From 9c84335d1b5a7400f42f4a8df008ce31c4f09924 Mon Sep 17 00:00:00 2001
From: Ben Weissmann
Date: Thu, 16 Aug 2012 15:49:46 -0700
Subject: [PATCH 1/2] Add authentication via API token

---
 app/controllers/application_controller.rb | 9 +++--
 app/controllers/users_controller.rb | 15 +++++++-
 app/views/users/show.html.haml | 7 ++++
 config/routes.rb | 1 +
 lib/tasks/users.rake | 35 +++++++++++++++++--
 .../controllers/logins_controller_test.rb | 17 ++++++++-
 .../controllers/users_controller_test.rb | 10 ++++++
 test/functional/views/users/show_test.rb | 1 +
 8 files changed, 88 insertions(+), 7 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 6b09711..ab50bab 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -21,13 +21,16 @@ class ApplicationController < ActionController::Base
   def current_user
     return @current_user if @current_user
+    # if an API key parameter was given, try to auth with that.
+    if params[:api_key]
+      return (@current_user = User.find_by_key(params[:api_key]))
+    end
+
     # we only load the user from a session cookie if we're using the same
     # database we were using when the cookie was issued
     if session[:db_sig] == DatabaseSignature.generate
-      @current_user = User.find_by_id(session[:user_id])
+      return (@current_user = User.find_by_id(session[:user_id]))
     end
-
-    return @current_user
   end
   private
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 3589ebe..fac14d8 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -14,7 +14,7 @@ class UsersController < ApplicationController
   # Updating an account is only allowed with the password auth system.
-  before_filter :require_password_auth, :except => :show
+  before_filter :require_password_auth, :except => [:show, :reset_key]
   private
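Review bot: The new API-key branch in current_user treats any present `params[:api_key]` as a credential, and an empty string is truthy in Ruby, so a request with `?api_key=` issues `User.find_by_key("")`; if any user row carries an empty-string key (the new "reset all keys" rake task suggests keys may not be populated on existing rows), that request would log in as that user. Guard with `if params[:api_key].present?` so blank values fall through to the session path. A key carried in the query string is also written to request logs and outbound Referer headers by default, so consider reading it from a request header instead, or at least add `:api_key` to `config.filter_parameters`. When a key is supplied but unknown the method now returns nil without consulting the session, which is the safer fail-closed behaviour and worth recording in the comment: `# an unknown key fails closed; the session is not consulted`.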
@@ -55,4 +55,17 @@ def update
       end
     end
   end
+
+  # POST /account/reset_key
+  def reset_key
+    current_user.generate_key
+
+    respond_to do |format|
+      if current_user.save
+        format.html { redirect_to account_path, :notice => 'Your API key has been reset.' }
+      else
+        format.html { redirect_to account_path, :error => 'Could not reset API key.' }
+      end
+    end
+  end
 end
diff --git a/app/views/users/show.html.haml b/app/views/users/show.html.haml
index 3327875..40be30d 100644
--- a/app/views/users/show.html.haml
+++ b/app/views/users/show.html.haml
@@ -26,6 +26,13 @@
   %b Email:
   %span.email= current_user.email
+%p
+  %b API Key:
+  %span.apikey= current_user.key
+  = link_to 'Reset', reset_key_path,
+    :class => 'btn btn-danger btn-mini', :method => 'post',
+    :confirm => "Are you sure? You will no longer be able to perform API requests with your old key."
+
 %p
   %b Privileged:
   %span.priv= current_user.privileged? ? 'Yes' : 'No'
diff --git a/config/routes.rb b/config/routes.rb
index 5e2d4b2..e25a934 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -58,6 +58,7 @@
   get 'account' => 'users#show', :as => 'account'
   get 'account/edit' => 'users#edit', :as => 'edit_account'
   put 'account' => 'users#update', :as => 'update_account'
+  post 'account/reset_key' => 'users#reset_key', :as => 'reset_key'
   # default: /evaluations
   root :to => 'evaluations#index'
diff --git a/lib/tasks/users.rake b/lib/tasks/users.rake
index 3599268..4cbc271 100644
--- a/lib/tasks/users.rake
+++ b/lib/tasks/users.rake
@@ -22,15 +22,23 @@ namespace :users do
   task :change_password => :environment do
     UserTasks.new.change_password
   end
+
+  desc "Reset all API keys in the system"
+  task :reset_keys => :environment do
+    UserTasks.new.reset_keys
+  end
 end
class UserTasks NON_PASS_WARNING = < val).valid?
diff --git a/test/functional/controllers/logins_controller_test.rb b/test/functional/controllers/logins_controller_test.rb
index 849d67f..79a3e79 100644
--- a/test/functional/controllers/logins_controller_test.rb
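Review bot: In reset_key's failure branch, `redirect_to account_path, :error => 'Could not reset API key.'` does not set any flash message, because redirect_to only recognises `:notice` and `:alert` (or an explicit `:flash` hash), so the error text is silently dropped; write `redirect_to account_path, :alert => 'Could not reset API key.'` or `:flash => { :error => 'Could not reset API key.' }`. Separately, the before_filter change earlier in this file excepts reset_key from require_password_auth while the comment above it still states that account updates require the password auth system; as written, a request authenticated only by an API key can rotate that key, so either keep reset_key under require_password_auth like the other mutating actions or update the comment to record that this exception is intended. The enclosing class continues outside the hunk.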
+++ b/test/functional/controllers/logins_controller_test.rb
@@ -20,6 +20,7 @@ class NonLoginsControllerTest < ActionController::TestCase
   setup do
     @user = create :user
+    session.clear
   end
   test "no credentials" do
@@ -56,7 +57,7 @@ class NonLoginsControllerTest < ActionController::TestCase
     assert_forbidden
   end
-  test "valid" do
+  test "valid user id" do
     user = create :user
     session[:db_sig] = DatabaseSignature.generate
     session[:user_id] = user.id
@@ -65,6 +66,20 @@ class NonLoginsControllerTest < ActionController::TestCase
     assert_response :success
   end
+  test "invalid api key" do
+    user = create :user
+    get :index, :api_key => 'wrong'
+    assert_forbidden
+  end
+
+  test "valid api key" do
+    user = create :user
+    get :index, :api_key => user.key
+
+    get :index
+    assert_response :success
+  end
+
   # asserts that the user is redirected to the login screen when trying to
   # load a page
   def assert_forbidden
diff --git a/test/functional/controllers/users_controller_test.rb b/test/functional/controllers/users_controller_test.rb
index f5035f2..cb02b34 100644
--- a/test/functional/controllers/users_controller_test.rb
+++ b/test/functional/controllers/users_controller_test.rb
@@ -100,4 +100,14 @@ def assert_validations_fail attrs
     assert_validations_fail :password => '1', :password_confirmation => ''
     end
   end
+
+  test "reset_key" do
+    old_key = @controller.current_user.key
+
+    post :reset_key
+
+    @controller.current_user.reload
+    assert_not_nil @controller.current_user.key
+    assert_not_equal old_key, @controller.current_user.key
+  end
 end
\ No newline at end of file
diff --git a/test/functional/views/users/show_test.rb b/test/functional/views/users/show_test.rb
index ae8c2a7..8a0e20a 100644
--- a/test/functional/views/users/show_test.rb
+++ b/test/functional/views/users/show_test.rb
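Review bot: In "valid api key" the only assertion follows a second `get :index` made without the key, so the test checks an unauthenticated follow-up request rather than the keyed one; in a functional test that reuses `@controller`, that follow-up presumably succeeds through the memoized `@current_user` rather than through API-key auth, so the test would pass even if the key branch were broken. Assert directly after the keyed request, `get :index, :api_key => user.key` then `assert_response :success`, and if the follow-up is meant to prove that key auth does not establish a session, assert `assert_forbidden` on it instead. `user = create :user` in "invalid api key" is unused and can be dropped. The test class continues outside the hunk.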
@@ -26,6 +26,7 @@ class UsersShowTest < ActionController::TestCase
     assert_select "span.username:content('#{@user.username}')"
     assert_select "span.realname:content('#{@user.name}')"
     assert_select "span.email:content('#{@user.email}')"
+    assert_select "span.apikey:content('#{@user.key}')"
     assert_select "span.priv:content('No')"
   end

From 8508d2bf0bb9920db8e8a60cc5e43fbbe4041fbf Mon Sep 17 00:00:00 2001
From: Ben Weissmann
Date: Thu, 16 Aug 2012 16:49:17 -0700
Subject: [PATCH 2/2] fix whitespace

---
 lib/tasks/users.rake | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/tasks/users.rake b/lib/tasks/users.rake
index 4cbc271..df5b2d5 100644
--- a/lib/tasks/users.rake
+++ b/lib/tasks/users.rake
@@ -106,7 +106,7 @@ END_S
       menu.header = "Successfully created user \"#{username}\""
       menu.prompt = 'Show API key? '
       menu.choice('yes') { puts "The user's API key is #{user.key}" }
-      menu.choice('no') { }
+      menu.choice('no') { }
     end
     @in.choose do |menu|
@@ -136,7 +136,7 @@ END_S
       menu.header = "Successfully changed password for \"#{username}\""
       menu.prompt = 'Change another? '
       menu.choice('yes') { change_password }
-      menu.choice('no') { }
+      menu.choice('no') { }
     end
   end
@@ -152,7 +152,7 @@ END_S
         puts "\nAPI keys have been reset."
       end
-      menu.choice('no') { }
+      menu.choice('no') {}
     end
   end