Merge branch '0.2.0-wip' of https://github.com/twitter/clockworkraven …

…into 0.2.0-wip

app/controllers/application_controller.rb

@@ -21,13 +21,16 @@ class ApplicationController < ActionController::Base
   def current_user
     return @current_user if @current_user
 
+    # if an API key parameter was given, try to auth with that.
+    if params[:api_key]
+      return (@current_user = User.find_by_key(params[:api_key]))
+    end
+
     # we only load the user from a session cookie if we're using the same
     # database we were using when the cookie was issued
     if session[:db_sig] == DatabaseSignature.generate
-      @current_user = User.find_by_id(session[:user_id])
+      return (@current_user = User.find_by_id(session[:user_id]))
     end
-
-    return @current_user
   end
 
   private

app/controllers/users_controller.rb

@@ -14,7 +14,7 @@
 
 class UsersController < ApplicationController
   # Updating an account is only allowed with the password auth system.
-  before_filter :require_password_auth, :except => :show
+  before_filter :require_password_auth, :except => [:show, :reset_key]
 
   private
 
@@ -55,4 +55,17 @@ def update
       end
     end
   end
+
+  # POST /account/reset_key
+  def reset_key
+    current_user.generate_key
+
+    respond_to do |format|
+      if current_user.save
+        format.html { redirect_to account_path, :notice => 'Your API key has been reset.' }
+      else
+        format.html { redirect_to account_path, :error => 'Could not reset API key.' }
+      end
+    end
+  end
 end

app/views/users/show.html.haml

@@ -26,6 +26,13 @@
   %b Email:
   %span.email= current_user.email
 
+%p
+  %b API Key:
+  %span.apikey= current_user.key
+  = link_to 'Reset', reset_key_path,
+          :class => 'btn btn-danger btn-mini', :method => 'post',
+          :confirm => "Are you sure? You will no longer be able to perform API requests with your old key."
+
 %p
   %b Privileged:
   %span.priv= current_user.privileged? ? 'Yes' : 'No'

config/routes.rb

@@ -58,6 +58,7 @@
   get 'account' => 'users#show', :as => 'account'
   get 'account/edit' => 'users#edit', :as => 'edit_account'
   put 'account' => 'users#update', :as => 'update_account'
+  post 'account/reset_key' => 'users#reset_key', :as => 'reset_key'
 
   # default: /evaluations
   root :to => 'evaluations#index'

lib/tasks/users.rake

@@ -22,15 +22,23 @@ namespace :users do
   task :change_password => :environment do
     UserTasks.new.change_password
   end
+
+  desc "Reset all API keys in the system"
+  task :reset_keys => :environment do
+    UserTasks.new.reset_keys
+  end
 end
 
 class UserTasks
   NON_PASS_WARNING = <<END_S
 WARNING:
 You are not currently configured to use password authentication. Users created
-in this interface will not be usable unless you modify config/auth.yml to use
-password authentication. To do this, copy config/auth.example_password.yml
+in this interface will not be able to log in unless you modify config/auth.yml
+to use password authentication. To do this, copy config/auth.example_password.yml
 to config/auth.yml.
+
+Note that users created this way will be able to use the API, even if you don't
+use password authentication.
 END_S
 
   def initialize
@@ -96,6 +104,13 @@ END_S
     @in.choose do |menu|
       menu.layout = :one_line
       menu.header = "Successfully created user \"#{username}\""
+      menu.prompt = 'Show API key? '
+      menu.choice('yes') { puts "The user's API key is #{user.key}" }
+      menu.choice('no')  {                                          }
+    end
+
+    @in.choose do |menu|
+      menu.layout = :one_line
       menu.prompt = 'Create another? '
       menu.choice('yes') { add }
       menu.choice('no')  {     }
@@ -121,7 +136,23 @@ END_S
       menu.header = "Successfully changed password for \"#{username}\""
       menu.prompt = 'Change another? '
       menu.choice('yes') { change_password }
-      menu.choice('no')  {     }
+      menu.choice('no')  {                 }
+    end
+  end
+
+  def reset_keys
+    @in.choose do |menu|
+      menu.prompt = 'This will invalidate all API keys and prevent API calls using old keys. Are you sure you want to reset keys? '
+      menu.choice('yes') do
+        User.all.each do |u|
+          u.generate_key
+          u.save!
+          print '.'
+        end
+
+        puts "\nAPI keys have been reset."
+      end
+      menu.choice('no') {}
     end
   end
 

test/functional/controllers/logins_controller_test.rb

@@ -20,6 +20,7 @@ class NonLoginsControllerTest < ActionController::TestCase
 
   setup do
     @user = create :user
+    session.clear
   end
 
   test "no credentials" do
@@ -56,7 +57,7 @@ class NonLoginsControllerTest < ActionController::TestCase
     assert_forbidden
   end
 
-  test "valid" do
+  test "valid user id" do
     user = create :user
     session[:db_sig] = DatabaseSignature.generate
     session[:user_id] = user.id
@@ -65,6 +66,20 @@ class NonLoginsControllerTest < ActionController::TestCase
     assert_response :success
   end
 
+  test "invalid api key" do
+    user = create :user
+    get :index, :api_key => 'wrong'
+    assert_forbidden
+  end
+
+  test "valid api key" do
+    user = create :user
+    get :index, :api_key => user.key
+
+    get :index
+    assert_response :success
+  end
+
   # asserts that the user is redirected to the login screen when trying to
   # load a page
   def assert_forbidden

test/functional/controllers/users_controller_test.rb

@@ -100,4 +100,14 @@ def assert_validations_fail attrs
       assert_validations_fail :password => '1', :password_confirmation => ''
     end
   end
+
+  test "reset_key" do
+    old_key = @controller.current_user.key
+
+    post :reset_key
+
+    @controller.current_user.reload
+    assert_not_nil @controller.current_user.key
+    assert_not_equal old_key, @controller.current_user.key
+  end
 end

test/functional/views/users/show_test.rb

@@ -26,6 +26,7 @@ class UsersShowTest < ActionController::TestCase
     assert_select "span.username:content('#{@user.username}')"
     assert_select "span.realname:content('#{@user.name}')"
     assert_select "span.email:content('#{@user.email}')"
+    assert_select "span.apikey:content('#{@user.key}')"
     assert_select "span.priv:content('No')"
   end