_per_hour do
         1.upto(Settings.moderator_changeset_comments_per_hour) do |count|


@@ -229,14 +229,14 @@ module Api
       assert_response :unauthorized
       assert comment.reload.visible
 
       assert_response :unauthorized
       assert comment.reload.visible
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # not a moderator
       post changeset_comment_hide_path(comment), :headers => auth_header
       assert_response :forbidden
       assert comment.reload.visible
 
 
       # not a moderator
       post changeset_comment_hide_path(comment), :headers => auth_header
       assert_response :forbidden
       assert comment.reload.visible
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       # bad comment id
       post changeset_comment_hide_path(999111), :headers => auth_header
 
       # bad comment id
       post changeset_comment_hide_path(999111), :headers => auth_header


@@ -250,7 +250,7 @@ module Api
       comment = create(:changeset_comment)
       assert comment.visible
 
       comment = create(:changeset_comment)
       assert comment.visible
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       post changeset_comment_hide_path(comment), :headers => auth_header
       assert_response :success
 
       post changeset_comment_hide_path(comment), :headers => auth_header
       assert_response :success


@@ -268,14 +268,14 @@ module Api
       assert_response :unauthorized
       assert_not comment.reload.visible
 
       assert_response :unauthorized
       assert_not comment.reload.visible
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # not a moderator
       post changeset_comment_unhide_path(comment), :headers => auth_header
       assert_response :forbidden
       assert_not comment.reload.visible
 
 
       # not a moderator
       post changeset_comment_unhide_path(comment), :headers => auth_header
       assert_response :forbidden
       assert_not comment.reload.visible
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       # bad comment id
       post changeset_comment_unhide_path(999111), :headers => auth_header
 
       # bad comment id
       post changeset_comment_unhide_path(999111), :headers => auth_header


@@ -289,7 +289,7 @@ module Api
       comment = create(:changeset_comment, :visible => false)
       assert_not comment.visible
 
       comment = create(:changeset_comment, :visible => false)
       assert_not comment.visible
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       post changeset_comment_unhide_path(comment), :headers => auth_header
       assert_response :success
 
       post changeset_comment_unhide_path(comment), :headers => auth_header
       assert_response :success


@@ -320,28 +320,5 @@ module Api
       end
       assert_response :success
     end
       end
       assert_response :success
     end

-
-    # This test does the same as above, but with basic auth, to similarly test that the
-    # abilities take into account terms agreement too.
-    def test_api_write_and_terms_agreed_via_basic_auth
-      user = create(:user, :terms_agreed => nil)
-      changeset = create(:changeset, :closed)
-
-      auth_header = basic_authorization_header user.email, "test"
-
-      assert_difference "ChangesetComment.count", 0 do
-        post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header
-      end
-      assert_response :forbidden
-
-      # Try again, after agreement with the terms
-      user.terms_agreed = Time.now.utc
-      user.save!
-
-      assert_difference "ChangesetComment.count", 1 do
-        post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header
-      end
-      assert_response :success
-    end

   end
 end
   end
 end

diff --git a/test/controllers/api/changesets_controller_test.rb b/test/controllers/api/changesets_controller_test.rb
index 1d7afa03586130e5041b17a4722857a97f5561cf..c0be42a21614132b8628618a21749b663532d35a 100644 (file)
--- a/test/controllers/api/changesets_controller_test.rb
+++ b/test/controllers/api/changesets_controller_test.rb
@@ -64,7 +64,7 @@ module Api
     # -----------------------
 
     def test_create
     # -----------------------
 
     def test_create

-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)

       # Create the first user's changeset
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \
       # Create the first user's changeset
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \


@@ -72,7 +72,7 @@ module Api
       put changeset_create_path, :params => xml, :headers => auth_header
       assert_require_public_data
 
       put changeset_create_path, :params => xml, :headers => auth_header
       assert_require_public_data
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       # Create the first user's changeset
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \
       # Create the first user's changeset
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \


@@ -99,13 +99,13 @@ module Api
     end
 
     def test_create_invalid
     end
 
     def test_create_invalid

-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)

       xml = "<osm><changeset></osm>"
       put changeset_create_path, :params => xml, :headers => auth_header
       assert_require_public_data
 
       ## Try the public user
       xml = "<osm><changeset></osm>"
       put changeset_create_path, :params => xml, :headers => auth_header
       assert_require_public_data
 
       ## Try the public user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       xml = "<osm><changeset></osm>"
       put changeset_create_path, :params => xml, :headers => auth_header
       assert_response :bad_request, "creating a invalid changeset should fail"
       xml = "<osm><changeset></osm>"
       put changeset_create_path, :params => xml, :headers => auth_header
       assert_response :bad_request, "creating a invalid changeset should fail"


@@ -117,23 +117,23 @@ module Api
       assert_response :unauthorized, "shouldn't be able to create a changeset with no auth"
 
       ## Now try to with a non-public user
       assert_response :unauthorized, "shouldn't be able to create a changeset with no auth"
 
       ## Now try to with a non-public user

-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)

       put changeset_create_path, :headers => auth_header
       assert_require_public_data
 
       ## Try an inactive user
       put changeset_create_path, :headers => auth_header
       assert_require_public_data
 
       ## Try an inactive user

-      auth_header = basic_authorization_header create(:user, :pending).email, "test"
+      auth_header = bearer_authorization_header create(:user, :pending)

       put changeset_create_path, :headers => auth_header
       assert_inactive_user
 
       ## Now try to use a normal user
       put changeset_create_path, :headers => auth_header
       assert_inactive_user
 
       ## Now try to use a normal user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       put changeset_create_path, :headers => auth_header
       assert_response :bad_request, "creating a changeset with no content should fail"
     end
 
     def test_create_wrong_method
       put changeset_create_path, :headers => auth_header
       assert_response :bad_request, "creating a changeset with no content should fail"
     end
 
     def test_create_wrong_method

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       get changeset_create_path, :headers => auth_header
       assert_response :not_found
 
       get changeset_create_path, :headers => auth_header
       assert_response :not_found


@@ -216,7 +216,7 @@ module Api
 
       # one hidden comment shown to moderators
       moderator_user = create(:moderator_user)
 
       # one hidden comment shown to moderators
       moderator_user = create(:moderator_user)

-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user

       get changeset_show_path(changeset), :params => { :include_discussion => true, :show_hidden_comments => true },
                                           :headers => auth_header
       assert_response :success, "cannot get closed changeset with comments"
       get changeset_show_path(changeset), :params => { :include_discussion => true, :show_hidden_comments => true },
                                           :headers => auth_header
       assert_response :success, "cannot get closed changeset with comments"


@@ -322,7 +322,7 @@ module Api
 
       # one hidden comment shown to moderators
       moderator_user = create(:moderator_user)
 
       # one hidden comment shown to moderators
       moderator_user = create(:moderator_user)

-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user

       get changeset_show_path(changeset), :params => { :format => "json", :include_discussion => true, :show_hidden_comments => true },
                                           :headers => auth_header
       assert_response :success, "cannot get closed changeset with comments"
       get changeset_show_path(changeset), :params => { :format => "json", :include_discussion => true, :show_hidden_comments => true },
                                           :headers => auth_header
       assert_response :success, "cannot get closed changeset with comments"


@@ -416,12 +416,12 @@ module Api
       assert_response :unauthorized
 
       ## Try using the non-public user
       assert_response :unauthorized
 
       ## Try using the non-public user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

       put changeset_close_path(private_changeset), :headers => auth_header
       assert_require_public_data
 
       ## The try with the public user
       put changeset_close_path(private_changeset), :headers => auth_header
       assert_require_public_data
 
       ## The try with the public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       cs_id = changeset.id
       put changeset_close_path(cs_id), :headers => auth_header
 
       cs_id = changeset.id
       put changeset_close_path(cs_id), :headers => auth_header


@@ -439,7 +439,7 @@ module Api
       user = create(:user)
       changeset = create(:changeset)
 
       user = create(:user)
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       put changeset_close_path(changeset), :headers => auth_header
       assert_response :conflict
 
       put changeset_close_path(changeset), :headers => auth_header
       assert_response :conflict


@@ -452,7 +452,7 @@ module Api
       user = create(:user)
       changeset = create(:changeset, :user => user)
 
       user = create(:user)
       changeset = create(:changeset, :user => user)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       get changeset_close_path(changeset), :headers => auth_header
       assert_response :not_found
 
       get changeset_close_path(changeset), :headers => auth_header
       assert_response :not_found


@@ -477,7 +477,7 @@ module Api
       end
 
       # Now try with auth
       end
 
       # Now try with auth

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       cs_ids.each do |id|
         put changeset_close_path(id), :headers => auth_header
         assert_response :not_found, "The changeset #{id} doesn't exist, so can't be closed"
       cs_ids.each do |id|
         put changeset_close_path(id), :headers => auth_header
         assert_response :not_found, "The changeset #{id} doesn't exist, so can't be closed"


@@ -534,7 +534,7 @@ module Api
                       "shouldn't be able to upload a simple valid diff to changeset: #{@response.body}"
 
       ## Now try with a private user
                       "shouldn't be able to upload a simple valid diff to changeset: #{@response.body}"
 
       ## Now try with a private user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

       changeset_id = private_changeset.id
 
       # simple diff to change a node, way and relation by removing
       changeset_id = private_changeset.id
 
       # simple diff to change a node, way and relation by removing


@@ -563,7 +563,7 @@ module Api
                       "can't upload a simple valid diff to changeset: #{@response.body}"
 
       ## Now try with the public user
                       "can't upload a simple valid diff to changeset: #{@response.body}"
 
       ## Now try with the public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       changeset_id = changeset.id
 
       # simple diff to change a node, way and relation by removing
       changeset_id = changeset.id
 
       # simple diff to change a node, way and relation by removing


@@ -606,7 +606,7 @@ module Api
       way = create(:way_with_nodes, :nodes_count => 2)
       relation = create(:relation)
 
       way = create(:way_with_nodes, :nodes_count => 2)
       relation = create(:relation)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET
 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET


@@ -677,7 +677,7 @@ module Api
       create(:relation_member, :relation => super_relation, :member => used_way)
       create(:relation_member, :relation => super_relation, :member => used_node)
 
       create(:relation_member, :relation => super_relation, :member => used_way)
       create(:relation_member, :relation => super_relation, :member => used_node)
 

-      auth_header = basic_authorization_header changeset.user.display_name, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = XML::Document.new
       diff.root = XML::Node.new "osmChange"
 
       diff = XML::Document.new
       diff.root = XML::Node.new "osmChange"


@@ -719,7 +719,7 @@ module Api
       node = create(:node)
       changeset = create(:changeset)
 
       node = create(:node)
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.display_name, "test"
+      auth_header = bearer_authorization_header changeset.user

       diff = "<osmChange><delete><node id='#{node.id}' version='#{node.version}' changeset='#{changeset.id}'/></delete></osmChange>"
 
       # upload it
       diff = "<osmChange><delete><node id='#{node.id}' version='#{node.version}' changeset='#{changeset.id}'/></delete></osmChange>"
 
       # upload it


@@ -736,7 +736,7 @@ module Api
 
     def test_repeated_changeset_create
       3.times do
 
     def test_repeated_changeset_create
       3.times do

-        auth_header = basic_authorization_header create(:user).email, "test"
+        auth_header = bearer_authorization_header

 
         # create a temporary changeset
         xml = "<osm><changeset>" \
 
         # create a temporary changeset
         xml = "<osm><changeset>" \


@@ -751,7 +751,7 @@ module Api
 
     def test_upload_large_changeset
       user = create(:user)
 
     def test_upload_large_changeset
       user = create(:user)

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # create an old changeset to ensure we have the maximum rate limit
       create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)
 
       # create an old changeset to ensure we have the maximum rate limit
       create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)


@@ -813,7 +813,7 @@ module Api
       create(:relation_member, :relation => relation, :member => used_way)
       create(:relation_member, :relation => relation, :member => used_node)
 
       create(:relation_member, :relation => relation, :member => used_way)
       create(:relation_member, :relation => relation, :member => used_node)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = XML::Document.new
       diff.root = XML::Node.new "osmChange"
 
       diff = XML::Document.new
       diff.root = XML::Node.new "osmChange"


@@ -855,7 +855,7 @@ module Api
       create(:relation_member, :relation => super_relation, :member => used_way)
       create(:relation_member, :relation => super_relation, :member => used_node)
 
       create(:relation_member, :relation => super_relation, :member => used_way)
       create(:relation_member, :relation => super_relation, :member => used_node)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = XML::Document.new
       diff.root = XML::Node.new "osmChange"
 
       diff = XML::Document.new
       diff.root = XML::Node.new "osmChange"


@@ -911,7 +911,7 @@ module Api
     def test_upload_invalid_too_long_tag
       changeset = create(:changeset)
 
     def test_upload_invalid_too_long_tag
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET
 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET


@@ -941,7 +941,7 @@ module Api
 
       changeset = create(:changeset)
 
 
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET
 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET


@@ -1000,7 +1000,7 @@ module Api
       relation = create(:relation)
       other_relation = create(:relation)
 
       relation = create(:relation)
       other_relation = create(:relation)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET
 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET


@@ -1043,7 +1043,7 @@ module Api
     def test_upload_multiple_valid
       node = create(:node)
       changeset = create(:changeset)
     def test_upload_multiple_valid
       node = create(:node)
       changeset = create(:changeset)

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       # change the location of a node multiple times, each time referencing
       # the last version. doesn't this depend on version numbers being
 
       # change the location of a node multiple times, each time referencing
       # the last version. doesn't this depend on version numbers being


@@ -1081,7 +1081,7 @@ module Api
       node = create(:node)
       changeset = create(:changeset)
 
       node = create(:node)
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1103,7 +1103,7 @@ module Api
     def test_upload_missing_version
       changeset = create(:changeset)
 
     def test_upload_missing_version
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1124,7 +1124,7 @@ module Api
     def test_action_upload_invalid
       changeset = create(:changeset)
 
     def test_action_upload_invalid
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1149,7 +1149,7 @@ module Api
       other_relation = create(:relation)
       create(:relation_tag, :relation => relation)
 
       other_relation = create(:relation)
       create(:relation_tag, :relation => relation)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1184,7 +1184,7 @@ module Api
     def test_upload_reuse_placeholder_valid
       changeset = create(:changeset)
 
     def test_upload_reuse_placeholder_valid
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1218,7 +1218,7 @@ module Api
     def test_upload_placeholder_invalid
       changeset = create(:changeset)
 
     def test_upload_placeholder_invalid
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1256,7 +1256,7 @@ module Api
     def test_upload_process_order
       changeset = create(:changeset)
 
     def test_upload_process_order
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1280,7 +1280,7 @@ module Api
     def test_upload_duplicate_delete
       changeset = create(:changeset)
 
     def test_upload_duplicate_delete
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1327,7 +1327,7 @@ module Api
       changeset = create(:changeset)
       way = create(:way)
 
       changeset = create(:changeset)
       way = create(:way)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1382,7 +1382,7 @@ module Api
       changeset = create(:changeset)
       relation = create(:relation)
 
       changeset = create(:changeset)
       relation = create(:relation)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       diff = <<~CHANGESET
         <osmChange>
 
       diff = <<~CHANGESET
         <osmChange>


@@ -1434,7 +1434,7 @@ module Api
     # test what happens if a diff is uploaded containing only a node
     # move.
     def test_upload_node_move
     # test what happens if a diff is uploaded containing only a node
     # move.
     def test_upload_node_move

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \
 
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \


@@ -1471,7 +1471,7 @@ module Api
     ##
     # test what happens if a diff is uploaded adding a node to a way.
     def test_upload_way_extend
     ##
     # test what happens if a diff is uploaded adding a node to a way.
     def test_upload_way_extend

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \
 
       xml = "<osm><changeset>" \
             "<tag k='created_by' v='osm test suite checking changesets'/>" \


@@ -1512,7 +1512,7 @@ module Api
     def test_upload_empty_invalid
       changeset = create(:changeset)
 
     def test_upload_empty_invalid
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       ["<osmChange/>",
        "<osmChange></osmChange>",
 
       ["<osmChange/>",
        "<osmChange></osmChange>",


@@ -1532,7 +1532,7 @@ module Api
       node = create(:node)
       create(:relation_member, :member => node)
 
       node = create(:node)
       create(:relation_member, :member => node)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       # try and delete a node that is in use
       diff = XML::Document.new
 
       # try and delete a node that is in use
       diff = XML::Document.new


@@ -1556,7 +1556,7 @@ module Api
     def test_upload_not_found
       changeset = create(:changeset)
 
     def test_upload_not_found
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       # modify node
       diff = <<~CHANGESET
 
       # modify node
       diff = <<~CHANGESET


@@ -1640,7 +1640,7 @@ module Api
     def test_upload_relation_placeholder_not_fix
       changeset = create(:changeset)
 
     def test_upload_relation_placeholder_not_fix
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       # modify node
       diff = <<~CHANGESET
 
       # modify node
       diff = <<~CHANGESET


@@ -1674,7 +1674,7 @@ module Api
     def test_upload_multiple_delete_block
       changeset = create(:changeset)
 
     def test_upload_multiple_delete_block
       changeset = create(:changeset)
 

-      auth_header = basic_authorization_header changeset.user.email, "test"
+      auth_header = bearer_authorization_header changeset.user

 
       node = create(:node)
       way = create(:way)
 
       node = create(:node)
       way = create(:way)


@@ -1717,7 +1717,7 @@ module Api
                                      :num_changes => Settings.initial_changes_per_hour - 2)
 
       # create authentication header
                                      :num_changes => Settings.initial_changes_per_hour - 2)
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET
 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET


@@ -1772,7 +1772,7 @@ module Api
       end
 
       # create authentication header
       end
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET
 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET


@@ -1813,7 +1813,7 @@ module Api
                                      :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
 
       # create authentication header
                                      :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # simple diff to create a node
       diff = <<~CHANGESET
 
       # simple diff to create a node
       diff = <<~CHANGESET


@@ -1847,7 +1847,7 @@ module Api
                                      :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
 
       # create authentication header
                                      :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round)
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET
 
       # simple diff to create a node way and relation using placeholders
       diff = <<~CHANGESET


@@ -1873,7 +1873,7 @@ module Api
       node = create(:node)
 
       ## First try with a non-public user, which should get a forbidden
       node = create(:node)
 
       ## First try with a non-public user, which should get a forbidden

-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)

 
       # create a temporary changeset
       xml = "<osm><changeset>" \
 
       # create a temporary changeset
       xml = "<osm><changeset>" \


@@ -1883,7 +1883,7 @@ module Api
       assert_response :forbidden
 
       ## Now try with a normal user
       assert_response :forbidden
 
       ## Now try with a normal user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # create a temporary changeset
       xml = "<osm><changeset>" \
 
       # create a temporary changeset
       xml = "<osm><changeset>" \


@@ -1928,7 +1928,7 @@ module Api
     #
     # NOTE: the error turned out to be something else completely!
     def test_josm_upload
     #
     # NOTE: the error turned out to be something else completely!
     def test_josm_upload

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # create a temporary changeset
       xml = "<osm><changeset>" \
 
       # create a temporary changeset
       xml = "<osm><changeset>" \


@@ -1989,7 +1989,7 @@ module Api
       node = create(:node)
       node2 = create(:node)
       way = create(:way)
       node = create(:node)
       node2 = create(:node)
       way = create(:way)

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # create a temporary changeset
       xml = "<osm><changeset>" \
 
       # create a temporary changeset
       xml = "<osm><changeset>" \


@@ -2104,7 +2104,7 @@ module Api
       way = create(:way)
       create(:way_node, :way => way, :node => create(:node, :lat => 0.3, :lon => 0.3))
 
       way = create(:way)
       create(:way_node, :way => way, :node => create(:node, :lat => 0.3, :lon => 0.3))
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # create a new changeset
       xml = "<osm><changeset/></osm>"
 
       # create a new changeset
       xml = "<osm><changeset/></osm>"


@@ -2193,7 +2193,7 @@ module Api
       assert_response :not_found, "shouldn't be able to get changesets by non-public user (name)"
 
       # but this should work
       assert_response :not_found, "shouldn't be able to get changesets by non-public user (name)"
 
       # but this should work

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

       get changesets_path(:user => private_user.id), :headers => auth_header
       assert_response :success, "can't get changesets by user ID"
       assert_changesets_in_order [private_user_changeset, private_user_closed_changeset]
       get changesets_path(:user => private_user.id), :headers => auth_header
       assert_response :success, "can't get changesets by user ID"
       assert_changesets_in_order [private_user_changeset, private_user_closed_changeset]


@@ -2421,12 +2421,12 @@ module Api
       assert_response :unauthorized
 
       # try with the wrong authorization
       assert_response :unauthorized
 
       # try with the wrong authorization

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_response :conflict
 
       # now this should get an unauthorized
       put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_response :conflict
 
       # now this should get an unauthorized

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

       put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_require_public_data "user with their data non-public, shouldn't be able to edit their changeset"
 
       put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_require_public_data "user with their data non-public, shouldn't be able to edit their changeset"
 


@@ -2442,12 +2442,12 @@ module Api
       assert_response :unauthorized
 
       # try with the wrong authorization
       assert_response :unauthorized
 
       # try with the wrong authorization

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_response :conflict
 
       # now this should work...
       put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_response :conflict
 
       # now this should work...

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_response :success
 
       put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header
       assert_response :success
 


@@ -2460,7 +2460,7 @@ module Api
     # check that a user different from the one who opened the changeset
     # can't modify it.
     def test_changeset_update_invalid
     # check that a user different from the one who opened the changeset
     # can't modify it.
     def test_changeset_update_invalid

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       changeset = create(:changeset)
       new_changeset = create_changeset_xml(:user => changeset.user, :id => changeset.id)
 
       changeset = create(:changeset)
       new_changeset = create_changeset_xml(:user => changeset.user, :id => changeset.id)


@@ -2478,7 +2478,7 @@ module Api
     ## FIXME should be changed to an integration test due to the with_controller
     def test_changeset_limits
       user = create(:user)
     ## FIXME should be changed to an integration test due to the with_controller
     def test_changeset_limits
       user = create(:user)

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # create an old changeset to ensure we have the maximum rate limit
       create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)
 
       # create an old changeset to ensure we have the maximum rate limit
       create(:changeset, :user => user, :created_at => Time.now.utc - 28.days)


@@ -2559,7 +2559,7 @@ module Api
     ##
     # test subscribe success
     def test_subscribe_success
     ##
     # test subscribe success
     def test_subscribe_success

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       changeset = create(:changeset, :closed)
 
       assert_difference "changeset.subscribers.count", 1 do
       changeset = create(:changeset, :closed)
 
       assert_difference "changeset.subscribers.count", 1 do


@@ -2587,7 +2587,7 @@ module Api
       end
       assert_response :unauthorized
 
       end
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # bad changeset id
       assert_no_difference "changeset.subscribers.count" do
 
       # bad changeset id
       assert_no_difference "changeset.subscribers.count" do


@@ -2608,7 +2608,7 @@ module Api
     # test unsubscribe success
     def test_unsubscribe_success
       user = create(:user)
     # test unsubscribe success
     def test_unsubscribe_success
       user = create(:user)

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       changeset = create(:changeset, :closed)
       changeset.subscribers.push(user)
 
       changeset = create(:changeset, :closed)
       changeset.subscribers.push(user)
 


@@ -2637,7 +2637,7 @@ module Api
       end
       assert_response :unauthorized
 
       end
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # bad changeset id
       assert_no_difference "changeset.subscribers.count" do
 
       # bad changeset id
       assert_no_difference "changeset.subscribers.count" do

diff --git a/test/controllers/api/nodes_controller_test.rb b/test/controllers/api/nodes_controller_test.rb
index d9fabb012e18b21d0152cb2653e0a7f37e9dc470..9896c34a5a70ac491e27e600694237cc22e7abc6 100644 (file)
--- a/test/controllers/api/nodes_controller_test.rb
+++ b/test/controllers/api/nodes_controller_test.rb
@@ -55,7 +55,7 @@ module Api
       assert_response :unauthorized, "node upload did not return unauthorized status"
 
       ## Now try with the user which doesn't have their data public
       assert_response :unauthorized, "node upload did not return unauthorized status"
 
       ## Now try with the user which doesn't have their data public

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # create a minimal xml file
       xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{private_changeset.id}'/></osm>"
 
       # create a minimal xml file
       xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{private_changeset.id}'/></osm>"


@@ -66,7 +66,7 @@ module Api
       assert_require_public_data "node create did not return forbidden status"
 
       ## Now try with the user that has the public data
       assert_require_public_data "node create did not return forbidden status"
 
       ## Now try with the user that has the public data

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # create a minimal xml file
       xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{changeset.id}'/></osm>"
 
       # create a minimal xml file
       xml = "<osm><node lat='#{lat}' lon='#{lon}' changeset='#{changeset.id}'/></osm>"


@@ -92,7 +92,7 @@ module Api
       user = create(:user)
       changeset = create(:changeset, :user => user)
 
       user = create(:user)
       changeset = create(:changeset, :user => user)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       lat = 3.434
       lon = 3.23
 
       lat = 3.434
       lon = 3.23
 


@@ -178,7 +178,7 @@ module Api
       assert_response :unauthorized
 
       ## now set auth for the non-data public user
       assert_response :unauthorized
 
       ## now set auth for the non-data public user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # try to delete with an invalid (closed) changeset
       xml = update_changeset(xml_for_node(private_node), private_user_closed_changeset.id)
 
       # try to delete with an invalid (closed) changeset
       xml = update_changeset(xml_for_node(private_node), private_user_closed_changeset.id)


@@ -226,7 +226,7 @@ module Api
       changeset = create(:changeset, :user => user)
       closed_changeset = create(:changeset, :closed, :user => user)
       node = create(:node, :changeset => changeset)
       changeset = create(:changeset, :user => user)
       closed_changeset = create(:changeset, :closed, :user => user)
       node = create(:node, :changeset => changeset)

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try to delete with an invalid (closed) changeset
       xml = update_changeset(xml_for_node(node), closed_changeset.id)
 
       # try to delete with an invalid (closed) changeset
       xml = update_changeset(xml_for_node(node), closed_changeset.id)


@@ -314,7 +314,7 @@ module Api
       ## Second test with the private user
 
       # setup auth
       ## Second test with the private user
 
       # setup auth

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       ## trying to break changesets
 
 
       ## trying to break changesets
 


@@ -356,7 +356,7 @@ module Api
       assert_response :forbidden
 
       # setup auth
       assert_response :forbidden
 
       # setup auth

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       ## trying to break changesets
 
 
       ## trying to break changesets
 


@@ -477,7 +477,7 @@ module Api
       existing_tag = create(:node_tag)
       assert existing_tag.node.changeset.user.data_public
       # setup auth
       existing_tag = create(:node_tag)
       assert existing_tag.node.changeset.user.data_public
       # setup auth

-      auth_header = basic_authorization_header existing_tag.node.changeset.user.email, "test"
+      auth_header = bearer_authorization_header existing_tag.node.changeset.user

 
       # add an identical tag to the node
       tag_xml = XML::Node.new("tag")
 
       # add an identical tag to the node
       tag_xml = XML::Node.new("tag")


@@ -503,7 +503,7 @@ module Api
       changeset = create(:changeset, :user => user)
 
       ## First try with the non-data public user
       changeset = create(:changeset, :user => user)
 
       ## First try with the non-data public user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # try and put something into a string that the API might
       # use unquoted and therefore allow code injection...
 
       # try and put something into a string that the API might
       # use unquoted and therefore allow code injection...


@@ -514,7 +514,7 @@ module Api
       assert_require_public_data "Shouldn't be able to create with non-public user"
 
       ## Then try with the public data user
       assert_require_public_data "Shouldn't be able to create with non-public user"
 
       ## Then try with the public data user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try and put something into a string that the API might
       # use unquoted and therefore allow code injection...
 
       # try and put something into a string that the API might
       # use unquoted and therefore allow code injection...


@@ -552,7 +552,7 @@ module Api
                                      :num_changes => Settings.initial_changes_per_hour - 1)
 
       # create authentication header
                                      :num_changes => Settings.initial_changes_per_hour - 1)
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try creating a node
       xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
 
       # try creating a node
       xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"


@@ -599,7 +599,7 @@ module Api
       end
 
       # create authentication header
       end
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try creating a node
       xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"
 
       # try creating a node
       xml = "<osm><node lat='0' lon='0' changeset='#{changeset.id}'/></osm>"

diff --git a/test/controllers/api/notes_controller_test.rb b/test/controllers/api/notes_controller_test.rb
index 42972e494d85033c13f90b23faea40bef0c88f2f..ed410e8c75b7f51ba83eeb5d1f1bf062d3f40b97 100644 (file)
--- a/test/controllers/api/notes_controller_test.rb
+++ b/test/controllers/api/notes_controller_test.rb
@@ -203,7 +203,7 @@ module Api
     def test_comment_success
       open_note_with_comment = create(:note_with_comments)
       user = create(:user)
     def test_comment_success
       open_note_with_comment = create(:note_with_comments)
       user = create(:user)

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       assert_difference "NoteComment.count", 1 do
         assert_no_difference "ActionMailer::Base.deliveries.size" do
           perform_enqueued_jobs do
       assert_difference "NoteComment.count", 1 do
         assert_no_difference "ActionMailer::Base.deliveries.size" do
           perform_enqueued_jobs do


@@ -244,7 +244,7 @@ module Api
         create(:note_comment, :note => note, :author => second_user)
       end
 
         create(:note_comment, :note => note, :author => second_user)
       end
 

-      auth_header = basic_authorization_header third_user.email, "test"
+      auth_header = bearer_authorization_header third_user

 
       assert_difference "NoteComment.count", 1 do
         assert_difference "ActionMailer::Base.deliveries.size", 2 do
 
       assert_difference "NoteComment.count", 1 do
         assert_difference "ActionMailer::Base.deliveries.size", 2 do


@@ -300,7 +300,7 @@ module Api
         assert_response :unauthorized
       end
 
         assert_response :unauthorized
       end
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       assert_no_difference "NoteComment.count" do
         post comment_api_note_path(open_note_with_comment), :headers => auth_header
 
       assert_no_difference "NoteComment.count" do
         post comment_api_note_path(open_note_with_comment), :headers => auth_header


@@ -344,7 +344,7 @@ module Api
       post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json")
       assert_response :unauthorized
 
       post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json")
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json"), :headers => auth_header
       assert_response :success
 
       post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json"), :headers => auth_header
       assert_response :success


@@ -375,7 +375,7 @@ module Api
       post close_api_note_path(12345)
       assert_response :unauthorized
 
       post close_api_note_path(12345)
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       post close_api_note_path(12345), :headers => auth_header
       assert_response :not_found
 
       post close_api_note_path(12345), :headers => auth_header
       assert_response :not_found


@@ -398,7 +398,7 @@ module Api
       post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json")
       assert_response :unauthorized
 
       post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json")
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json"), :headers => auth_header
       assert_response :success
 
       post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json"), :headers => auth_header
       assert_response :success


@@ -431,7 +431,7 @@ module Api
       post reopen_api_note_path(hidden_note_with_comment)
       assert_response :unauthorized
 
       post reopen_api_note_path(hidden_note_with_comment)
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       post reopen_api_note_path(12345), :headers => auth_header
       assert_response :not_found
 
       post reopen_api_note_path(12345), :headers => auth_header
       assert_response :not_found


@@ -550,12 +550,12 @@ module Api
       delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json")
       assert_response :unauthorized
 
       delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json")
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
       assert_response :forbidden
 
 
       delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
       assert_response :forbidden
 

-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user

 
       delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
       assert_response :success
 
       delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header
       assert_response :success


@@ -572,7 +572,7 @@ module Api
       get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
       assert_response :success
 
       get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
       assert_response :success
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
       assert_response :gone
 
       get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header
       assert_response :gone


@@ -585,12 +585,12 @@ module Api
       delete api_note_path(12345, :format => "json")
       assert_response :unauthorized
 
       delete api_note_path(12345, :format => "json")
       assert_response :unauthorized
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       delete api_note_path(12345, :format => "json"), :headers => auth_header
       assert_response :forbidden
 
 
       delete api_note_path(12345, :format => "json"), :headers => auth_header
       assert_response :forbidden
 

-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user

 
       delete api_note_path(12345, :format => "json"), :headers => auth_header
       assert_response :not_found
 
       delete api_note_path(12345, :format => "json"), :headers => auth_header
       assert_response :not_found

diff --git a/test/controllers/api/old_nodes_controller_test.rb b/test/controllers/api/old_nodes_controller_test.rb
index 7855079cc1af2ba515fa909f87d5503eb2480716..99c4dbb1b317acb8ffd7c2bcf2a2c236ac90fd64 100644 (file)
--- a/test/controllers/api/old_nodes_controller_test.rb
+++ b/test/controllers/api/old_nodes_controller_test.rb
@@ -48,7 +48,7 @@ module Api
       propagate_tags(node, node.old_nodes.last)
 
       ## First try this with a non-public user
       propagate_tags(node, node.old_nodes.last)
 
       ## First try this with a non-public user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # setup a simple XML node
       xml_doc = xml_for_node(private_node)
 
       # setup a simple XML node
       xml_doc = xml_for_node(private_node)


@@ -95,7 +95,7 @@ module Api
       # probably should check that they didn't get written to the database
 
       ## Now do it with the public user
       # probably should check that they didn't get written to the database
 
       ## Now do it with the public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # setup a simple XML node
 
 
       # setup a simple XML node
 


@@ -212,7 +212,7 @@ module Api
     # test the redaction of an old version of a node, while being
     # authorised as a normal user.
     def test_redact_node_normal_user
     # test the redaction of an old version of a node, while being
     # authorised as a normal user.
     def test_redact_node_normal_user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       node = create(:node, :with_history, :version => 4)
       node_v3 = node.old_nodes.find_by(:version => 3)
 
       node = create(:node, :with_history, :version => 4)
       node_v3 = node.old_nodes.find_by(:version => 3)


@@ -227,7 +227,7 @@ module Api
     # test that, even as moderator, the current version of a node
     # can't be redacted.
     def test_redact_node_current_version
     # test that, even as moderator, the current version of a node
     # can't be redacted.
     def test_redact_node_current_version

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       node = create(:node, :with_history, :version => 4)
       node_v4 = node.old_nodes.find_by(:version => 4)
 
       node = create(:node, :with_history, :version => 4)
       node_v4 = node.old_nodes.find_by(:version => 4)


@@ -287,7 +287,7 @@ module Api
       assert_response :forbidden, "Redacted node shouldn't be visible via the version API."
 
       # not even to a logged-in user
       assert_response :forbidden, "Redacted node shouldn't be visible via the version API."
 
       # not even to a logged-in user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header
       assert_response :forbidden, "Redacted node shouldn't be visible via the version API, even when logged in."
     end
       get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header
       assert_response :forbidden, "Redacted node shouldn't be visible via the version API, even when logged in."
     end


@@ -305,7 +305,7 @@ module Api
                     "redacted node #{node_v1.node_id} version #{node_v1.version} shouldn't be present in the history."
 
       # not even to a logged-in user
                     "redacted node #{node_v1.node_id} version #{node_v1.version} shouldn't be present in the history."
 
       # not even to a logged-in user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       get api_node_history_path(node), :headers => auth_header
       assert_response :success, "Redaction shouldn't have stopped history working."
       assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 0,
       get api_node_history_path(node), :headers => auth_header
       assert_response :success, "Redaction shouldn't have stopped history working."
       assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 0,


@@ -318,7 +318,7 @@ module Api
     def test_redact_node_moderator
       node = create(:node, :with_history, :version => 4)
       node_v3 = node.old_nodes.find_by(:version => 3)
     def test_redact_node_moderator
       node = create(:node, :with_history, :version => 4)
       node_v3 = node.old_nodes.find_by(:version => 3)

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       do_redact_node(node_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       do_redact_node(node_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."


@@ -346,13 +346,13 @@ module Api
     def test_redact_node_is_redacted
       node = create(:node, :with_history, :version => 4)
       node_v3 = node.old_nodes.find_by(:version => 3)
     def test_redact_node_is_redacted
       node = create(:node, :with_history, :version => 4)
       node_v3 = node.old_nodes.find_by(:version => 3)

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       do_redact_node(node_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       # re-auth as non-moderator
 
       do_redact_node(node_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       # re-auth as non-moderator

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # check can't see the redacted data
       get api_old_node_path(node_v3.node_id, node_v3.version), :headers => auth_header
 
       # check can't see the redacted data
       get api_old_node_path(node_v3.node_id, node_v3.version), :headers => auth_header


@@ -386,7 +386,7 @@ module Api
       node_v1 = node.old_nodes.find_by(:version => 1)
       node_v1.redact!(create(:redaction))
 
       node_v1 = node.old_nodes.find_by(:version => 1)
       node_v1.redact!(create(:redaction))
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
       assert_response :forbidden, "should need to be moderator to unredact."
 
       post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
       assert_response :forbidden, "should need to be moderator to unredact."


@@ -401,7 +401,7 @@ module Api
       node_v1 = node.old_nodes.find_by(:version => 1)
       node_v1.redact!(create(:redaction))
 
       node_v1 = node.old_nodes.find_by(:version => 1)
       node_v1.redact!(create(:redaction))
 

-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user

 
       post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
       assert_response :success, "should be OK to unredact old version as moderator."
 
       post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header
       assert_response :success, "should be OK to unredact old version as moderator."


@@ -417,7 +417,7 @@ module Api
       assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 1,
                     "node #{node_v1.node_id} version #{node_v1.version} should now be present in the history for moderators without passing flag."
 
       assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 1,
                     "node #{node_v1.node_id} version #{node_v1.version} should now be present in the history for moderators without passing flag."
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # check normal user can now see the redacted data
       get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header
 
       # check normal user can now see the redacted data
       get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header

diff --git a/test/controllers/api/old_relations_controller_test.rb b/test/controllers/api/old_relations_controller_test.rb
index 892e52991a1feef0a5df0386c32d3c710444780d..446fb5f14011464b2380be80109860972b383c6e 100644 (file)
--- a/test/controllers/api/old_relations_controller_test.rb
+++ b/test/controllers/api/old_relations_controller_test.rb
@@ -58,7 +58,7 @@ module Api
       relation = create(:relation, :with_history, :version => 4)
       relation_v3 = relation.old_relations.find_by(:version => 3)
 
       relation = create(:relation, :with_history, :version => 4)
       relation_v3 = relation.old_relations.find_by(:version => 3)
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       do_redact_relation(relation_v3, create(:redaction), auth_header)
       assert_response :forbidden, "should need to be moderator to redact."
 
       do_redact_relation(relation_v3, create(:redaction), auth_header)
       assert_response :forbidden, "should need to be moderator to redact."


@@ -71,7 +71,7 @@ module Api
       relation = create(:relation, :with_history, :version => 4)
       relation_latest = relation.old_relations.last
 
       relation = create(:relation, :with_history, :version => 4)
       relation_latest = relation.old_relations.last
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       do_redact_relation(relation_latest, create(:redaction), auth_header)
       assert_response :bad_request, "shouldn't be OK to redact current version as moderator."
 
       do_redact_relation(relation_latest, create(:redaction), auth_header)
       assert_response :bad_request, "shouldn't be OK to redact current version as moderator."


@@ -126,7 +126,7 @@ module Api
       assert_response :forbidden, "Redacted relation shouldn't be visible via the version API."
 
       # not even to a logged-in user
       assert_response :forbidden, "Redacted relation shouldn't be visible via the version API."
 
       # not even to a logged-in user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       assert_response :forbidden, "Redacted relation shouldn't be visible via the version API, even when logged in."
     end
       get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       assert_response :forbidden, "Redacted relation shouldn't be visible via the version API, even when logged in."
     end


@@ -144,7 +144,7 @@ module Api
                     "redacted relation #{relation_v1.relation_id} version #{relation_v1.version} shouldn't be present in the history."
 
       # not even to a logged-in user
                     "redacted relation #{relation_v1.relation_id} version #{relation_v1.version} shouldn't be present in the history."
 
       # not even to a logged-in user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       get api_relation_history_path(relation), :headers => auth_header
       assert_response :success, "Redaction shouldn't have stopped history working."
       get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       get api_relation_history_path(relation), :headers => auth_header
       assert_response :success, "Redaction shouldn't have stopped history working."


@@ -159,7 +159,7 @@ module Api
       relation = create(:relation, :with_history, :version => 4)
       relation_v3 = relation.old_relations.find_by(:version => 3)
 
       relation = create(:relation, :with_history, :version => 4)
       relation_v3 = relation.old_relations.find_by(:version => 3)
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       do_redact_relation(relation_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       do_redact_relation(relation_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."


@@ -188,13 +188,13 @@ module Api
       relation = create(:relation, :with_history, :version => 4)
       relation_v3 = relation.old_relations.find_by(:version => 3)
 
       relation = create(:relation, :with_history, :version => 4)
       relation_v3 = relation.old_relations.find_by(:version => 3)
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       do_redact_relation(relation_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       # re-auth as non-moderator
 
       do_redact_relation(relation_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       # re-auth as non-moderator

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # check can't see the redacted data
       get api_old_relation_path(relation_v3.relation_id, relation_v3.version), :headers => auth_header
 
       # check can't see the redacted data
       get api_old_relation_path(relation_v3.relation_id, relation_v3.version), :headers => auth_header


@@ -227,7 +227,7 @@ module Api
       relation_v1 = relation.old_relations.find_by(:version => 1)
       relation_v1.redact!(create(:redaction))
 
       relation_v1 = relation.old_relations.find_by(:version => 1)
       relation_v1.redact!(create(:redaction))
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       assert_response :forbidden, "should need to be moderator to unredact."
 
       post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       assert_response :forbidden, "should need to be moderator to unredact."


@@ -241,7 +241,7 @@ module Api
       relation_v1 = relation.old_relations.find_by(:version => 1)
       relation_v1.redact!(create(:redaction))
 
       relation_v1 = relation.old_relations.find_by(:version => 1)
       relation_v1.redact!(create(:redaction))
 

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       assert_response :success, "should be OK to unredact old version as moderator."
 
       post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
       assert_response :success, "should be OK to unredact old version as moderator."


@@ -257,7 +257,7 @@ module Api
       assert_select "osm relation[id='#{relation_v1.relation_id}'][version='#{relation_v1.version}']", 1,
                     "relation #{relation_v1.relation_id} version #{relation_v1.version} should still be present in the history for moderators."
 
       assert_select "osm relation[id='#{relation_v1.relation_id}'][version='#{relation_v1.version}']", 1,
                     "relation #{relation_v1.relation_id} version #{relation_v1.version} should still be present in the history for moderators."
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # check normal user can now see the redacted data
       get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header
 
       # check normal user can now see the redacted data
       get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header

diff --git a/test/controllers/api/old_ways_controller_test.rb b/test/controllers/api/old_ways_controller_test.rb
index 8081082cf54bd405f9f3a6965e39b7502dfda835..48265575459cd4a2e170ccc1e7f8ad6b664e09e4 100644 (file)
--- a/test/controllers/api/old_ways_controller_test.rb
+++ b/test/controllers/api/old_ways_controller_test.rb
@@ -98,7 +98,7 @@ module Api
     # test the redaction of an old version of a way, while being
     # authorised as a normal user.
     def test_redact_way_normal_user
     # test the redaction of an old version of a way, while being
     # authorised as a normal user.
     def test_redact_way_normal_user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       way = create(:way, :with_history, :version => 4)
       way_v3 = way.old_ways.find_by(:version => 3)
 
       way = create(:way, :with_history, :version => 4)
       way_v3 = way.old_ways.find_by(:version => 3)
 


@@ -110,7 +110,7 @@ module Api
     # test that, even as moderator, the current version of a way
     # can't be redacted.
     def test_redact_way_current_version
     # test that, even as moderator, the current version of a way
     # can't be redacted.
     def test_redact_way_current_version

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

       way = create(:way, :with_history, :version => 4)
       way_latest = way.old_ways.last
 
       way = create(:way, :with_history, :version => 4)
       way_latest = way.old_ways.last
 


@@ -167,7 +167,7 @@ module Api
       assert_response :forbidden, "Redacted way shouldn't be visible via the version API."
 
       # not even to a logged-in user
       assert_response :forbidden, "Redacted way shouldn't be visible via the version API."
 
       # not even to a logged-in user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header
       assert_response :forbidden, "Redacted way shouldn't be visible via the version API, even when logged in."
     end
       get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header
       assert_response :forbidden, "Redacted way shouldn't be visible via the version API, even when logged in."
     end


@@ -185,7 +185,7 @@ module Api
                     "redacted way #{way_v1.way_id} version #{way_v1.version} shouldn't be present in the history."
 
       # not even to a logged-in user
                     "redacted way #{way_v1.way_id} version #{way_v1.version} shouldn't be present in the history."
 
       # not even to a logged-in user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

       get api_way_history_path(way), :headers => auth_header
       assert_response :success, "Redaction shouldn't have stopped history working."
       assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 0,
       get api_way_history_path(way), :headers => auth_header
       assert_response :success, "Redaction shouldn't have stopped history working."
       assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 0,


@@ -198,7 +198,7 @@ module Api
     def test_redact_way_moderator
       way = create(:way, :with_history, :version => 4)
       way_v3 = way.old_ways.find_by(:version => 3)
     def test_redact_way_moderator
       way = create(:way, :with_history, :version => 4)
       way_v3 = way.old_ways.find_by(:version => 3)

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       do_redact_way(way_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       do_redact_way(way_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."


@@ -226,13 +226,13 @@ module Api
     def test_redact_way_is_redacted
       way = create(:way, :with_history, :version => 4)
       way_v3 = way.old_ways.find_by(:version => 3)
     def test_redact_way_is_redacted
       way = create(:way, :with_history, :version => 4)
       way_v3 = way.old_ways.find_by(:version => 3)

-      auth_header = basic_authorization_header create(:moderator_user).email, "test"
+      auth_header = bearer_authorization_header create(:moderator_user)

 
       do_redact_way(way_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       # re-auth as non-moderator
 
       do_redact_way(way_v3, create(:redaction), auth_header)
       assert_response :success, "should be OK to redact old version as moderator."
 
       # re-auth as non-moderator

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # check can't see the redacted data
       get api_old_way_path(way_v3.way_id, way_v3.version), :headers => auth_header
 
       # check can't see the redacted data
       get api_old_way_path(way_v3.way_id, way_v3.version), :headers => auth_header


@@ -265,7 +265,7 @@ module Api
       way_v1 = way.old_ways.find_by(:version => 1)
       way_v1.redact!(create(:redaction))
 
       way_v1 = way.old_ways.find_by(:version => 1)
       way_v1.redact!(create(:redaction))
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
       assert_response :forbidden, "should need to be moderator to unredact."
 
       post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
       assert_response :forbidden, "should need to be moderator to unredact."


@@ -280,7 +280,7 @@ module Api
       way_v1 = way.old_ways.find_by(:version => 1)
       way_v1.redact!(create(:redaction))
 
       way_v1 = way.old_ways.find_by(:version => 1)
       way_v1.redact!(create(:redaction))
 

-      auth_header = basic_authorization_header moderator_user.email, "test"
+      auth_header = bearer_authorization_header moderator_user

 
       post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
       assert_response :success, "should be OK to unredact old version as moderator."
 
       post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header
       assert_response :success, "should be OK to unredact old version as moderator."


@@ -296,7 +296,7 @@ module Api
       assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 1,
                     "way #{way_v1.way_id} version #{way_v1.version} should still be present in the history for moderators."
 
       assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 1,
                     "way #{way_v1.way_id} version #{way_v1.version} should still be present in the history for moderators."
 

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # check normal user can now see the unredacted data
       get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header
 
       # check normal user can now see the unredacted data
       get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header

diff --git a/test/controllers/api/permissions_controller_test.rb b/test/controllers/api/permissions_controller_test.rb
index 3bc13cc04b4634041c315aad601464d113b7319e..1ee3365e70bd931e6189d547189c5b813054cf48 100644 (file)
--- a/test/controllers/api/permissions_controller_test.rb
+++ b/test/controllers/api/permissions_controller_test.rb
@@ -32,30 +32,6 @@ module Api
       assert_equal 0, js["permissions"].count
     end
 
       assert_equal 0, js["permissions"].count
     end
 

-    def test_permissions_basic_auth
-      auth_header = basic_authorization_header create(:user).email, "test"
-      get permissions_path, :headers => auth_header
-      assert_response :success
-      assert_select "osm > permissions", :count => 1 do
-        assert_select "permission", :count => Oauth.scopes.size
-        Oauth.scopes.each do |p|
-          assert_select "permission[name='allow_#{p.name}']", :count => 1
-        end
-      end
-
-      # Test json
-      get permissions_path(:format => "json"), :headers => auth_header
-      assert_response :success
-      assert_equal "application/json", @response.media_type
-
-      js = ActiveSupport::JSON.decode(@response.body)
-      assert_not_nil js
-      assert_equal Oauth.scopes.size, js["permissions"].count
-      Oauth.scopes.each do |p|
-        assert_includes js["permissions"], "allow_#{p.name}"
-      end
-    end
-

     def test_permissions_oauth2
       user = create(:user)
       token = create(:oauth_access_token,
     def test_permissions_oauth2
       user = create(:user)
       token = create(:oauth_access_token,

diff --git a/test/controllers/api/relations_controller_test.rb b/test/controllers/api/relations_controller_test.rb
index eba3d255ef800d28cab49956699fd25237ffb132..6cbfe6045f48f656b7b9037cb0e25741fdf3789c 100644 (file)
--- a/test/controllers/api/relations_controller_test.rb
+++ b/test/controllers/api/relations_controller_test.rb
@@ -221,7 +221,7 @@ module Api
       node = create(:node)
       way = create(:way_with_nodes, :nodes_count => 2)
 
       node = create(:node)
       way = create(:way_with_nodes, :nodes_count => 2)
 

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # create an relation without members
       xml = "<osm><relation changeset='#{private_changeset.id}'><tag k='test' v='yes' /></relation></osm>"
 
       # create an relation without members
       xml = "<osm><relation changeset='#{private_changeset.id}'><tag k='test' v='yes' /></relation></osm>"


@@ -263,7 +263,7 @@ module Api
                       "relation upload did not return success status"
 
       ## Now try with the public user
                       "relation upload did not return success status"
 
       ## Now try with the public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # create an relation without members
       xml = "<osm><relation changeset='#{changeset.id}'><tag k='test' v='yes' /></relation></osm>"
 
       # create an relation without members
       xml = "<osm><relation changeset='#{changeset.id}'><tag k='test' v='yes' /></relation></osm>"


@@ -391,7 +391,7 @@ module Api
       relation = create(:relation)
       create_list(:relation_tag, 4, :relation => relation)
 
       relation = create(:relation)
       create_list(:relation_tag, 4, :relation => relation)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       with_relation(relation.id) do |rel|
         # alter one of the tags
 
       with_relation(relation.id) do |rel|
         # alter one of the tags


@@ -423,7 +423,7 @@ module Api
       relation = create(:relation)
       create_list(:relation_tag, 4, :relation => relation)
 
       relation = create(:relation)
       create_list(:relation_tag, 4, :relation => relation)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       with_relation(relation.id) do |rel|
         # alter one of the tags
 
       with_relation(relation.id) do |rel|
         # alter one of the tags


@@ -450,7 +450,7 @@ module Api
       relation = create(:relation)
       other_relation = create(:relation)
 
       relation = create(:relation)
       other_relation = create(:relation)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       with_relation(relation.id) do |rel|
         update_changeset(rel, changeset.id)
         put api_relation_path(other_relation), :params => rel.to_s, :headers => auth_header
       with_relation(relation.id) do |rel|
         update_changeset(rel, changeset.id)
         put api_relation_path(other_relation), :params => rel.to_s, :headers => auth_header


@@ -466,7 +466,7 @@ module Api
       user = create(:user)
       changeset = create(:changeset, :user => user)
 
       user = create(:user)
       changeset = create(:changeset, :user => user)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # create a relation with non-existing node as member
       xml = "<osm><relation changeset='#{changeset.id}'>" \
 
       # create a relation with non-existing node as member
       xml = "<osm><relation changeset='#{changeset.id}'>" \


@@ -487,7 +487,7 @@ module Api
       changeset = create(:changeset, :user => user)
       node = create(:node)
 
       changeset = create(:changeset, :user => user)
       node = create(:node)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # create some xml that should return an error
       xml = "<osm><relation changeset='#{changeset.id}'>" \
 
       # create some xml that should return an error
       xml = "<osm><relation changeset='#{changeset.id}'>" \


@@ -522,7 +522,7 @@ module Api
       assert_response :unauthorized
 
       ## Then try with the private user, to make sure that you get a forbidden
       assert_response :unauthorized
 
       ## Then try with the private user, to make sure that you get a forbidden

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # this shouldn't work, as we should need the payload...
       delete api_relation_path(relation), :headers => auth_header
 
       # this shouldn't work, as we should need the payload...
       delete api_relation_path(relation), :headers => auth_header


@@ -564,7 +564,7 @@ module Api
       assert_response :forbidden
 
       ## now set auth for the public user
       assert_response :forbidden
 
       ## now set auth for the public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # this shouldn't work, as we should need the payload...
       delete api_relation_path(relation), :headers => auth_header
 
       # this shouldn't work, as we should need the payload...
       delete api_relation_path(relation), :headers => auth_header


@@ -743,7 +743,7 @@ module Api
       way1 = create(:way_with_nodes, :nodes_count => 2)
       way2 = create(:way_with_nodes, :nodes_count => 2)
 
       way1 = create(:way_with_nodes, :nodes_count => 2)
       way2 = create(:way_with_nodes, :nodes_count => 2)
 

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       doc_str = <<~OSM
         <osm>
 
       doc_str = <<~OSM
         <osm>


@@ -816,13 +816,13 @@ module Api
       doc = XML::Parser.string(doc_str).parse
 
       ## First try with the private user
       doc = XML::Parser.string(doc_str).parse
 
       ## First try with the private user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       put relation_create_path, :params => doc.to_s, :headers => auth_header
       assert_response :forbidden
 
       ## Now try with the public user
 
       put relation_create_path, :params => doc.to_s, :headers => auth_header
       assert_response :forbidden
 
       ## Now try with the public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       put relation_create_path, :params => doc.to_s, :headers => auth_header
       assert_response :success, "can't create a relation: #{@response.body}"
 
       put relation_create_path, :params => doc.to_s, :headers => auth_header
       assert_response :success, "can't create a relation: #{@response.body}"


@@ -855,7 +855,7 @@ module Api
         </osm>
       OSM
       doc = XML::Parser.string(doc_str).parse
         </osm>
       OSM
       doc = XML::Parser.string(doc_str).parse

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       put relation_create_path, :params => doc.to_s, :headers => auth_header
       assert_response :success, "can't create a relation: #{@response.body}"
 
       put relation_create_path, :params => doc.to_s, :headers => auth_header
       assert_response :success, "can't create a relation: #{@response.body}"


@@ -922,7 +922,7 @@ module Api
                                      :num_changes => Settings.initial_changes_per_hour - 1)
 
       # create authentication header
                                      :num_changes => Settings.initial_changes_per_hour - 1)
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try creating a relation
       xml = "<osm><relation changeset='#{changeset.id}'>" \
 
       # try creating a relation
       xml = "<osm><relation changeset='#{changeset.id}'>" \


@@ -982,7 +982,7 @@ module Api
       end
 
       # create authentication header
       end
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try creating a relation
       xml = "<osm><relation changeset='#{changeset.id}'>" \
 
       # try creating a relation
       xml = "<osm><relation changeset='#{changeset.id}'>" \


@@ -1062,7 +1062,7 @@ module Api
     # that the changeset bounding box is +bbox+.
     def check_changeset_modify(bbox)
       ## First test with the private user to check that you get a forbidden
     # that the changeset bounding box is +bbox+.
     def check_changeset_modify(bbox)
       ## First test with the private user to check that you get a forbidden

-      auth_header = basic_authorization_header create(:user, :data_public => false).email, "test"
+      auth_header = bearer_authorization_header create(:user, :data_public => false)

 
       # create a new changeset for this operation, so we are assured
       # that the bounding box will be newly-generated.
 
       # create a new changeset for this operation, so we are assured
       # that the bounding box will be newly-generated.


@@ -1073,7 +1073,7 @@ module Api
       end
 
       ## Now do the whole thing with the public user
       end
 
       ## Now do the whole thing with the public user

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # create a new changeset for this operation, so we are assured
       # that the bounding box will be newly-generated.
 
       # create a new changeset for this operation, so we are assured
       # that the bounding box will be newly-generated.

diff --git a/test/controllers/api/traces_controller_test.rb b/test/controllers/api/traces_controller_test.rb
index b26782a3f015bdee3c30b98d7570a77375be45b0..de5c309a49868e0425922f9c30a11a96e1f25132 100644 (file)
--- a/test/controllers/api/traces_controller_test.rb
+++ b/test/controllers/api/traces_controller_test.rb
@@ -44,12 +44,12 @@ module Api
       assert_response :unauthorized
 
       # Now with some other user, which should work since the trace is public
       assert_response :unauthorized
 
       # Now with some other user, which should work since the trace is public

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       get api_trace_path(public_trace_file), :headers => auth_header
       assert_response :success
 
       # And finally we should be able to do it with the owner of the trace
       get api_trace_path(public_trace_file), :headers => auth_header
       assert_response :success
 
       # And finally we should be able to do it with the owner of the trace

-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user

       get api_trace_path(public_trace_file), :headers => auth_header
       assert_response :success
       assert_select "gpx_file[id='#{public_trace_file.id}'][uid='#{public_trace_file.user.id}']", 1
       get api_trace_path(public_trace_file), :headers => auth_header
       assert_response :success
       assert_select "gpx_file[id='#{public_trace_file.id}'][uid='#{public_trace_file.user.id}']", 1


@@ -64,12 +64,12 @@ module Api
       assert_response :unauthorized
 
       # Now try with another user, which shouldn't work since the trace is anon
       assert_response :unauthorized
 
       # Now try with another user, which shouldn't work since the trace is anon

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       get api_trace_path(anon_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # And finally we should be able to get the trace details with the trace owner
       get api_trace_path(anon_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # And finally we should be able to get the trace details with the trace owner

-      auth_header = basic_authorization_header anon_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header anon_trace_file.user

       get api_trace_path(anon_trace_file), :headers => auth_header
       assert_response :success
     end
       get api_trace_path(anon_trace_file), :headers => auth_header
       assert_response :success
     end


@@ -83,12 +83,12 @@ module Api
       assert_response :unauthorized
 
       # Login, and try again
       assert_response :unauthorized
 
       # Login, and try again

-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user

       get api_trace_path(:id => 0), :headers => auth_header
       assert_response :not_found
 
       # Now try a trace which did exist but has been deleted
       get api_trace_path(:id => 0), :headers => auth_header
       assert_response :not_found
 
       # Now try a trace which did exist but has been deleted

-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user

       get api_trace_path(deleted_trace_file), :headers => auth_header
       assert_response :not_found
     end
       get api_trace_path(deleted_trace_file), :headers => auth_header
       assert_response :not_found
     end


@@ -102,14 +102,14 @@ module Api
       assert_response :unauthorized
 
       # Now with some other user, which should work since the trace is public
       assert_response :unauthorized
 
       # Now with some other user, which should work since the trace is public

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       get api_trace_data_path(public_trace_file), :headers => auth_header
       follow_redirect!
       follow_redirect!
       check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9"
 
       # And finally we should be able to do it with the owner of the trace
       get api_trace_data_path(public_trace_file), :headers => auth_header
       follow_redirect!
       follow_redirect!
       check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9"
 
       # And finally we should be able to do it with the owner of the trace

-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user

       get api_trace_data_path(public_trace_file), :headers => auth_header
       follow_redirect!
       follow_redirect!
       get api_trace_data_path(public_trace_file), :headers => auth_header
       follow_redirect!
       follow_redirect!


@@ -121,7 +121,7 @@ module Api
       identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d")
 
       # Authenticate as the owner of the trace we will be using
       identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d")
 
       # Authenticate as the owner of the trace we will be using

-      auth_header = basic_authorization_header identifiable_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header identifiable_trace_file.user

 
       # First get the data as is
       get api_trace_data_path(identifiable_trace_file), :headers => auth_header
 
       # First get the data as is
       get api_trace_data_path(identifiable_trace_file), :headers => auth_header


@@ -147,12 +147,12 @@ module Api
       assert_response :unauthorized
 
       # Now with some other user, which shouldn't work since the trace is anon
       assert_response :unauthorized
 
       # Now with some other user, which shouldn't work since the trace is anon

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       get api_trace_data_path(anon_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # And finally we should be able to do it with the owner of the trace
       get api_trace_data_path(anon_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # And finally we should be able to do it with the owner of the trace

-      auth_header = basic_authorization_header anon_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header anon_trace_file.user

       get api_trace_data_path(anon_trace_file), :headers => auth_header
       follow_redirect!
       follow_redirect!
       get api_trace_data_path(anon_trace_file), :headers => auth_header
       follow_redirect!
       follow_redirect!


@@ -168,12 +168,12 @@ module Api
       assert_response :unauthorized
 
       # Login, and try again
       assert_response :unauthorized
 
       # Login, and try again

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       get api_trace_data_path(:id => 0), :headers => auth_header
       assert_response :not_found
 
       # Now try a trace which did exist but has been deleted
       get api_trace_data_path(:id => 0), :headers => auth_header
       assert_response :not_found
 
       # Now try a trace which did exist but has been deleted

-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user

       get api_trace_data_path(deleted_trace_file), :headers => auth_header
       assert_response :not_found
     end
       get api_trace_data_path(deleted_trace_file), :headers => auth_header
       assert_response :not_found
     end


@@ -195,7 +195,7 @@ module Api
       # Now authenticated
       create(:user_preference, :user => user, :k => "gps.trace.visibility", :v => "identifiable")
       assert_not_equal "trackable", user.preferences.find_by(:k => "gps.trace.visibility").v
       # Now authenticated
       create(:user_preference, :user => user, :k => "gps.trace.visibility", :v => "identifiable")
       assert_not_equal "trackable", user.preferences.find_by(:k => "gps.trace.visibility").v

-      auth_header = basic_authorization_header user.display_name, "test"
+      auth_header = bearer_authorization_header user

       post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" }, :headers => auth_header
       assert_response :success
       trace = Trace.find(response.body.to_i)
       post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" }, :headers => auth_header
       assert_response :success
       trace = Trace.find(response.body.to_i)


@@ -213,7 +213,7 @@ module Api
 
       # Now authenticated, with the legacy public flag
       assert_not_equal "public", user.preferences.find_by(:k => "gps.trace.visibility").v
 
       # Now authenticated, with the legacy public flag
       assert_not_equal "public", user.preferences.find_by(:k => "gps.trace.visibility").v

-      auth_header = basic_authorization_header user.display_name, "test"
+      auth_header = bearer_authorization_header user

       post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 }, :headers => auth_header
       assert_response :success
       trace = Trace.find(response.body.to_i)
       post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 }, :headers => auth_header
       assert_response :success
       trace = Trace.find(response.body.to_i)


@@ -232,7 +232,7 @@ module Api
       # Now authenticated, with the legacy private flag
       second_user = create(:user)
       assert_nil second_user.preferences.find_by(:k => "gps.trace.visibility")
       # Now authenticated, with the legacy private flag
       second_user = create(:user)
       assert_nil second_user.preferences.find_by(:k => "gps.trace.visibility")

-      auth_header = basic_authorization_header second_user.display_name, "test"
+      auth_header = bearer_authorization_header second_user

       post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 }, :headers => auth_header
       assert_response :success
       trace = Trace.find(response.body.to_i)
       post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 }, :headers => auth_header
       assert_response :success
       trace = Trace.find(response.body.to_i)


@@ -257,28 +257,28 @@ module Api
       assert_response :unauthorized
 
       # Now with some other user, which should fail
       assert_response :unauthorized
 
       # Now with some other user, which should fail

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       put api_trace_path(public_trace_file), :params => create_trace_xml(public_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # Now with a trace which doesn't exist
       put api_trace_path(public_trace_file), :params => create_trace_xml(public_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # Now with a trace which doesn't exist

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       put api_trace_path(:id => 0), :params => create_trace_xml(public_trace_file), :headers => auth_header
       assert_response :not_found
 
       # Now with a trace which did exist but has been deleted
       put api_trace_path(:id => 0), :params => create_trace_xml(public_trace_file), :headers => auth_header
       assert_response :not_found
 
       # Now with a trace which did exist but has been deleted

-      auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header deleted_trace_file.user

       put api_trace_path(deleted_trace_file), :params => create_trace_xml(deleted_trace_file), :headers => auth_header
       assert_response :not_found
 
       # Now try an update with the wrong ID
       put api_trace_path(deleted_trace_file), :params => create_trace_xml(deleted_trace_file), :headers => auth_header
       assert_response :not_found
 
       # Now try an update with the wrong ID

-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user

       put api_trace_path(public_trace_file), :params => create_trace_xml(anon_trace_file), :headers => auth_header
       assert_response :bad_request,
                       "should not be able to update a trace with a different ID from the XML"
 
       # And finally try an update that should work
       put api_trace_path(public_trace_file), :params => create_trace_xml(anon_trace_file), :headers => auth_header
       assert_response :bad_request,
                       "should not be able to update a trace with a different ID from the XML"
 
       # And finally try an update that should work

-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user

       t = public_trace_file
       t.description = "Changed description"
       t.visibility = "private"
       t = public_trace_file
       t.description = "Changed description"
       t.visibility = "private"


@@ -293,7 +293,7 @@ module Api
     def test_update_tags
       tracetag = create(:tracetag)
       trace = tracetag.trace
     def test_update_tags
       tracetag = create(:tracetag)
       trace = tracetag.trace

-      auth_header = basic_authorization_header trace.user.display_name, "test"
+      auth_header = bearer_authorization_header trace.user

 
       put api_trace_path(trace), :params => create_trace_xml(trace), :headers => auth_header
       assert_response :success
 
       put api_trace_path(trace), :params => create_trace_xml(trace), :headers => auth_header
       assert_response :success


@@ -314,22 +314,22 @@ module Api
       assert_response :unauthorized
 
       # Now with some other user, which should fail
       assert_response :unauthorized
 
       # Now with some other user, which should fail

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       delete api_trace_path(public_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # Now with a trace which doesn't exist
       delete api_trace_path(public_trace_file), :headers => auth_header
       assert_response :forbidden
 
       # Now with a trace which doesn't exist

-      auth_header = basic_authorization_header create(:user).display_name, "test"
+      auth_header = bearer_authorization_header

       delete api_trace_path(:id => 0), :headers => auth_header
       assert_response :not_found
 
       # And finally we should be able to do it with the owner of the trace
       delete api_trace_path(:id => 0), :headers => auth_header
       assert_response :not_found
 
       # And finally we should be able to do it with the owner of the trace

-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user

       delete api_trace_path(public_trace_file), :headers => auth_header
       assert_response :success
 
       # Try it a second time, which should fail
       delete api_trace_path(public_trace_file), :headers => auth_header
       assert_response :success
 
       # Try it a second time, which should fail

-      auth_header = basic_authorization_header public_trace_file.user.display_name, "test"
+      auth_header = bearer_authorization_header public_trace_file.user

       delete api_trace_path(public_trace_file), :headers => auth_header
       assert_response :not_found
     end
       delete api_trace_path(public_trace_file), :headers => auth_header
       assert_response :not_found
     end

diff --git a/test/controllers/api/user_preferences_controller_test.rb b/test/controllers/api/user_preferences_controller_test.rb
index 41406e1b3d22413b50e07850dadf3ac91f29aacc..e2c573532ecac7e0c0ae8c955de989e639948886 100644 (file)
--- a/test/controllers/api/user_preferences_controller_test.rb
+++ b/test/controllers/api/user_preferences_controller_test.rb
@@ -39,7 +39,7 @@ module Api
       assert_response :unauthorized, "should be authenticated"
 
       # authenticate as a user with no preferences
       assert_response :unauthorized, "should be authenticated"
 
       # authenticate as a user with no preferences

-      auth_header = basic_authorization_header create(:user).email, "test"
+      auth_header = bearer_authorization_header

 
       # try the read again
       get user_preferences_path, :headers => auth_header
 
       # try the read again
       get user_preferences_path, :headers => auth_header


@@ -53,7 +53,7 @@ module Api
       user = create(:user)
       user_preference = create(:user_preference, :user => user)
       user_preference2 = create(:user_preference, :user => user)
       user = create(:user)
       user_preference = create(:user_preference, :user => user)
       user_preference2 = create(:user_preference, :user => user)

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)

 
       # try the read again
       get user_preferences_path, :headers => auth_header
 
       # try the read again
       get user_preferences_path, :headers => auth_header


@@ -89,7 +89,7 @@ module Api
       assert_response :unauthorized, "should be authenticated"
 
       # authenticate as a user with preferences
       assert_response :unauthorized, "should be authenticated"
 
       # authenticate as a user with preferences

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)

 
       # try the read again
       get user_preference_path(:preference_key => "key"), :headers => auth_header
 
       # try the read again
       get user_preference_path(:preference_key => "key"), :headers => auth_header


@@ -121,7 +121,7 @@ module Api
       end
 
       # authenticate as a user with preferences
       end
 
       # authenticate as a user with preferences

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)

 
       # try the put again
       assert_no_difference "UserPreference.count" do
 
       # try the put again
       assert_no_difference "UserPreference.count" do


@@ -181,7 +181,7 @@ module Api
       end
 
       # authenticate as a user with preferences
       end
 
       # authenticate as a user with preferences

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)

 
       # try adding a new preference
       assert_difference "UserPreference.count", 1 do
 
       # try adding a new preference
       assert_difference "UserPreference.count", 1 do


@@ -225,7 +225,7 @@ module Api
       assert_equal "value", UserPreference.find([user.id, "key"]).v
 
       # authenticate as a user with preferences
       assert_equal "value", UserPreference.find([user.id, "key"]).v
 
       # authenticate as a user with preferences

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header(user)

 
       # try the delete again
       assert_difference "UserPreference.count", -1 do
 
       # try the delete again
       assert_difference "UserPreference.count", -1 do

diff --git a/test/controllers/api/users_controller_test.rb b/test/controllers/api/users_controller_test.rb
index 4ed7e7f77643931bb8e526bff992ee2e96ed3314..5086a09b3c217b0010d198c1370d4596c7c656bc 100644 (file)
--- a/test/controllers/api/users_controller_test.rb
+++ b/test/controllers/api/users_controller_test.rb
@@ -164,7 +164,7 @@ module Api
       assert_response :unauthorized
 
       # check that we get a response when logged in
       assert_response :unauthorized
 
       # check that we get a response when logged in

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       get user_details_path, :headers => auth_header
       assert_response :success
       assert_equal "application/xml", response.media_type
       get user_details_path, :headers => auth_header
       assert_response :success
       assert_equal "application/xml", response.media_type


@@ -173,7 +173,7 @@ module Api
       check_xml_details(user, true, false)
 
       # check that data is returned properly in json
       check_xml_details(user, true, false)
 
       # check that data is returned properly in json

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       get user_details_path(:format => "json"), :headers => auth_header
       assert_response :success
       assert_equal "application/json", response.media_type
       get user_details_path(:format => "json"), :headers => auth_header
       assert_response :success
       assert_equal "application/json", response.media_type


@@ -427,7 +427,7 @@ module Api
       assert_response :unauthorized
 
       # check that we get a response when logged in
       assert_response :unauthorized
 
       # check that we get a response when logged in

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

       get user_gpx_files_path, :headers => auth_header
       assert_response :success
       assert_equal "application/xml", response.media_type
       get user_gpx_files_path, :headers => auth_header
       assert_response :success
       assert_equal "application/xml", response.media_type

diff --git a/test/controllers/api/ways_controller_test.rb b/test/controllers/api/ways_controller_test.rb
index e11cceeb2de7d194ec0c1ef523be129b5fa90e75..6aa4bdfa5d3b17173edfe8f7abbe8fa3f08c148a 100644 (file)
--- a/test/controllers/api/ways_controller_test.rb
+++ b/test/controllers/api/ways_controller_test.rb
@@ -146,7 +146,7 @@ module Api
       changeset = create(:changeset, :user => user)
 
       ## First check that it fails when creating a way using a non-public user
       changeset = create(:changeset, :user => user)
 
       ## First check that it fails when creating a way using a non-public user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # use the first user's open changeset
       changeset_id = private_changeset.id
 
       # use the first user's open changeset
       changeset_id = private_changeset.id


@@ -161,7 +161,7 @@ module Api
                       "way upload did not return forbidden status"
 
       ## Now use a public user
                       "way upload did not return forbidden status"
 
       ## Now use a public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # use the first user's open changeset
       changeset_id = changeset.id
 
       # use the first user's open changeset
       changeset_id = changeset.id


@@ -207,7 +207,7 @@ module Api
       closed_changeset = create(:changeset, :closed, :user => user)
 
       ## First test with a private user to make sure that they are not authorized
       closed_changeset = create(:changeset, :closed, :user => user)
 
       ## First test with a private user to make sure that they are not authorized

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # use the first user's open changeset
       # create a way with non-existing node
 
       # use the first user's open changeset
       # create a way with non-existing node


@@ -235,7 +235,7 @@ module Api
                       "way upload to closed changeset with a private user did not return 'forbidden'"
 
       ## Now test with a public user
                       "way upload to closed changeset with a private user did not return 'forbidden'"
 
       ## Now test with a public user

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # use the first user's open changeset
       # create a way with non-existing node
 
       # use the first user's open changeset
       # create a way with non-existing node


@@ -301,7 +301,7 @@ module Api
       assert_response :unauthorized
 
       # now set auth using the private user
       assert_response :unauthorized
 
       # now set auth using the private user

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # this shouldn't work as with the 0.6 api we need pay load to delete
       delete api_way_path(private_way), :headers => auth_header
 
       # this shouldn't work as with the 0.6 api we need pay load to delete
       delete api_way_path(private_way), :headers => auth_header


@@ -350,7 +350,7 @@ module Api
 
       ### Now check with a public user
       # now set auth
 
       ### Now check with a public user
       # now set auth

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # this shouldn't work as with the 0.6 api we need pay load to delete
       delete api_way_path(way), :headers => auth_header
 
       # this shouldn't work as with the 0.6 api we need pay load to delete
       delete api_way_path(way), :headers => auth_header


@@ -419,7 +419,7 @@ module Api
       ## Second test with the private user
 
       # setup auth
       ## Second test with the private user
 
       # setup auth

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       ## trying to break changesets
 
 
       ## trying to break changesets
 


@@ -457,7 +457,7 @@ module Api
       ## Finally test with the public user
 
       # setup auth
       ## Finally test with the public user
 
       # setup auth

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       ## trying to break changesets
 
 
       ## trying to break changesets
 


@@ -541,7 +541,7 @@ module Api
 
       ## Try with the non-public user
       # setup auth
 
       ## Try with the non-public user
       # setup auth

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")
 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")


@@ -559,7 +559,7 @@ module Api
 
       ## Now try with the public user
       # setup auth
 
       ## Now try with the public user
       # setup auth

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")
 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")


@@ -589,7 +589,7 @@ module Api
 
       ## Try with the non-public user
       # setup auth
 
       ## Try with the non-public user
       # setup auth

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")
 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")


@@ -607,7 +607,7 @@ module Api
 
       ## Now try with the public user
       # setup auth
 
       ## Now try with the public user
       # setup auth

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")
 
       # add an identical tag to the way
       tag_xml = XML::Node.new("tag")


@@ -635,7 +635,7 @@ module Api
 
       ## First test with the non-public user so should be rejected
       # setup auth
 
       ## First test with the non-public user so should be rejected
       # setup auth

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # create duplicate tag
       tag_xml = XML::Node.new("tag")
 
       # create duplicate tag
       tag_xml = XML::Node.new("tag")


@@ -655,7 +655,7 @@ module Api
 
       ## Now test with the public user
       # setup auth
 
       ## Now test with the public user
       # setup auth

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # create duplicate tag
       tag_xml = XML::Node.new("tag")
 
       # create duplicate tag
       tag_xml = XML::Node.new("tag")


@@ -687,7 +687,7 @@ module Api
 
       ## First make sure that you can't with a non-public user
       # setup auth
 
       ## First make sure that you can't with a non-public user
       # setup auth

-      auth_header = basic_authorization_header private_user.email, "test"
+      auth_header = bearer_authorization_header private_user

 
       # add the tag into the existing xml
       way_str = "<osm><way changeset='#{private_changeset.id}'>"
 
       # add the tag into the existing xml
       way_str = "<osm><way changeset='#{private_changeset.id}'>"


@@ -702,7 +702,7 @@ module Api
 
       ## Now do it with a public user
       # setup auth
 
       ## Now do it with a public user
       # setup auth

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # add the tag into the existing xml
       way_str = "<osm><way changeset='#{changeset.id}'>"
 
       # add the tag into the existing xml
       way_str = "<osm><way changeset='#{changeset.id}'>"


@@ -769,7 +769,7 @@ module Api
                                      :num_changes => Settings.initial_changes_per_hour - 1)
 
       # create authentication header
                                      :num_changes => Settings.initial_changes_per_hour - 1)
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try creating a way
       xml = "<osm><way changeset='#{changeset.id}'>" \
 
       # try creating a way
       xml = "<osm><way changeset='#{changeset.id}'>" \


@@ -826,7 +826,7 @@ module Api
       end
 
       # create authentication header
       end
 
       # create authentication header

-      auth_header = basic_authorization_header user.email, "test"
+      auth_header = bearer_authorization_header user

 
       # try creating a way
       xml = "<osm><way changeset='#{changeset.id}'>" \
 
       # try creating a way
       xml = "<osm><way changeset='#{changeset.id}'>" \

diff --git a/test/integration/compressed_requests_test.rb b/test/integration/compressed_requests_test.rb
index ecffe3c46781e9edfac50e1208300489986e3e13..3f6f13cc9ae39a38058a4dd27c15363e8cb3f92b 100644 (file)
--- a/test/integration/compressed_requests_test.rb
+++ b/test/integration/compressed_requests_test.rb
@@ -37,10 +37,9 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => diff,
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => diff,

-         :headers => {
-           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+         :headers => bearer_authorization_header(user).merge(

            "HTTP_CONTENT_TYPE" => "application/xml"
            "HTTP_CONTENT_TYPE" => "application/xml"

-         }
+         )

     assert_response :success,
                     "can't upload an uncompressed diff to changeset: #{@response.body}"
 
     assert_response :success,
                     "can't upload an uncompressed diff to changeset: #{@response.body}"
 


@@ -86,11 +85,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => gzip_content(diff),
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => gzip_content(diff),

-         :headers => {
-           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+         :headers => bearer_authorization_header(user).merge(

            "HTTP_CONTENT_ENCODING" => "gzip",
            "HTTP_CONTENT_TYPE" => "application/xml"
            "HTTP_CONTENT_ENCODING" => "gzip",
            "HTTP_CONTENT_TYPE" => "application/xml"

-         }
+         )

     assert_response :success,
                     "can't upload a gzip compressed diff to changeset: #{@response.body}"
 
     assert_response :success,
                     "can't upload a gzip compressed diff to changeset: #{@response.body}"
 


@@ -136,11 +134,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => deflate_content(diff),
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => deflate_content(diff),

-         :headers => {
-           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+         :headers => bearer_authorization_header(user).merge(

            "HTTP_CONTENT_ENCODING" => "deflate",
            "HTTP_CONTENT_TYPE" => "application/xml"
            "HTTP_CONTENT_ENCODING" => "deflate",
            "HTTP_CONTENT_TYPE" => "application/xml"

-         }
+         )

     assert_response :success,
                     "can't upload a deflate compressed diff to changeset: #{@response.body}"
 
     assert_response :success,
                     "can't upload a deflate compressed diff to changeset: #{@response.body}"
 


@@ -157,11 +154,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => "",
     # upload it
     post "/api/0.6/changeset/#{changeset.id}/upload",
          :params => "",

-         :headers => {
-           "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user.display_name}:test")),
+         :headers => bearer_authorization_header(user).merge(

            "HTTP_CONTENT_ENCODING" => "unknown",
            "HTTP_CONTENT_TYPE" => "application/xml"
            "HTTP_CONTENT_ENCODING" => "unknown",
            "HTTP_CONTENT_TYPE" => "application/xml"

-         }
+         )

     assert_response :unsupported_media_type
   end
 
     assert_response :unsupported_media_type
   end
 

diff --git a/test/integration/user_blocks_test.rb b/test/integration/user_blocks_test.rb
index 96717e092a79e4ae2dc3e5383aa5b8d83e7393e5..5147733e3edc4c50d46b9ac49992f050f976d100 100644 (file)
--- a/test/integration/user_blocks_test.rb
+++ b/test/integration/user_blocks_test.rb
@@ -7,7 +7,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
     get "/api/#{Settings.api_version}/user/details"
     assert_response :unauthorized
 
     get "/api/#{Settings.api_version}/user/details"
     assert_response :unauthorized
 

-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)

     assert_response :success
 
     # now block the user
     assert_response :success
 
     # now block the user


@@ -18,7 +18,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
       :ends_at => Time.now.utc + 5.minutes,
       :deactivates_at => Time.now.utc + 5.minutes
     )
       :ends_at => Time.now.utc + 5.minutes,
       :deactivates_at => Time.now.utc + 5.minutes
     )

-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)

     assert_response :forbidden
   end
 
     assert_response :forbidden
   end
 


@@ -33,7 +33,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
       :ends_at => Time.now.utc + 5.minutes,
       :deactivates_at => Time.now.utc + 5.minutes
     )
       :ends_at => Time.now.utc + 5.minutes,
       :deactivates_at => Time.now.utc + 5.minutes
     )

-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)

     assert_response :forbidden
 
     # revoke the ban
     assert_response :forbidden
 
     # revoke the ban


@@ -53,7 +53,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest
     reset!
 
     # access the API again. this time it should work
     reset!
 
     # access the API again. this time it should work

-    get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user)

     assert_response :success
   end
 end
     assert_response :success
   end
 end

diff --git a/test/integration/user_terms_seen_test.rb b/test/integration/user_terms_seen_test.rb
index 46db4838808359832682765bb04d5271803975cf..d419003d9bcab15283570fa0817a540da1086c8b 100644 (file)
--- a/test/integration/user_terms_seen_test.rb
+++ b/test/integration/user_terms_seen_test.rb
@@ -4,14 +4,14 @@ class UserTermsSeenTest < ActionDispatch::IntegrationTest
   def test_api_blocked
     user = create(:user, :terms_seen => false, :terms_agreed => nil)
 
   def test_api_blocked
     user = create(:user, :terms_seen => false, :terms_agreed => nil)
 

-    get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user)

     assert_response :forbidden
 
     # touch it so that the user has seen the terms
     user.terms_seen = true
     user.save
 
     assert_response :forbidden
 
     # touch it so that the user has seen the terms
     user.terms_seen = true
     user.save
 

-    get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test")
+    get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user)

     assert_response :success
   end
 
     assert_response :success
   end
 


@@ -58,10 +58,4 @@ class UserTermsSeenTest < ActionDispatch::IntegrationTest
     get "/traces/mine", :params => { :referer => "/diary/new" }
     assert_redirected_to :controller => :users, :action => :terms, :referer => "/diary/new"
   end
     get "/traces/mine", :params => { :referer => "/diary/new" }
     assert_redirected_to :controller => :users, :action => :terms, :referer => "/diary/new"
   end

-
-  private
-
-  def auth_header(user, pass)
-    { "HTTP_AUTHORIZATION" => format("Basic %<auth>s", :auth => Base64.encode64("#{user}:#{pass}")) }
-  end

 end
 end

diff --git a/test/test_helper.rb b/test/test_helper.rb
index c45c7346541aa420dd760e7d86627a2b5e442d55..171028f4bbabbb376a356137fdb737ede028316d 100644 (file)
--- a/test/test_helper.rb
+++ b/test/test_helper.rb
@@ -133,15 +133,16 @@ module ActiveSupport
       assert_equal a.tags, b.tags, "tags on node #{a.id}"
     end
 
       assert_equal a.tags, b.tags, "tags on node #{a.id}"
     end
 

-    ##
-    # return request header for HTTP Basic Authorization
-    def basic_authorization_header(user, pass)
-      { "Authorization" => format("Basic %<auth>s", :auth => Base64.encode64("#{user}:#{pass}")) }
-    end
-

     ##
     # return request header for HTTP Bearer Authorization
     ##
     # return request header for HTTP Bearer Authorization

-    def bearer_authorization_header(token)
+    def bearer_authorization_header(token_or_user = nil, scopes: Oauth::SCOPES)
+      token = case token_or_user
+              when nil then create(:oauth_access_token, :scopes => scopes).token
+              when User then create(:oauth_access_token, :resource_owner_id => token_or_user.id, :scopes => scopes).token
+              when Doorkeeper::AccessToken then token_or_user.token
+              when String then token_or_user
+              end
+

       { "Authorization" => "Bearer #{token}" }
     end
 
       { "Authorization" => "Bearer #{token}" }
     end
 


@@ -168,7 +169,7 @@ module ActiveSupport
     ##
     # Not sure this is the best response we could give
     def assert_inactive_user(msg = "an inactive user shouldn't be able to access the API")
     ##
     # Not sure this is the best response we could give
     def assert_inactive_user(msg = "an inactive user shouldn't be able to access the API")

-      assert_response :unauthorized, msg
+      assert_response :forbidden, msg

       # assert_equal @response.headers['Error'], ""
     end
 
       # assert_equal @response.headers['Error'], ""
     end