Support paired security requirements - e.g. basic and apiKey

2026-01-25 07:16:40 +00:00 · 2017-08-21 01:07:47 -07:00
parent d91601b02c
commit ad9cd5de66
8 changed files with 155 additions and 38 deletions
--- a/test-app/app/controllers/auth_tests_controller.rb
+++ b/test-app/app/controllers/auth_tests_controller.rb
@@ -2,10 +2,29 @@ class AuthTestsController < ApplicationController

  # POST /auth-tests/basic
  def basic
-    if authenticate_with_http_basic { |u, p| u == 'jsmith' && p == 'jspass' }
-      head :no_content
-    else
-      request_http_basic_authentication
-    end
+    return head :unauthorized unless authenticate_basic
+    head :no_content
+  end
+
+  # POST /auth-tests/api-key
+  def api_key
+    return head :unauthorized unless authenticate_api_key
+    head :no_content
+  end
+
+  # POST /auth-tests/basic-and-api-key
+  def basic_and_api_key
+    return head :unauthorized unless authenticate_basic and authenticate_api_key
+    head :no_content
+  end
+
+  private
+
+  def authenticate_basic
+    authenticate_with_http_basic { |u, p| u == 'jsmith' && p == 'jspass' }
+  end
+
+  def authenticate_api_key
+    params['api_key'] == 'foobar'
  end
 end
--- a/test-app/config/routes.rb
+++ b/test-app/config/routes.rb
@@ -3,6 +3,8 @@ TestApp::Application.routes.draw do
  put '/blogs/:id/upload', to: 'blogs#upload'

  post 'auth-tests/basic', to: 'auth_tests#basic'
+  post 'auth-tests/api-key', to: 'auth_tests#api_key'
+  post 'auth-tests/basic-and-api-key', to: 'auth_tests#basic_and_api_key'

  mount Rswag::Api::Engine => 'api-docs'
  mount Rswag::Ui::Engine => 'api-docs'
--- a/test-app/spec/integration/auth_tests_spec.rb
+++ b/test-app/spec/integration/auth_tests_spec.rb
@@ -4,7 +4,7 @@ describe 'Auth Tests API', type: :request, swagger_doc: 'v1/swagger.json' do

  path '/auth-tests/basic' do
    post 'Authenticates with basic auth' do
-      tags 'Auth Test'
+      tags 'Auth Tests'
      operationId 'testBasicAuth'
      security [ basic_auth: [] ]

@@ -19,4 +19,42 @@ describe 'Auth Tests API', type: :request, swagger_doc: 'v1/swagger.json' do
      end
    end
  end
+
+  path '/auth-tests/api-key' do
+    post 'Authenticates with an api key' do
+      tags 'Auth Tests'
+      operationId 'testApiKey'
+      security [ api_key: [] ]
+
+      response '204', 'Valid credentials' do
+        let(:api_key) { 'foobar' }
+        run_test!
+      end
+
+      response '401', 'Invalid credentials' do
+        let(:api_key) { 'barfoo' }
+        run_test!
+      end
+    end
+  end
+
+  path '/auth-tests/basic-and-api-key' do
+    post 'Authenticates with basic auth and api key' do
+      tags 'Auth Tests'
+      operationId 'testBasicAndApiKey'
+      security [ { basic_auth: [], api_key: [] } ]
+
+      response '204', 'Valid credentials' do
+        let(:Authorization) { "Basic #{::Base64.strict_encode64('jsmith:jspass')}" }
+        let(:api_key) { 'foobar' }
+        run_test!
+      end
+
+      response '401', 'Invalid credentials' do
+        let(:Authorization) { "Basic #{::Base64.strict_encode64('jsmith:jspass')}" }
+        let(:api_key) { 'barfoo' }
+        run_test!
+      end
+    end
+  end
 end
--- a/test-app/spec/integration/blogs_spec.rb
+++ b/test-app/spec/integration/blogs_spec.rb
@@ -91,7 +91,7 @@ describe 'Blogs API', type: :request, swagger_doc: 'v1/swagger.json' do
    let(:id) { blog.id }
    let(:blog) { Blog.create(title: 'foo', content: 'bar') }

-    put 'upload a blog thumbnail' do
+    put 'Uploads a blog thumbnail' do
      tags 'Blogs'
      description 'Upload a thumbnail for specific blog by id'
      operationId 'uploadThumbnailBlog'
--- a/test-app/spec/swagger_helper.rb
+++ b/test-app/spec/swagger_helper.rb
@@ -54,10 +54,7 @@ RSpec.configure do |config|
          name: 'api_key',
          in: :query
        }
-      },
-      security: [
-        { api_key: [] }
-      ]
+      }
    }
  }
 end
--- a/test-app/swagger/v1/swagger.json
+++ b/test-app/swagger/v1/swagger.json
@@ -9,7 +9,7 @@
      "post": {
        "summary": "Authenticates with basic auth",
        "tags": [
-          "Auth Test"
+          "Auth Tests"
        ],
        "operationId": "testBasicAuth",
        "security": [
@@ -29,6 +29,57 @@
        }
      }
    },
+    "/auth-tests/api-key": {
+      "post": {
+        "summary": "Authenticates with an api key",
+        "tags": [
+          "Auth Tests"
+        ],
+        "operationId": "testApiKey",
+        "security": [
+          {
+            "api_key": [
+
+            ]
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "Valid credentials"
+          },
+          "401": {
+            "description": "Invalid credentials"
+          }
+        }
+      }
+    },
+    "/auth-tests/basic-and-api-key": {
+      "post": {
+        "summary": "Authenticates with basic auth and api key",
+        "tags": [
+          "Auth Tests"
+        ],
+        "operationId": "testBasicAndApiKey",
+        "security": [
+          {
+            "basic_auth": [
+
+            ],
+            "api_key": [
+
+            ]
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "Valid credentials"
+          },
+          "401": {
+            "description": "Invalid credentials"
+          }
+        }
+      }
+    },
    "/blogs": {
      "post": {
        "summary": "Creates a blog",
@@ -149,7 +200,7 @@
        }
      ],
      "put": {
-        "summary": "upload a blog thumbnail",
+        "summary": "Uploads a blog thumbnail",
        "tags": [
          "Blogs"
        ],
@@ -226,12 +277,5 @@
      "name": "api_key",
      "in": "query"
    }
-  },
-  "security": [
-    {
-      "api_key": [
-
-      ]
-    }
-  ]
+  }
 }