dawarich/app/controllers/api_controller.rb

# frozen_string_literal: true

class ApiController < ApplicationController
  # Requests to this controller are authenticated by API key (see
  # authenticate_api_key), so the CSRF token check is skipped here.
  skip_before_action :verify_authenticity_token
  before_action :set_version_header
  before_action :authenticate_api_key

  rescue_from ActiveRecord::RecordNotFound, with: :record_not_found

  private

  def record_not_found
    render json: { error: 'Record not found' }, status: :not_found
  end

  # Declared before authenticate_api_key, so these headers (including the
  # application version) are also set on unauthenticated 401 responses.
  def set_version_header
    message = "Hey, I'm alive#{current_api_user ? ' and authenticated' : ''}!"

    response.set_header('X-Dawarich-Response', message)
    response.set_header('X-Dawarich-Version', APP_VERSION)
  end

  # Default filter: responds 401 with an empty body unless the supplied
  # API key resolves to a user.
  def authenticate_api_key
    return head :unauthorized unless current_api_user

    true
  end

  # Stricter check that is not registered as a before_action in this class:
  # it also rejects users whose active_until date has passed.
  def authenticate_active_api_user!
    if current_api_user.nil?
      render json: { error: 'User account is not active or has been deleted' }, status: :unauthorized

      return false
    end

    if current_api_user.active_until&.past?
      render json: { error: 'User subscription is not active' }, status: :unauthorized

      return false
    end

    true
  end

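  # Resolves the API key to a user. The result is memoized only when a user
  # is found; a nil result is looked up again on the next call.
  # With no key supplied, find_by(api_key: nil) matches rows whose api_key is
  # NULL, so this lookup relies on that column never being NULL.
  def current_api_user
    @current_api_user ||= begin
      user = User.active_accounts.find_by(api_key:)
      user if user&.active_for_authentication?
    end
  end

  # Key source: the api_key request parameter, otherwise the last
  # space-separated token of the Authorization header.
  def api_key
    params[:api_key] || request.headers['Authorization']&.split(' ')&.last
  end
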
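  # Renders 400 naming every blank parameter listed in required_params,
  # otherwise permits exactly those parameters.
  def validate_params
    missing_params = required_params.select { |param| params[param].blank? }

    if missing_params.any?
      render json: {
        error: "Missing required parameters: #{missing_params.join(', ')}"
      }, status: :bad_request and return
    end

    params.permit(*required_params)
  end

  # Empty by default in this base class.
  def required_params
    []
  end
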
  def validate_points_limit
    limit_exceeded = PointsLimitExceeded.new(current_api_user).call

    render json: { error: 'Points limit exceeded' }, status: :unauthorized if limit_exceeded
  end
end