From 973d62a25ebf22bf80663a8b6996f0dbe7d5289f Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 1 Sep 2024 15:26:35 +0100
Subject: [PATCH] Drop support for basic authentication
---
 app/controllers/api/permissions_controller.rb | 3 -
 app/controllers/api_controller.rb | 36 +----
 app/controllers/application_controller.rb | 14 --
 config/locales/en.yml | 2 -
 config/settings.yml | 2 -
 .../api/changeset_comments_controller_test.rb | 49 ++-----
 .../api/changesets_controller_test.rb | 130 +++++++++---------
 test/controllers/api/nodes_controller_test.rb | 24 ++--
 test/controllers/api/notes_controller_test.rb | 24 ++--
 .../api/old_nodes_controller_test.rb | 24 ++--
 .../api/old_relations_controller_test.rb | 20 +--
 .../api/old_ways_controller_test.rb | 20 +--
 .../api/permissions_controller_test.rb | 24 ----
 .../api/relations_controller_test.rb | 34 ++---
 .../controllers/api/traces_controller_test.rb | 52 +++----
 .../api/user_preferences_controller_test.rb | 12 +-
 test/controllers/api/users_controller_test.rb | 6 +-
 test/controllers/api/ways_controller_test.rb | 36 ++---
 test/integration/compressed_requests_test.rb | 20 ++-
 test/integration/user_blocks_test.rb | 8 +-
 test/integration/user_terms_seen_test.rb | 10 +-
 test/test_helper.rb | 17 +--
 22 files changed, 231 insertions(+), 336 deletions(-)
diff --git a/app/controllers/api/permissions_controller.rb b/app/controllers/api/permissions_controller.rb
index d7fb92ae6..637aa36a0 100644
--- a/app/controllers/api/permissions_controller.rb
+++ b/app/controllers/api/permissions_controller.rb
@@ -9,13 +9,10 @@ module Api # External apps that use the api are able to query which permissions # they have. This currently returns a list of permissions granted to the current user: # * if authenticated via OAuth, this list will contain all permissions granted by the user to the access_token. - # * if authenticated via basic auth all permissions are granted, so the list will contain all permissions. # * unauthenticated users have no permissions, so the list will be empty. def show @permissions = if doorkeeper_token.present? doorkeeper_token.scopes.map { |s| :"allow_#{s}" } - elsif current_user - Oauth.scopes.map { |s| :"allow_#{s.name}" } else [] end diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb index 1a8185a3e..5b264db97 100644 --- a/app/controllers/api_controller.rb +++ b/app/controllers/api_controller.rb @@ -47,19 +47,14 @@ class ApiController < ApplicationController end end - def authorize(realm = "Web Password", errormessage = "Couldn't authenticate you") + def authorize(errormessage = "Couldn't authenticate you") # make the current_user object from any auth sources we have setup_user_auth # handle authenticate pass/fail unless current_user # no auth, the user does not exist or the password was wrong - if Settings.basic_auth_support - response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" - render :plain => errormessage, :status => :unauthorized - else - render :plain => errormessage, :status => :forbidden - end + render :plain => errormessage, :status => :unauthorized false end 
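Review bot: The rewritten `authorize` answers an unauthenticated request with 401 but sends no `WWW-Authenticate` challenge, because the only header assignment lived in the removed `Settings.basic_auth_support` branch; RFC 7235 requires a challenge on every 401, and for token access the RFC 6750 form is `response.headers["WWW-Authenticate"] = "Bearer"` placed just before the `render :plain => errormessage, :status => :unauthorized`. The `head :unauthorized` introduced in the next hunk (@@ -80) has the same gap and would want the same line. Dropping the leading `realm` positional parameter also changes what a two-argument caller gets: `authorize "Web Password", "…"` would now be accepted silently with the realm string as the error message, so any caller outside the three controllers in this diff deserves a grep rather than an assumption. The `authorize` method closes inside this hunk; the method edited in @@ -80 starts outside it.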
@@ -80,13 +75,8 @@ class ApiController < ApplicationController report_error t("oauth.permissions.missing"), :forbidden elsif current_user head :forbidden - elsif Settings.basic_auth_support - realm = "Web Password" - errormessage = "Couldn't authenticate you" - response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" - render :plain => errormessage, :status => :unauthorized else - render :plain => errormessage, :status => :forbidden + head :unauthorized end end @@ -103,25 +93,7 @@ class ApiController < ApplicationController def setup_user_auth logger.info " setup_user_auth" # try and setup using OAuth - if doorkeeper_token&.accessible? - self.current_user = User.find(doorkeeper_token.resource_owner_id) - else - username, passwd = auth_data # parse from headers - # authenticate per-scheme - self.current_user = if username.nil? - nil # no authentication provided - perhaps first connect (client should retry after 401) - else - User.authenticate(:username => username, :password => passwd) # basic auth - end - if username && current_user - if Settings.basic_auth_support - # log if we have authenticated using basic auth - logger.info "Authenticated as user #{current_user.id} using basic authentication" - else - report_error t("application.basic_auth_disabled", :link => t("application.auth_disabled_link")), :forbidden - end - end - end + self.current_user = User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token&.accessible? # have we identified the user? if current_user diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb index cc006c19c..4b36607bb 100644 --- a/app/controllers/application_controller.rb +++ b/app/controllers/application_controller.rb 
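Review bot: `User.find(doorkeeper_token.resource_owner_id)` on the new one-liner in `setup_user_auth` raises `ActiveRecord::RecordNotFound` if the token's owner row is gone, which surfaces as a 404 instead of the unauthenticated 401 the rest of the method is built around; `User.find_by(:id => doorkeeper_token.resource_owner_id)` would leave `current_user` nil and fall through to the existing handling. The behaviour is carried over from the removed branch rather than introduced here, and whether a live token can outlive its user depends on constraints not visible in this diff, so it is a hedge rather than a reported bug. `setup_user_auth` continues past the end of the hunk.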
@@ -323,20 +323,6 @@ class ApplicationController < ActionController::Base end end - # extract authorisation credentials from headers, returns user = nil if none - def auth_data - if request.env.key? "X-HTTP_AUTHORIZATION" # where mod_rewrite might have put it - authdata = request.env["X-HTTP_AUTHORIZATION"].to_s.split - elsif request.env.key? "REDIRECT_X_HTTP_AUTHORIZATION" # mod_fcgi - authdata = request.env["REDIRECT_X_HTTP_AUTHORIZATION"].to_s.split - elsif request.env.key? "HTTP_AUTHORIZATION" # regular location - authdata = request.env["HTTP_AUTHORIZATION"].to_s.split - end - # only basic authentication supported - user, pass = Base64.decode64(authdata[1]).split(":", 2) if authdata && authdata[0] == "Basic" - [user, pass] - end - # clean any referer parameter def safe_referer(referer) begin diff --git a/config/locales/en.yml b/config/locales/en.yml index b9e7ee16a..08706e42b 100644 --- a/config/locales/en.yml +++ b/config/locales/en.yml @@ -2580,8 +2580,6 @@ en: other: "GPX file with %{count} points from %{user}" description_without_count: "GPX file from %{user}" application: - basic_auth_disabled: "HTTP Basic Authentication is disabled: %{link}" - auth_disabled_link: "https://wiki.openstreetmap.org/wiki/2024_authentication_update" permission_denied: You do not have permission to access that action require_cookies: cookies_needed: "You appear to have cookies disabled - please enable cookies in your browser before continuing." diff --git a/config/settings.yml b/config/settings.yml index e2ff88a41..b5a565b13 100644 --- a/config/settings.yml +++ b/config/settings.yml @@ -106,8 +106,6 @@ attachments_dir: ":rails_root/public/attachments" #logstash_path: "" # List of memcache servers to use for caching #memcache_servers: [] -# Enable HTTP basic authentication support -basic_auth_support: true # URL of Nominatim instance to use for geocoding nominatim_url: "https://nominatim.openstreetmap.org/" # Default editor 
diff --git a/test/controllers/api/changeset_comments_controller_test.rb b/test/controllers/api/changeset_comments_controller_test.rb index f479b24b3..ca7fc3407 100644 --- a/test/controllers/api/changeset_comments_controller_test.rb +++ b/test/controllers/api/changeset_comments_controller_test.rb @@ -41,7 +41,7 @@ module Api deleted_user = create(:user, :deleted) private_user_closed_changeset = create(:changeset, :closed, :user => private_user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user assert_difference "ChangesetComment.count", 1 do assert_no_difference "ActionMailer::Base.deliveries.size" do @@ -74,7 +74,7 @@ module Api ActionMailer::Base.deliveries.clear - auth_header = basic_authorization_header user2.email, "test" + auth_header = bearer_authorization_header user2 assert_difference "ChangesetComment.count", 1 do assert_difference "ActionMailer::Base.deliveries.size", 2 do @@ -105,7 +105,7 @@ module Api post changeset_comment_path(create(:changeset, :closed), :text => "This is a comment") assert_response :unauthorized - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # bad changeset id assert_no_difference "ChangesetComment.count" do @@ -138,7 +138,7 @@ module Api changeset = create(:changeset, :closed) user = create(:user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour do 1.upto(Settings.initial_changeset_comments_per_hour) do |count| 
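Review bot: Nothing in the converted tests asserts that Basic credentials are now rejected — the unauthenticated case at the top of @@ -105 sends no `Authorization` header at all, and the `basic_authorization_header` calls replaced throughout this file (and in the changesets and nodes test files further down) were the only requests that carried one. Since the deleted `auth_data` and `authorize` branches are exactly the path being removed, a negative test that sends a well-formed Basic header for a valid user and expects 401 with no comment created would pin the new behaviour; a sketch follows, using the same `"test"` password the replaced lines used. The helper definitions in test/test_helper.rb are outside this view, so the header is built by hand.
```ruby
    # Basic credentials are no longer an accepted scheme: a well-formed header
    # for a real user must leave the request unauthenticated.
    def test_basic_auth_rejected
      user = create(:user)
      changeset = create(:changeset, :closed)
      auth_header = { "Authorization" => "Basic #{Base64.strict_encode64("#{user.email}:test")}" }

      assert_no_difference "ChangesetComment.count" do
        post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header
      end
      assert_response :unauthorized
    end
```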
@@ -160,7 +160,7 @@ module Api user = create(:user) create_list(:changeset_comment, 200, :author_id => user.id, :created_at => Time.now.utc - 1.day) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user assert_difference "ChangesetComment.count", Settings.max_changeset_comments_per_hour do 1.upto(Settings.max_changeset_comments_per_hour) do |count| @@ -182,7 +182,7 @@ module Api user = create(:user) create(:issue_with_reports, :reportable => user, :reported_user => user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user assert_difference "ChangesetComment.count", Settings.initial_changeset_comments_per_hour / 2 do 1.upto(Settings.initial_changeset_comments_per_hour / 2) do |count| @@ -203,7 +203,7 @@ module Api changeset = create(:changeset, :closed) user = create(:moderator_user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user assert_difference "ChangesetComment.count", Settings.moderator_changeset_comments_per_hour do 1.upto(Settings.moderator_changeset_comments_per_hour) do |count| @@ -229,14 +229,14 @@ module Api assert_response :unauthorized assert comment.reload.visible - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # not a moderator post changeset_comment_hide_path(comment), :headers => auth_header assert_response :forbidden assert comment.reload.visible - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) # bad comment id post changeset_comment_hide_path(999111), :headers => auth_header 
@@ -250,7 +250,7 @@ module Api comment = create(:changeset_comment) assert comment.visible - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) post changeset_comment_hide_path(comment), :headers => auth_header assert_response :success @@ -268,14 +268,14 @@ module Api assert_response :unauthorized assert_not comment.reload.visible - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # not a moderator post changeset_comment_unhide_path(comment), :headers => auth_header assert_response :forbidden assert_not comment.reload.visible - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) # bad comment id post changeset_comment_unhide_path(999111), :headers => auth_header @@ -289,7 +289,7 @@ module Api comment = create(:changeset_comment, :visible => false) assert_not comment.visible - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) post changeset_comment_unhide_path(comment), :headers => auth_header assert_response :success 
@@ -320,28 +320,5 @@ module Api end assert_response :success end - - # This test does the same as above, but with basic auth, to similarly test that the - # abilities take into account terms agreement too. - def test_api_write_and_terms_agreed_via_basic_auth - user = create(:user, :terms_agreed => nil) - changeset = create(:changeset, :closed) - - auth_header = basic_authorization_header user.email, "test" - - assert_difference "ChangesetComment.count", 0 do - post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header - end - assert_response :forbidden - - # Try again, after agreement with the terms - user.terms_agreed = Time.now.utc - user.save! - - assert_difference "ChangesetComment.count", 1 do - post changeset_comment_path(changeset, :text => "This is a comment"), :headers => auth_header - end - assert_response :success - end end end diff --git a/test/controllers/api/changesets_controller_test.rb b/test/controllers/api/changesets_controller_test.rb index 1d7afa035..c0be42a21 100644 --- a/test/controllers/api/changesets_controller_test.rb +++ b/test/controllers/api/changesets_controller_test.rb @@ -64,7 +64,7 @@ module Api # ----------------------- def test_create - auth_header = basic_authorization_header create(:user, :data_public => false).email, "test" + auth_header = bearer_authorization_header create(:user, :data_public => false) # Create the first user's changeset xml = "" \ "" \ @@ -72,7 +72,7 @@ module Api put changeset_create_path, :params => xml, :headers => auth_header assert_require_public_data - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # Create the first user's changeset xml = "" \ "" \ 
@@ -99,13 +99,13 @@ module Api end def test_create_invalid - auth_header = basic_authorization_header create(:user, :data_public => false).email, "test" + auth_header = bearer_authorization_header create(:user, :data_public => false) xml = "" put changeset_create_path, :params => xml, :headers => auth_header assert_require_public_data ## Try the public user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header xml = "" put changeset_create_path, :params => xml, :headers => auth_header assert_response :bad_request, "creating a invalid changeset should fail" @@ -117,23 +117,23 @@ module Api assert_response :unauthorized, "shouldn't be able to create a changeset with no auth" ## Now try to with a non-public user - auth_header = basic_authorization_header create(:user, :data_public => false).email, "test" + auth_header = bearer_authorization_header create(:user, :data_public => false) put changeset_create_path, :headers => auth_header assert_require_public_data ## Try an inactive user - auth_header = basic_authorization_header create(:user, :pending).email, "test" + auth_header = bearer_authorization_header create(:user, :pending) put changeset_create_path, :headers => auth_header assert_inactive_user ## Now try to use a normal user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header put changeset_create_path, :headers => auth_header assert_response :bad_request, "creating a changeset with no content should fail" end def test_create_wrong_method - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header get changeset_create_path, :headers => auth_header assert_response :not_found 
@@ -216,7 +216,7 @@ module Api # one hidden comment shown to moderators moderator_user = create(:moderator_user) - auth_header = basic_authorization_header moderator_user.email, "test" + auth_header = bearer_authorization_header moderator_user get changeset_show_path(changeset), :params => { :include_discussion => true, :show_hidden_comments => true }, :headers => auth_header assert_response :success, "cannot get closed changeset with comments" @@ -322,7 +322,7 @@ module Api # one hidden comment shown to moderators moderator_user = create(:moderator_user) - auth_header = basic_authorization_header moderator_user.email, "test" + auth_header = bearer_authorization_header moderator_user get changeset_show_path(changeset), :params => { :format => "json", :include_discussion => true, :show_hidden_comments => true }, :headers => auth_header assert_response :success, "cannot get closed changeset with comments" @@ -416,12 +416,12 @@ module Api assert_response :unauthorized ## Try using the non-public user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user put changeset_close_path(private_changeset), :headers => auth_header assert_require_public_data ## The try with the public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user cs_id = changeset.id put changeset_close_path(cs_id), :headers => auth_header @@ -439,7 +439,7 @@ module Api user = create(:user) changeset = create(:changeset) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user put changeset_close_path(changeset), :headers => auth_header assert_response :conflict 
@@ -452,7 +452,7 @@ module Api user = create(:user) changeset = create(:changeset, :user => user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user get changeset_close_path(changeset), :headers => auth_header assert_response :not_found @@ -477,7 +477,7 @@ module Api end # Now try with auth - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header cs_ids.each do |id| put changeset_close_path(id), :headers => auth_header assert_response :not_found, "The changeset #{id} doesn't exist, so can't be closed" @@ -534,7 +534,7 @@ module Api "shouldn't be able to upload a simple valid diff to changeset: #{@response.body}" ## Now try with a private user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user changeset_id = private_changeset.id # simple diff to change a node, way and relation by removing @@ -563,7 +563,7 @@ module Api "can't upload a simple valid diff to changeset: #{@response.body}" ## Now try with the public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user changeset_id = changeset.id # simple diff to change a node, way and relation by removing @@ -606,7 +606,7 @@ module Api way = create(:way_with_nodes, :nodes_count => 2) relation = create(:relation) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # simple diff to create a node way and relation using placeholders diff = <<~CHANGESET 
@@ -677,7 +677,7 @@ module Api create(:relation_member, :relation => super_relation, :member => used_way) create(:relation_member, :relation => super_relation, :member => used_node) - auth_header = basic_authorization_header changeset.user.display_name, "test" + auth_header = bearer_authorization_header changeset.user diff = XML::Document.new diff.root = XML::Node.new "osmChange" @@ -719,7 +719,7 @@ module Api node = create(:node) changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.display_name, "test" + auth_header = bearer_authorization_header changeset.user diff = "" # upload it @@ -736,7 +736,7 @@ module Api def test_repeated_changeset_create 3.times do - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # create a temporary changeset xml = "" \ @@ -751,7 +751,7 @@ module Api def test_upload_large_changeset user = create(:user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # create an old changeset to ensure we have the maximum rate limit create(:changeset, :user => user, :created_at => Time.now.utc - 28.days) @@ -813,7 +813,7 @@ module Api create(:relation_member, :relation => relation, :member => used_way) create(:relation_member, :relation => relation, :member => used_node) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = XML::Document.new diff.root = XML::Node.new "osmChange" @@ -855,7 +855,7 @@ module Api create(:relation_member, :relation => super_relation, :member => used_way) create(:relation_member, :relation => super_relation, :member => used_node) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = XML::Document.new diff.root = XML::Node.new "osmChange" 
@@ -911,7 +911,7 @@ module Api def test_upload_invalid_too_long_tag changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user # simple diff to create a node way and relation using placeholders diff = <<~CHANGESET @@ -941,7 +941,7 @@ module Api changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user # simple diff to create a node way and relation using placeholders diff = <<~CHANGESET @@ -1000,7 +1000,7 @@ module Api relation = create(:relation) other_relation = create(:relation) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user # simple diff to create a node way and relation using placeholders diff = <<~CHANGESET @@ -1043,7 +1043,7 @@ module Api def test_upload_multiple_valid node = create(:node) changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user # change the location of a node multiple times, each time referencing # the last version. doesn't this depend on version numbers being @@ -1081,7 +1081,7 @@ module Api node = create(:node) changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1103,7 +1103,7 @@ module Api def test_upload_missing_version changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET 
@@ -1124,7 +1124,7 @@ module Api def test_action_upload_invalid changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1149,7 +1149,7 @@ module Api other_relation = create(:relation) create(:relation_tag, :relation => relation) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1184,7 +1184,7 @@ module Api def test_upload_reuse_placeholder_valid changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1218,7 +1218,7 @@ module Api def test_upload_placeholder_invalid changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1256,7 +1256,7 @@ module Api def test_upload_process_order changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1280,7 +1280,7 @@ module Api def test_upload_duplicate_delete changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1327,7 +1327,7 @@ module Api changeset = create(:changeset) way = create(:way) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET @@ -1382,7 +1382,7 @@ module Api changeset = create(:changeset) relation = create(:relation) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user diff = <<~CHANGESET 
@@ -1434,7 +1434,7 @@ module Api # test what happens if a diff is uploaded containing only a node # move. def test_upload_node_move - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header xml = "" \ "" \ @@ -1471,7 +1471,7 @@ module Api ## # test what happens if a diff is uploaded adding a node to a way. def test_upload_way_extend - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header xml = "" \ "" \ @@ -1512,7 +1512,7 @@ module Api def test_upload_empty_invalid changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user ["", "", @@ -1532,7 +1532,7 @@ module Api node = create(:node) create(:relation_member, :member => node) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user # try and delete a node that is in use diff = XML::Document.new @@ -1556,7 +1556,7 @@ module Api def test_upload_not_found changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user # modify node diff = <<~CHANGESET @@ -1640,7 +1640,7 @@ module Api def test_upload_relation_placeholder_not_fix changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user # modify node diff = <<~CHANGESET @@ -1674,7 +1674,7 @@ module Api def test_upload_multiple_delete_block changeset = create(:changeset) - auth_header = basic_authorization_header changeset.user.email, "test" + auth_header = bearer_authorization_header changeset.user node = create(:node) way = create(:way) 
@@ -1717,7 +1717,7 @@ module Api :num_changes => Settings.initial_changes_per_hour - 2) # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # simple diff to create a node way and relation using placeholders diff = <<~CHANGESET @@ -1772,7 +1772,7 @@ module Api end # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # simple diff to create a node way and relation using placeholders diff = <<~CHANGESET @@ -1813,7 +1813,7 @@ module Api :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round) # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # simple diff to create a node diff = <<~CHANGESET @@ -1847,7 +1847,7 @@ module Api :max_lat => (0.5 * GeoRecord::SCALE).round, :max_lon => (2.5 * GeoRecord::SCALE).round) # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # simple diff to create a node way and relation using placeholders diff = <<~CHANGESET @@ -1873,7 +1873,7 @@ module Api node = create(:node) ## First try with a non-public user, which should get a forbidden - auth_header = basic_authorization_header create(:user, :data_public => false).email, "test" + auth_header = bearer_authorization_header create(:user, :data_public => false) # create a temporary changeset xml = "" \ @@ -1883,7 +1883,7 @@ module Api assert_response :forbidden ## Now try with a normal user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # create a temporary changeset xml = "" \ 
@@ -1928,7 +1928,7 @@ module Api # # NOTE: the error turned out to be something else completely! def test_josm_upload - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # create a temporary changeset xml = "" \ @@ -1989,7 +1989,7 @@ module Api node = create(:node) node2 = create(:node) way = create(:way) - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # create a temporary changeset xml = "" \ @@ -2104,7 +2104,7 @@ module Api way = create(:way) create(:way_node, :way => way, :node => create(:node, :lat => 0.3, :lon => 0.3)) - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # create a new changeset xml = "" @@ -2193,7 +2193,7 @@ module Api assert_response :not_found, "shouldn't be able to get changesets by non-public user (name)" # but this should work - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user get changesets_path(:user => private_user.id), :headers => auth_header assert_response :success, "can't get changesets by user ID" assert_changesets_in_order [private_user_changeset, private_user_closed_changeset] 
@@ -2421,12 +2421,12 @@ module Api assert_response :unauthorized # try with the wrong authorization - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header assert_response :conflict # now this should get an unauthorized - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user put changeset_show_path(private_changeset), :params => new_changeset.to_s, :headers => auth_header assert_require_public_data "user with their data non-public, shouldn't be able to edit their changeset" @@ -2442,12 +2442,12 @@ module Api assert_response :unauthorized # try with the wrong authorization - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header assert_response :conflict # now this should work... - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user put changeset_show_path(changeset), :params => new_changeset.to_s, :headers => auth_header assert_response :success @@ -2460,7 +2460,7 @@ module Api # check that a user different from the one who opened the changeset # can't modify it. def test_changeset_update_invalid - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header changeset = create(:changeset) new_changeset = create_changeset_xml(:user => changeset.user, :id => changeset.id) 
@@ -2478,7 +2478,7 @@ module Api ## FIXME should be changed to an integration test due to the with_controller def test_changeset_limits user = create(:user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # create an old changeset to ensure we have the maximum rate limit create(:changeset, :user => user, :created_at => Time.now.utc - 28.days) @@ -2559,7 +2559,7 @@ module Api ## # test subscribe success def test_subscribe_success - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header changeset = create(:changeset, :closed) assert_difference "changeset.subscribers.count", 1 do @@ -2587,7 +2587,7 @@ module Api end assert_response :unauthorized - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # bad changeset id assert_no_difference "changeset.subscribers.count" do @@ -2608,7 +2608,7 @@ module Api # test unsubscribe success def test_unsubscribe_success user = create(:user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user changeset = create(:changeset, :closed) changeset.subscribers.push(user) @@ -2637,7 +2637,7 @@ module Api end assert_response :unauthorized - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # bad changeset id assert_no_difference "changeset.subscribers.count" do diff --git a/test/controllers/api/nodes_controller_test.rb b/test/controllers/api/nodes_controller_test.rb index d9fabb012..9896c34a5 100644 --- a/test/controllers/api/nodes_controller_test.rb +++ b/test/controllers/api/nodes_controller_test.rb 
@@ -55,7 +55,7 @@ module Api assert_response :unauthorized, "node upload did not return unauthorized status" ## Now try with the user which doesn't have their data public - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # create a minimal xml file xml = "" @@ -66,7 +66,7 @@ module Api assert_require_public_data "node create did not return forbidden status" ## Now try with the user that has the public data - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # create a minimal xml file xml = "" @@ -92,7 +92,7 @@ module Api user = create(:user) changeset = create(:changeset, :user => user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user lat = 3.434 lon = 3.23 @@ -178,7 +178,7 @@ module Api assert_response :unauthorized ## now set auth for the non-data public user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # try to delete with an invalid (closed) changeset xml = update_changeset(xml_for_node(private_node), private_user_closed_changeset.id) @@ -226,7 +226,7 @@ module Api changeset = create(:changeset, :user => user) closed_changeset = create(:changeset, :closed, :user => user) node = create(:node, :changeset => changeset) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try to delete with an invalid (closed) changeset xml = update_changeset(xml_for_node(node), closed_changeset.id) @@ -314,7 +314,7 @@ module Api ## Second test with the private user # setup auth - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user ## trying to break changesets 
@@ -356,7 +356,7 @@ module Api assert_response :forbidden # setup auth - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user ## trying to break changesets @@ -477,7 +477,7 @@ module Api existing_tag = create(:node_tag) assert existing_tag.node.changeset.user.data_public # setup auth - auth_header = basic_authorization_header existing_tag.node.changeset.user.email, "test" + auth_header = bearer_authorization_header existing_tag.node.changeset.user # add an identical tag to the node tag_xml = XML::Node.new("tag") @@ -503,7 +503,7 @@ module Api changeset = create(:changeset, :user => user) ## First try with the non-data public user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # try and put something into a string that the API might # use unquoted and therefore allow code injection... @@ -514,7 +514,7 @@ module Api assert_require_public_data "Shouldn't be able to create with non-public user" ## Then try with the public data user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try and put something into a string that the API might # use unquoted and therefore allow code injection... @@ -552,7 +552,7 @@ module Api :num_changes => Settings.initial_changes_per_hour - 1) # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try creating a node xml = "" @@ -599,7 +599,7 @@ module Api end # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try creating a node xml = "" diff --git a/test/controllers/api/notes_controller_test.rb b/test/controllers/api/notes_controller_test.rb index 42972e494..ed410e8c7 100644 --- a/test/controllers/api/notes_controller_test.rb 
+++ b/test/controllers/api/notes_controller_test.rb @@ -203,7 +203,7 @@ module Api def test_comment_success open_note_with_comment = create(:note_with_comments) user = create(:user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user assert_difference "NoteComment.count", 1 do assert_no_difference "ActionMailer::Base.deliveries.size" do perform_enqueued_jobs do @@ -244,7 +244,7 @@ module Api create(:note_comment, :note => note, :author => second_user) end - auth_header = basic_authorization_header third_user.email, "test" + auth_header = bearer_authorization_header third_user assert_difference "NoteComment.count", 1 do assert_difference "ActionMailer::Base.deliveries.size", 2 do @@ -300,7 +300,7 @@ module Api assert_response :unauthorized end - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user assert_no_difference "NoteComment.count" do post comment_api_note_path(open_note_with_comment), :headers => auth_header @@ -344,7 +344,7 @@ module Api post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json") assert_response :unauthorized - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user post close_api_note_path(open_note_with_comment, :text => "This is a close comment", :format => "json"), :headers => auth_header assert_response :success @@ -375,7 +375,7 @@ module Api post close_api_note_path(12345) assert_response :unauthorized - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header post close_api_note_path(12345), :headers => auth_header assert_response :not_found 
@@ -398,7 +398,7 @@ module Api post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json") assert_response :unauthorized - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user post reopen_api_note_path(closed_note_with_comment, :text => "This is a reopen comment", :format => "json"), :headers => auth_header assert_response :success @@ -431,7 +431,7 @@ module Api post reopen_api_note_path(hidden_note_with_comment) assert_response :unauthorized - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header post reopen_api_note_path(12345), :headers => auth_header assert_response :not_found @@ -550,12 +550,12 @@ module Api delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json") assert_response :unauthorized - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header assert_response :forbidden - auth_header = basic_authorization_header moderator_user.email, "test" + auth_header = bearer_authorization_header moderator_user delete api_note_path(open_note_with_comment, :text => "This is a hide comment", :format => "json"), :headers => auth_header assert_response :success @@ -572,7 +572,7 @@ module Api get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header assert_response :success - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user get api_note_path(open_note_with_comment, :format => "json"), :headers => auth_header assert_response :gone 
@@ -585,12 +585,12 @@ module Api delete api_note_path(12345, :format => "json") assert_response :unauthorized - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user delete api_note_path(12345, :format => "json"), :headers => auth_header assert_response :forbidden - auth_header = basic_authorization_header moderator_user.email, "test" + auth_header = bearer_authorization_header moderator_user delete api_note_path(12345, :format => "json"), :headers => auth_header assert_response :not_found diff --git a/test/controllers/api/old_nodes_controller_test.rb b/test/controllers/api/old_nodes_controller_test.rb index 7855079cc..99c4dbb1b 100644 --- a/test/controllers/api/old_nodes_controller_test.rb +++ b/test/controllers/api/old_nodes_controller_test.rb @@ -48,7 +48,7 @@ module Api propagate_tags(node, node.old_nodes.last) ## First try this with a non-public user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # setup a simple XML node xml_doc = xml_for_node(private_node) @@ -95,7 +95,7 @@ module Api # probably should check that they didn't get written to the database ## Now do it with the public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # setup a simple XML node @@ -212,7 +212,7 @@ module Api # test the redaction of an old version of a node, while being # authorised as a normal user. def test_redact_node_normal_user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header node = create(:node, :with_history, :version => 4) node_v3 = node.old_nodes.find_by(:version => 3) 
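Review bot: The `bearer_authorization_header user` → `:forbidden` and `bearer_authorization_header moderator_user` → `:not_found` pair in the `-585` hunk proves the role check, but the scopes on those tokens are chosen inside the helper (test_helper.rb, not in this hunk), presumably all of them. Now that no authentication path bypasses scope checks, one negative case here with a moderator token that lacks the notes write scope asserting `:forbidden` would show that hiding a note requires the role and the scope together rather than the role alone. That depends on the helper accepting a scope list, which I cannot see from here. The enclosing test method starts outside the hunk.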
@@ -227,7 +227,7 @@ module Api # test that, even as moderator, the current version of a node # can't be redacted. def test_redact_node_current_version - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) node = create(:node, :with_history, :version => 4) node_v4 = node.old_nodes.find_by(:version => 4) @@ -287,7 +287,7 @@ module Api assert_response :forbidden, "Redacted node shouldn't be visible via the version API." # not even to a logged-in user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header assert_response :forbidden, "Redacted node shouldn't be visible via the version API, even when logged in." end @@ -305,7 +305,7 @@ module Api "redacted node #{node_v1.node_id} version #{node_v1.version} shouldn't be present in the history." # not even to a logged-in user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header get api_node_history_path(node), :headers => auth_header assert_response :success, "Redaction shouldn't have stopped history working." assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 0, @@ -318,7 +318,7 @@ module Api def test_redact_node_moderator node = create(:node, :with_history, :version => 4) node_v3 = node.old_nodes.find_by(:version => 3) - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) do_redact_node(node_v3, create(:redaction), auth_header) assert_response :success, "should be OK to redact old version as moderator." 
@@ -346,13 +346,13 @@ module Api def test_redact_node_is_redacted node = create(:node, :with_history, :version => 4) node_v3 = node.old_nodes.find_by(:version => 3) - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) do_redact_node(node_v3, create(:redaction), auth_header) assert_response :success, "should be OK to redact old version as moderator." # re-auth as non-moderator - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # check can't see the redacted data get api_old_node_path(node_v3.node_id, node_v3.version), :headers => auth_header @@ -386,7 +386,7 @@ module Api node_v1 = node.old_nodes.find_by(:version => 1) node_v1.redact!(create(:redaction)) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header assert_response :forbidden, "should need to be moderator to unredact." @@ -401,7 +401,7 @@ module Api node_v1 = node.old_nodes.find_by(:version => 1) node_v1.redact!(create(:redaction)) - auth_header = basic_authorization_header moderator_user.email, "test" + auth_header = bearer_authorization_header moderator_user post node_version_redact_path(node_v1.node_id, node_v1.version), :headers => auth_header assert_response :success, "should be OK to unredact old version as moderator." @@ -417,7 +417,7 @@ module Api assert_select "osm node[id='#{node_v1.node_id}'][version='#{node_v1.version}']", 1, "node #{node_v1.node_id} version #{node_v1.version} should now be present in the history for moderators without passing flag." - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # check normal user can now see the redacted data get api_old_node_path(node_v1.node_id, node_v1.version), :headers => auth_header 
diff --git a/test/controllers/api/old_relations_controller_test.rb b/test/controllers/api/old_relations_controller_test.rb index 892e52991..446fb5f14 100644 --- a/test/controllers/api/old_relations_controller_test.rb +++ b/test/controllers/api/old_relations_controller_test.rb @@ -58,7 +58,7 @@ module Api relation = create(:relation, :with_history, :version => 4) relation_v3 = relation.old_relations.find_by(:version => 3) - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header do_redact_relation(relation_v3, create(:redaction), auth_header) assert_response :forbidden, "should need to be moderator to redact." @@ -71,7 +71,7 @@ module Api relation = create(:relation, :with_history, :version => 4) relation_latest = relation.old_relations.last - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) do_redact_relation(relation_latest, create(:redaction), auth_header) assert_response :bad_request, "shouldn't be OK to redact current version as moderator." @@ -126,7 +126,7 @@ module Api assert_response :forbidden, "Redacted relation shouldn't be visible via the version API." # not even to a logged-in user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header assert_response :forbidden, "Redacted relation shouldn't be visible via the version API, even when logged in." end 
@@ -144,7 +144,7 @@ module Api "redacted relation #{relation_v1.relation_id} version #{relation_v1.version} shouldn't be present in the history." # not even to a logged-in user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header get api_relation_history_path(relation), :headers => auth_header assert_response :success, "Redaction shouldn't have stopped history working." @@ -159,7 +159,7 @@ module Api relation = create(:relation, :with_history, :version => 4) relation_v3 = relation.old_relations.find_by(:version => 3) - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) do_redact_relation(relation_v3, create(:redaction), auth_header) assert_response :success, "should be OK to redact old version as moderator." @@ -188,13 +188,13 @@ module Api relation = create(:relation, :with_history, :version => 4) relation_v3 = relation.old_relations.find_by(:version => 3) - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) do_redact_relation(relation_v3, create(:redaction), auth_header) assert_response :success, "should be OK to redact old version as moderator." # re-auth as non-moderator - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # check can't see the redacted data get api_old_relation_path(relation_v3.relation_id, relation_v3.version), :headers => auth_header 
@@ -227,7 +227,7 @@ module Api relation_v1 = relation.old_relations.find_by(:version => 1) relation_v1.redact!(create(:redaction)) - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header assert_response :forbidden, "should need to be moderator to unredact." @@ -241,7 +241,7 @@ module Api relation_v1 = relation.old_relations.find_by(:version => 1) relation_v1.redact!(create(:redaction)) - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) post relation_version_redact_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header assert_response :success, "should be OK to unredact old version as moderator." @@ -257,7 +257,7 @@ module Api assert_select "osm relation[id='#{relation_v1.relation_id}'][version='#{relation_v1.version}']", 1, "relation #{relation_v1.relation_id} version #{relation_v1.version} should still be present in the history for moderators." - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # check normal user can now see the redacted data get api_old_relation_path(relation_v1.relation_id, relation_v1.version), :headers => auth_header diff --git a/test/controllers/api/old_ways_controller_test.rb b/test/controllers/api/old_ways_controller_test.rb index 8081082cf..482655754 100644 --- a/test/controllers/api/old_ways_controller_test.rb +++ b/test/controllers/api/old_ways_controller_test.rb 
@@ -98,7 +98,7 @@ module Api # test the redaction of an old version of a way, while being # authorised as a normal user. def test_redact_way_normal_user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header way = create(:way, :with_history, :version => 4) way_v3 = way.old_ways.find_by(:version => 3) @@ -110,7 +110,7 @@ module Api # test that, even as moderator, the current version of a way # can't be redacted. def test_redact_way_current_version - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) way = create(:way, :with_history, :version => 4) way_latest = way.old_ways.last @@ -167,7 +167,7 @@ module Api assert_response :forbidden, "Redacted way shouldn't be visible via the version API." # not even to a logged-in user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header assert_response :forbidden, "Redacted way shouldn't be visible via the version API, even when logged in." end @@ -185,7 +185,7 @@ module Api "redacted way #{way_v1.way_id} version #{way_v1.version} shouldn't be present in the history." # not even to a logged-in user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header get api_way_history_path(way), :headers => auth_header assert_response :success, "Redaction shouldn't have stopped history working." assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 0, 
@@ -198,7 +198,7 @@ module Api def test_redact_way_moderator way = create(:way, :with_history, :version => 4) way_v3 = way.old_ways.find_by(:version => 3) - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) do_redact_way(way_v3, create(:redaction), auth_header) assert_response :success, "should be OK to redact old version as moderator." @@ -226,13 +226,13 @@ module Api def test_redact_way_is_redacted way = create(:way, :with_history, :version => 4) way_v3 = way.old_ways.find_by(:version => 3) - auth_header = basic_authorization_header create(:moderator_user).email, "test" + auth_header = bearer_authorization_header create(:moderator_user) do_redact_way(way_v3, create(:redaction), auth_header) assert_response :success, "should be OK to redact old version as moderator." # re-auth as non-moderator - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # check can't see the redacted data get api_old_way_path(way_v3.way_id, way_v3.version), :headers => auth_header @@ -265,7 +265,7 @@ module Api way_v1 = way.old_ways.find_by(:version => 1) way_v1.redact!(create(:redaction)) - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header assert_response :forbidden, "should need to be moderator to unredact." @@ -280,7 +280,7 @@ module Api way_v1 = way.old_ways.find_by(:version => 1) way_v1.redact!(create(:redaction)) - auth_header = basic_authorization_header moderator_user.email, "test" + auth_header = bearer_authorization_header moderator_user post way_version_redact_path(way_v1.way_id, way_v1.version), :headers => auth_header assert_response :success, "should be OK to unredact old version as moderator." 
@@ -296,7 +296,7 @@ module Api assert_select "osm way[id='#{way_v1.way_id}'][version='#{way_v1.version}']", 1, "way #{way_v1.way_id} version #{way_v1.version} should still be present in the history for moderators." - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # check normal user can now see the unredacted data get api_old_way_path(way_v1.way_id, way_v1.version), :headers => auth_header diff --git a/test/controllers/api/permissions_controller_test.rb b/test/controllers/api/permissions_controller_test.rb index 3bc13cc04..1ee3365e7 100644 --- a/test/controllers/api/permissions_controller_test.rb +++ b/test/controllers/api/permissions_controller_test.rb @@ -32,30 +32,6 @@ module Api assert_equal 0, js["permissions"].count end - def test_permissions_basic_auth - auth_header = basic_authorization_header create(:user).email, "test" - get permissions_path, :headers => auth_header - assert_response :success - assert_select "osm > permissions", :count => 1 do - assert_select "permission", :count => Oauth.scopes.size - Oauth.scopes.each do |p| - assert_select "permission[name='allow_#{p.name}']", :count => 1 - end - end - - # Test json - get permissions_path(:format => "json"), :headers => auth_header - assert_response :success - assert_equal "application/json", @response.media_type - - js = ActiveSupport::JSON.decode(@response.body) - assert_not_nil js - assert_equal Oauth.scopes.size, js["permissions"].count - Oauth.scopes.each do |p| - assert_includes js["permissions"], "allow_#{p.name}" - end - end - def test_permissions_oauth2 user = create(:user) token = create(:oauth_access_token, diff --git a/test/controllers/api/relations_controller_test.rb b/test/controllers/api/relations_controller_test.rb index eba3d255e..6cbfe6045 100644 --- a/test/controllers/api/relations_controller_test.rb +++ b/test/controllers/api/relations_controller_test.rb 
@@ -221,7 +221,7 @@ module Api node = create(:node) way = create(:way_with_nodes, :nodes_count => 2) - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # create an relation without members xml = "" @@ -263,7 +263,7 @@ module Api "relation upload did not return success status" ## Now try with the public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # create an relation without members xml = "" @@ -391,7 +391,7 @@ module Api relation = create(:relation) create_list(:relation_tag, 4, :relation => relation) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user with_relation(relation.id) do |rel| # alter one of the tags @@ -423,7 +423,7 @@ module Api relation = create(:relation) create_list(:relation_tag, 4, :relation => relation) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user with_relation(relation.id) do |rel| # alter one of the tags @@ -450,7 +450,7 @@ module Api relation = create(:relation) other_relation = create(:relation) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user with_relation(relation.id) do |rel| update_changeset(rel, changeset.id) put api_relation_path(other_relation), :params => rel.to_s, :headers => auth_header @@ -466,7 +466,7 @@ module Api user = create(:user) changeset = create(:changeset, :user => user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # create a relation with non-existing node as member xml = "" \ 
@@ -487,7 +487,7 @@ module Api changeset = create(:changeset, :user => user) node = create(:node) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # create some xml that should return an error xml = "" \ @@ -522,7 +522,7 @@ module Api assert_response :unauthorized ## Then try with the private user, to make sure that you get a forbidden - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # this shouldn't work, as we should need the payload... delete api_relation_path(relation), :headers => auth_header @@ -564,7 +564,7 @@ module Api assert_response :forbidden ## now set auth for the public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # this shouldn't work, as we should need the payload... delete api_relation_path(relation), :headers => auth_header @@ -743,7 +743,7 @@ module Api way1 = create(:way_with_nodes, :nodes_count => 2) way2 = create(:way_with_nodes, :nodes_count => 2) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user doc_str = <<~OSM @@ -816,13 +816,13 @@ module Api doc = XML::Parser.string(doc_str).parse ## First try with the private user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user put relation_create_path, :params => doc.to_s, :headers => auth_header assert_response :forbidden ## Now try with the public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user put relation_create_path, :params => doc.to_s, :headers => auth_header assert_response :success, "can't create a relation: #{@response.body}" 
@@ -855,7 +855,7 @@ module Api OSM doc = XML::Parser.string(doc_str).parse - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user put relation_create_path, :params => doc.to_s, :headers => auth_header assert_response :success, "can't create a relation: #{@response.body}" @@ -922,7 +922,7 @@ module Api :num_changes => Settings.initial_changes_per_hour - 1) # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try creating a relation xml = "" \ @@ -982,7 +982,7 @@ module Api end # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try creating a relation xml = "" \ @@ -1062,7 +1062,7 @@ module Api # that the changeset bounding box is +bbox+. def check_changeset_modify(bbox) ## First test with the private user to check that you get a forbidden - auth_header = basic_authorization_header create(:user, :data_public => false).email, "test" + auth_header = bearer_authorization_header create(:user, :data_public => false) # create a new changeset for this operation, so we are assured # that the bounding box will be newly-generated. @@ -1073,7 +1073,7 @@ module Api end ## Now do the whole thing with the public user - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # create a new changeset for this operation, so we are assured # that the bounding box will be newly-generated. diff --git a/test/controllers/api/traces_controller_test.rb b/test/controllers/api/traces_controller_test.rb index b26782a3f..de5c309a4 100644 --- a/test/controllers/api/traces_controller_test.rb +++ b/test/controllers/api/traces_controller_test.rb 
@@ -44,12 +44,12 @@ module Api assert_response :unauthorized # Now with some other user, which should work since the trace is public - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header get api_trace_path(public_trace_file), :headers => auth_header assert_response :success # And finally we should be able to do it with the owner of the trace - auth_header = basic_authorization_header public_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header public_trace_file.user get api_trace_path(public_trace_file), :headers => auth_header assert_response :success assert_select "gpx_file[id='#{public_trace_file.id}'][uid='#{public_trace_file.user.id}']", 1 @@ -64,12 +64,12 @@ module Api assert_response :unauthorized # Now try with another user, which shouldn't work since the trace is anon - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header get api_trace_path(anon_trace_file), :headers => auth_header assert_response :forbidden # And finally we should be able to get the trace details with the trace owner - auth_header = basic_authorization_header anon_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header anon_trace_file.user get api_trace_path(anon_trace_file), :headers => auth_header assert_response :success end 
@@ -83,12 +83,12 @@ module Api assert_response :unauthorized # Login, and try again - auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header deleted_trace_file.user get api_trace_path(:id => 0), :headers => auth_header assert_response :not_found # Now try a trace which did exist but has been deleted - auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header deleted_trace_file.user get api_trace_path(deleted_trace_file), :headers => auth_header assert_response :not_found end @@ -102,14 +102,14 @@ module Api assert_response :unauthorized # Now with some other user, which should work since the trace is public - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header get api_trace_data_path(public_trace_file), :headers => auth_header follow_redirect! follow_redirect! check_trace_data public_trace_file, "848caa72f2f456d1bd6a0fdf228aa1b9" # And finally we should be able to do it with the owner of the trace - auth_header = basic_authorization_header public_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header public_trace_file.user get api_trace_data_path(public_trace_file), :headers => auth_header follow_redirect! follow_redirect! @@ -121,7 +121,7 @@ module Api identifiable_trace_file = create(:trace, :visibility => "identifiable", :fixture => "d") # Authenticate as the owner of the trace we will be using - auth_header = basic_authorization_header identifiable_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header identifiable_trace_file.user # First get the data as is get api_trace_data_path(identifiable_trace_file), :headers => auth_header 
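Review bot: In the `-83` hunk both `bearer_authorization_header deleted_trace_file.user` assignments authenticate the same user, so the second one (under `# Now try a trace which did exist but has been deleted`) presumably just mints another token for no change in behaviour; reuse the first header and drop the second assignment. The sibling `-168` hunk uses a fresh user (`bearer_authorization_header` with no argument) for the `:id => 0` request and the owner for the deleted trace, so whichever pattern is intended, the two tests should be aligned deliberately. The enclosing test method starts outside the hunk.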
@@ -147,12 +147,12 @@ module Api assert_response :unauthorized # Now with some other user, which shouldn't work since the trace is anon - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header get api_trace_data_path(anon_trace_file), :headers => auth_header assert_response :forbidden # And finally we should be able to do it with the owner of the trace - auth_header = basic_authorization_header anon_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header anon_trace_file.user get api_trace_data_path(anon_trace_file), :headers => auth_header follow_redirect! follow_redirect! @@ -168,12 +168,12 @@ module Api assert_response :unauthorized # Login, and try again - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header get api_trace_data_path(:id => 0), :headers => auth_header assert_response :not_found # Now try a trace which did exist but has been deleted - auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header deleted_trace_file.user get api_trace_data_path(deleted_trace_file), :headers => auth_header assert_response :not_found end @@ -195,7 +195,7 @@ module Api # Now authenticated create(:user_preference, :user => user, :k => "gps.trace.visibility", :v => "identifiable") assert_not_equal "trackable", user.preferences.find_by(:k => "gps.trace.visibility").v - auth_header = basic_authorization_header user.display_name, "test" + auth_header = bearer_authorization_header user post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :visibility => "trackable" }, :headers => auth_header assert_response :success trace = Trace.find(response.body.to_i) 
@@ -213,7 +213,7 @@ module Api # Now authenticated, with the legacy public flag assert_not_equal "public", user.preferences.find_by(:k => "gps.trace.visibility").v - auth_header = basic_authorization_header user.display_name, "test" + auth_header = bearer_authorization_header user post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 1 }, :headers => auth_header assert_response :success trace = Trace.find(response.body.to_i) @@ -232,7 +232,7 @@ module Api # Now authenticated, with the legacy private flag second_user = create(:user) assert_nil second_user.preferences.find_by(:k => "gps.trace.visibility") - auth_header = basic_authorization_header second_user.display_name, "test" + auth_header = bearer_authorization_header second_user post gpx_create_path, :params => { :file => file, :description => "New Trace", :tags => "new,trace", :public => 0 }, :headers => auth_header assert_response :success trace = Trace.find(response.body.to_i) 
@@ -257,28 +257,28 @@ module Api assert_response :unauthorized # Now with some other user, which should fail - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header put api_trace_path(public_trace_file), :params => create_trace_xml(public_trace_file), :headers => auth_header assert_response :forbidden # Now with a trace which doesn't exist - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header put api_trace_path(:id => 0), :params => create_trace_xml(public_trace_file), :headers => auth_header assert_response :not_found # Now with a trace which did exist but has been deleted - auth_header = basic_authorization_header deleted_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header deleted_trace_file.user put api_trace_path(deleted_trace_file), :params => create_trace_xml(deleted_trace_file), :headers => auth_header assert_response :not_found # Now try an update with the wrong ID - auth_header = basic_authorization_header public_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header public_trace_file.user put api_trace_path(public_trace_file), :params => create_trace_xml(anon_trace_file), :headers => auth_header assert_response :bad_request, "should not be able to update a trace with a different ID from the XML" # And finally try an update that should work - auth_header = basic_authorization_header public_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header public_trace_file.user t = public_trace_file t.description = "Changed description" t.visibility = "private" 
@@ -293,7 +293,7 @@ module Api def test_update_tags tracetag = create(:tracetag) trace = tracetag.trace - auth_header = basic_authorization_header trace.user.display_name, "test" + auth_header = bearer_authorization_header trace.user put api_trace_path(trace), :params => create_trace_xml(trace), :headers => auth_header assert_response :success @@ -314,22 +314,22 @@ module Api assert_response :unauthorized # Now with some other user, which should fail - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header delete api_trace_path(public_trace_file), :headers => auth_header assert_response :forbidden # Now with a trace which doesn't exist - auth_header = basic_authorization_header create(:user).display_name, "test" + auth_header = bearer_authorization_header delete api_trace_path(:id => 0), :headers => auth_header assert_response :not_found # And finally we should be able to do it with the owner of the trace - auth_header = basic_authorization_header public_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header public_trace_file.user delete api_trace_path(public_trace_file), :headers => auth_header assert_response :success # Try it a second time, which should fail - auth_header = basic_authorization_header public_trace_file.user.display_name, "test" + auth_header = bearer_authorization_header public_trace_file.user delete api_trace_path(public_trace_file), :headers => auth_header assert_response :not_found end diff --git a/test/controllers/api/user_preferences_controller_test.rb b/test/controllers/api/user_preferences_controller_test.rb index 41406e1b3..e2c573532 100644 --- a/test/controllers/api/user_preferences_controller_test.rb +++ b/test/controllers/api/user_preferences_controller_test.rb 
@@ -39,7 +39,7 @@ module Api assert_response :unauthorized, "should be authenticated" # authenticate as a user with no preferences - auth_header = basic_authorization_header create(:user).email, "test" + auth_header = bearer_authorization_header # try the read again get user_preferences_path, :headers => auth_header @@ -53,7 +53,7 @@ module Api user = create(:user) user_preference = create(:user_preference, :user => user) user_preference2 = create(:user_preference, :user => user) - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header(user) # try the read again get user_preferences_path, :headers => auth_header @@ -89,7 +89,7 @@ module Api assert_response :unauthorized, "should be authenticated" # authenticate as a user with preferences - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header(user) # try the read again get user_preference_path(:preference_key => "key"), :headers => auth_header @@ -121,7 +121,7 @@ module Api end # authenticate as a user with preferences - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header(user) # try the put again assert_no_difference "UserPreference.count" do @@ -181,7 +181,7 @@ module Api end # authenticate as a user with preferences - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header(user) # try adding a new preference assert_difference "UserPreference.count", 1 do @@ -225,7 +225,7 @@ module Api assert_equal "value", UserPreference.find([user.id, "key"]).v # authenticate as a user with preferences - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header(user) # try the delete again assert_difference "UserPreference.count", -1 do diff --git a/test/controllers/api/users_controller_test.rb b/test/controllers/api/users_controller_test.rb index 4ed7e7f77..5086a09b3 100644 
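Review bot: The rewritten calls in this file use the parenthesised form `bearer_authorization_header(user)` while the other files in this commit (users_controller_test.rb, ways_controller_test.rb, user_blocks_test.rb) use `bearer_authorization_header user`, so the helper is now invoked in two styles across one change. Either is valid Ruby, but picking one form for the whole commit would make the mechanical replacement easier to audit; the community style guide favours parentheses for calls with arguments, i.e. `auth_header = bearer_authorization_header(user)`. Each of these hunks sits inside a test method whose start and end are outside the hunk.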
--- a/test/controllers/api/users_controller_test.rb +++ b/test/controllers/api/users_controller_test.rb @@ -164,7 +164,7 @@ module Api assert_response :unauthorized # check that we get a response when logged in - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user get user_details_path, :headers => auth_header assert_response :success assert_equal "application/xml", response.media_type @@ -173,7 +173,7 @@ module Api check_xml_details(user, true, false) # check that data is returned properly in json - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user get user_details_path(:format => "json"), :headers => auth_header assert_response :success assert_equal "application/json", response.media_type @@ -427,7 +427,7 @@ module Api assert_response :unauthorized # check that we get a response when logged in - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user get user_gpx_files_path, :headers => auth_header assert_response :success assert_equal "application/xml", response.media_type diff --git a/test/controllers/api/ways_controller_test.rb b/test/controllers/api/ways_controller_test.rb index e11cceeb2..6aa4bdfa5 100644 --- a/test/controllers/api/ways_controller_test.rb +++ b/test/controllers/api/ways_controller_test.rb @@ -146,7 +146,7 @@ module Api changeset = create(:changeset, :user => user) ## First check that it fails when creating a way using a non-public user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # use the first user's open changeset changeset_id = private_changeset.id 
@@ -161,7 +161,7 @@ module Api "way upload did not return forbidden status" ## Now use a public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # use the first user's open changeset changeset_id = changeset.id @@ -207,7 +207,7 @@ module Api closed_changeset = create(:changeset, :closed, :user => user) ## First test with a private user to make sure that they are not authorized - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # use the first user's open changeset # create a way with non-existing node @@ -235,7 +235,7 @@ module Api "way upload to closed changeset with a private user did not return 'forbidden'" ## Now test with a public user - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # use the first user's open changeset # create a way with non-existing node @@ -301,7 +301,7 @@ module Api assert_response :unauthorized # now set auth using the private user - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # this shouldn't work as with the 0.6 api we need pay load to delete delete api_way_path(private_way), :headers => auth_header @@ -350,7 +350,7 @@ module Api ### Now check with a public user # now set auth - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # this shouldn't work as with the 0.6 api we need pay load to delete delete api_way_path(way), :headers => auth_header @@ -419,7 +419,7 @@ module Api ## Second test with the private user # setup auth - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user ## trying to break changesets 
@@ -457,7 +457,7 @@ module Api ## Finally test with the public user # setup auth - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user ## trying to break changesets @@ -541,7 +541,7 @@ module Api ## Try with the non-public user # setup auth - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # add an identical tag to the way tag_xml = XML::Node.new("tag") @@ -559,7 +559,7 @@ module Api ## Now try with the public user # setup auth - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # add an identical tag to the way tag_xml = XML::Node.new("tag") @@ -589,7 +589,7 @@ module Api ## Try with the non-public user # setup auth - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # add an identical tag to the way tag_xml = XML::Node.new("tag") @@ -607,7 +607,7 @@ module Api ## Now try with the public user # setup auth - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # add an identical tag to the way tag_xml = XML::Node.new("tag") @@ -635,7 +635,7 @@ module Api ## First test with the non-public user so should be rejected # setup auth - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # create duplicate tag tag_xml = XML::Node.new("tag") @@ -655,7 +655,7 @@ module Api ## Now test with the public user # setup auth - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # create duplicate tag tag_xml = XML::Node.new("tag") 
@@ -687,7 +687,7 @@ module Api ## First make sure that you can't with a non-public user # setup auth - auth_header = basic_authorization_header private_user.email, "test" + auth_header = bearer_authorization_header private_user # add the tag into the existing xml way_str = "" @@ -702,7 +702,7 @@ module Api ## Now do it with a public user # setup auth - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # add the tag into the existing xml way_str = "" @@ -769,7 +769,7 @@ module Api :num_changes => Settings.initial_changes_per_hour - 1) # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try creating a way xml = "" \ @@ -826,7 +826,7 @@ module Api end # create authentication header - auth_header = basic_authorization_header user.email, "test" + auth_header = bearer_authorization_header user # try creating a way xml = "" \ diff --git a/test/integration/compressed_requests_test.rb b/test/integration/compressed_requests_test.rb index ecffe3c46..3f6f13cc9 100644 --- a/test/integration/compressed_requests_test.rb +++ b/test/integration/compressed_requests_test.rb @@ -37,10 +37,9 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest # upload it post "/api/0.6/changeset/#{changeset.id}/upload", :params => diff, - :headers => { - "HTTP_AUTHORIZATION" => format("Basic %s", :auth => Base64.encode64("#{user.display_name}:test")), + :headers => bearer_authorization_header(user).merge( "HTTP_CONTENT_TYPE" => "application/xml" - } + ) assert_response :success, "can't upload an uncompressed diff to changeset: #{@response.body}" 
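Review bot: In the compressed_requests_test.rb hunk at `@@ -37` the merged headers hash now mixes the `"Authorization"` key returned by the helper with the CGI-style `"HTTP_CONTENT_TYPE"` key kept from the old literal. Rails' integration session normalises both spellings, so this is cosmetic, but reading one hash in two conventions is confusing; `"Content-Type" => "application/xml"` would match the helper's style. The same mix appears in the three hunks at `@@ -86`, `@@ -136` and `@@ -157` of the same file.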
@@ -86,11 +85,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest # upload it post "/api/0.6/changeset/#{changeset.id}/upload", :params => gzip_content(diff), - :headers => { - "HTTP_AUTHORIZATION" => format("Basic %s", :auth => Base64.encode64("#{user.display_name}:test")), + :headers => bearer_authorization_header(user).merge( "HTTP_CONTENT_ENCODING" => "gzip", "HTTP_CONTENT_TYPE" => "application/xml" - } + ) assert_response :success, "can't upload a gzip compressed diff to changeset: #{@response.body}" @@ -136,11 +134,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest # upload it post "/api/0.6/changeset/#{changeset.id}/upload", :params => deflate_content(diff), - :headers => { - "HTTP_AUTHORIZATION" => format("Basic %s", :auth => Base64.encode64("#{user.display_name}:test")), + :headers => bearer_authorization_header(user).merge( "HTTP_CONTENT_ENCODING" => "deflate", "HTTP_CONTENT_TYPE" => "application/xml" - } + ) assert_response :success, "can't upload a deflate compressed diff to changeset: #{@response.body}" @@ -157,11 +154,10 @@ class CompressedRequestsTest < ActionDispatch::IntegrationTest # upload it post "/api/0.6/changeset/#{changeset.id}/upload", :params => "", - :headers => { - "HTTP_AUTHORIZATION" => format("Basic %s", :auth => Base64.encode64("#{user.display_name}:test")), + :headers => bearer_authorization_header(user).merge( "HTTP_CONTENT_ENCODING" => "unknown", "HTTP_CONTENT_TYPE" => "application/xml" - } + ) assert_response :unsupported_media_type end diff --git a/test/integration/user_blocks_test.rb b/test/integration/user_blocks_test.rb index 96717e092..5147733e3 100644 --- a/test/integration/user_blocks_test.rb +++ b/test/integration/user_blocks_test.rb 
@@ -7,7 +7,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest get "/api/#{Settings.api_version}/user/details" assert_response :unauthorized - get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test") + get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user) assert_response :success # now block the user @@ -18,7 +18,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest :ends_at => Time.now.utc + 5.minutes, :deactivates_at => Time.now.utc + 5.minutes ) - get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test") + get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user) assert_response :forbidden end @@ -33,7 +33,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest :ends_at => Time.now.utc + 5.minutes, :deactivates_at => Time.now.utc + 5.minutes ) - get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test") + get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user) assert_response :forbidden # revoke the ban @@ -53,7 +53,7 @@ class UserBlocksTest < ActionDispatch::IntegrationTest reset! # access the API again. this time it should work - get "/api/#{Settings.api_version}/user/details", :headers => basic_authorization_header(blocked_user.display_name, "test") + get "/api/#{Settings.api_version}/user/details", :headers => bearer_authorization_header(blocked_user) assert_response :success end end diff --git a/test/integration/user_terms_seen_test.rb b/test/integration/user_terms_seen_test.rb index 46db48388..d419003d9 100644 --- a/test/integration/user_terms_seen_test.rb +++ b/test/integration/user_terms_seen_test.rb 
@@ -4,14 +4,14 @@ class UserTermsSeenTest < ActionDispatch::IntegrationTest def test_api_blocked user = create(:user, :terms_seen => false, :terms_agreed => nil) - get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test") + get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user) assert_response :forbidden # touch it so that the user has seen the terms user.terms_seen = true user.save - get "/api/#{Settings.api_version}/user/preferences", :headers => auth_header(user.display_name, "test") + get "/api/#{Settings.api_version}/user/preferences", :headers => bearer_authorization_header(user) assert_response :success end @@ -58,10 +58,4 @@ class UserTermsSeenTest < ActionDispatch::IntegrationTest get "/traces/mine", :params => { :referer => "/diary/new" } assert_redirected_to :controller => :users, :action => :terms, :referer => "/diary/new" end - - private - - def auth_header(user, pass) - { "HTTP_AUTHORIZATION" => format("Basic %s", :auth => Base64.encode64("#{user}:#{pass}")) } - end end diff --git a/test/test_helper.rb b/test/test_helper.rb index c45c73465..171028f4b 100644 --- a/test/test_helper.rb +++ b/test/test_helper.rb 
@@ -133,15 +133,16 @@ module ActiveSupport assert_equal a.tags, b.tags, "tags on node #{a.id}" end - ## - # return request header for HTTP Basic Authorization - def basic_authorization_header(user, pass) - { "Authorization" => format("Basic %s", :auth => Base64.encode64("#{user}:#{pass}")) } - end - ## # return request header for HTTP Bearer Authorization - def bearer_authorization_header(token) + def bearer_authorization_header(token_or_user = nil, scopes: Oauth::SCOPES) + token = case token_or_user + when nil then create(:oauth_access_token, :scopes => scopes).token + when User then create(:oauth_access_token, :resource_owner_id => token_or_user.id, :scopes => scopes).token + when Doorkeeper::AccessToken then token_or_user.token + when String then token_or_user + end + { "Authorization" => "Bearer #{token}" } end @@ -168,7 +169,7 @@ module ActiveSupport ## # Not sure this is the best response we could give def assert_inactive_user(msg = "an inactive user shouldn't be able to access the API") - assert_response :unauthorized, msg + assert_response :forbidden, msg # assert_equal @response.headers['Error'], "" end -- 2.39.5
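Review bot: The `case token_or_user` in the new `bearer_authorization_header` has no `else`, so an argument of any other type (a Symbol, an Integer id, a misspelt variable) leaves `token` as `nil` and the helper silently returns `{ "Authorization" => "Bearer " }`, which would surface in the calling test as an unexplained `:unauthorized` rather than at the mistake; add `else raise ArgumentError, "unexpected token_or_user: #{token_or_user.inspect}"` before the `end`. The `scopes: Oauth::SCOPES` default also means every test that omits `scopes:` authenticates with the full scope set, so such tests cannot catch an endpoint that forgets a scope check; the header comment should say so, e.g. `# Accepts nil (fresh token), a User, a Doorkeeper::AccessToken or a raw token string; defaults to every scope, pass scopes: to exercise scope enforcement.` Whether the nil branch creates a fresh resource owner depends on the `oauth_access_token` factory, which is not visible here.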
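Review bot: `assert_inactive_user` now expects `:forbidden` instead of `:unauthorized`, but the existing comment above it ("Not sure this is the best response we could give") and the commented-out `assert_equal` are left as they were, so the reason for the flip is not recorded anywhere near the assertion. Presumably a valid bearer token for an inactive user now authenticates and is then denied, whereas the basic-auth path rejected at authentication; if that is the intent, a one-line comment such as `# an inactive user with a valid token authenticates but is denied, hence 403 rather than 401` would document it, and the stale commented-out assertion could go.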