author | Rémy Coutable <remy@gitlab.com> | 2016-09-19 16:04:04 +0300 |
committer | Rémy Coutable <remy@rymai.me> | 2016-09-19 16:39:21 +0300 |
commit | 3a713ef1badabd8ab91bee24b88bad54267d4df1 (patch) | |
tree | 86de2ae6798ba90a84d0f108158ff18a9f610b79 /spec | |
parent | 410d75139541ee2a2cda04debcdbb6767a9c01bc (diff) |
Merge branch '18302-use-rails-cookie-in-api' into 'master'
Allow the Rails cookie to be used for API authentication
Makes the Rails cookie into a valid authentication token for the Grape
API, and uses it instead of token authentication in frontend code that
uses the API.
Rendering the private token into client-side javascript is a security
risk; it may be stolen through XSS or other attacks. In general,
re-using API code in the frontend is more desirable than implementing
endless actions that return JSON.
Closes #18302
See merge request !1995
Signed-off-by: Rémy Coutable <remy@rymai.me>
Diffstat (limited to 'spec')
-rw-r--r-- | spec/requests/api/api_helpers_spec.rb | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/spec/requests/api/api_helpers_spec.rb b/spec/requests/api/api_helpers_spec.rb
index c65510fadec..9a7809c4227 100644
--- a/spec/requests/api/api_helpers_spec.rb
+++ b/spec/requests/api/api_helpers_spec.rb
@@ -35,11 +35,36 @@ describe API::Helpers, api: true do
 params.delete(API::Helpers::SUDO_PARAM)
 end
+ def warden_authenticate_returns(value)
+ warden = double("warden", authenticate: value)
+ env['warden'] = warden
+ end
+
+ def doorkeeper_guard_returns(value)
+ allow_any_instance_of(self.class).to receive(:doorkeeper_guard){ value }
+ end
+
 def error!(message, status)
 raise Exception
 end
 describe ".current_user" do
+ subject { current_user }
+
+ describe "when authenticating via Warden" do
+ before { doorkeeper_guard_returns false }
+
+ context "fails" do
+ it { is_expected.to be_nil }
+ end
+
+ context "succeeds" do
+ before { warden_authenticate_returns user }
+
+ it { is_expected.to eq(user) }
+ end
+ end
+
 describe "when authenticating using a user's private token" do
 it "returns nil for an invalid token" do
 env[API::Helpers::PRIVATE_TOKEN_HEADER] = 'invalid token'
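Review bot: The `context "fails"` example never installs a Warden double, so `env['warden']` is nil there and the example covers the missing-middleware path rather than a failed authentication; if `current_user` short-circuits on a missing `env['warden']`, the `authenticate` call itself is only exercised by the success case. Add `before { warden_authenticate_returns nil }` to that context so both outcomes of `authenticate` are pinned. Since this merge turns the session cookie into an API credential, nothing in these examples asserts that a cookie-authenticated request is also subject to an authenticity/CSRF check; if the helper performs one, an example for it belongs next to these. Minor style: `receive(:doorkeeper_guard){ value }` should read `receive(:doorkeeper_guard) { value }`. The `describe ".current_user"` block continues past the end of the hunk.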