Accept API key in query string for api/v1/overland/batches

2026-01-10 01:01:39 -05:00 · 2024-05-25 12:47:25 +02:00 · 2024-05-25 12:47:25 +02:00 · 8c1d8a1470
commit 8c1d8a1470
parent add1eb2539
6 changed files with 60 additions and 11 deletions
--- a/app/controllers/api/v1/overland/batches_controller.rb
+++ b/app/controllers/api/v1/overland/batches_controller.rb
@ -2,6 +2,7 @@

 class Api::V1::Overland::BatchesController < ApplicationController
  skip_forgery_protection
+  before_action :authenticate_api_key

  def create
    Overland::BatchCreatingJob.perform_later(batch_params)
@ -12,6 +13,6 @@ class Api::V1::Overland::BatchesController < ApplicationController
  private

  def batch_params
-    params.permit(locations: [:type, geometry: {}, properties: {}], batch: {})
+    params.permit(locations: [:type, { geometry: {}, properties: {} }], batch: {})
  end
 end
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -1,3 +1,17 @@
+# frozen_string_literal: true
+
 class ApplicationController < ActionController::Base
  include Pundit::Authorization
+
+  protected
+
+  def authenticate_api_key
+    return head :unauthorized unless current_api_user
+
+    true
+  end
+
+  def current_api_user
+    @current_api_user ||= User.find_by(api_key: params[:api_key])
+  end
 end
--- a/app/views/devise/registrations/edit.html.erb
+++ b/app/views/devise/registrations/edit.html.erb
@ -2,7 +2,7 @@
  <div class="hero-content flex-col lg:flex-row-reverse w-full my-10">
    <div class="text-center lg:text-left">
      <h1 class="text-5xl font-bold">Edit your account!</h1>
-      <%#= render 'devise/registrations/api_key' %>
+      <%= render 'devise/registrations/api_key' %>
    </div>
    <div class="card flex-shrink-0 w-full max-w-sm shadow-2xl bg-base-100 px-5 py-5">
      <%= form_for(resource, as: resource_name, url: registration_path(resource_name), class: 'form-body', html: { method: :put }) do |f| %>
--- a/spec/requests/api/v1/overland/batches_spec.rb
+++ b/spec/requests/api/v1/overland/batches_spec.rb
@ -9,16 +9,28 @@ RSpec.describe 'Api::V1::Overland::Batches', type: :request do
    let(:json) { JSON.parse(file.read) }
    let(:params) { json }

-    it 'returns http success' do
-      post '/api/v1/overland/batches', params: params
+    context 'with invalid api key' do
+      it 'returns http unauthorized' do
+        post '/api/v1/overland/batches', params: params

-      expect(response).to have_http_status(:created)
+        expect(response).to have_http_status(:unauthorized)
+      end
    end

-    it 'enqueues a job' do
-      expect do
-        post '/api/v1/overland/batches', params: params
-      end.to have_enqueued_job(Overland::BatchCreatingJob)
+    context 'with valid api key' do
+      let(:user) { create(:user) }
+
+      it 'returns http success' do
+        post "/api/v1/overland/batches?api_key=#{user.api_key}", params: params
+
+        expect(response).to have_http_status(:created)
+      end
+
+      it 'enqueues a job' do
+        expect do
+          post "/api/v1/overland/batches?api_key=#{user.api_key}", params: params
+        end.to have_enqueued_job(Overland::BatchCreatingJob)
+      end
    end
  end
 end
--- a/spec/swagger/api/v1/overland/batches_controller_spec.rb
+++ b/spec/swagger/api/v1/overland/batches_controller_spec.rb
@ -72,12 +72,26 @@ describe 'Batches API', type: :request do
        }
      }

+      parameter name: :api_key, in: :query, type: :string, required: true, description: 'API Key'
+
      response '201', 'Batch of points created' do
        let(:file_path) { 'spec/fixtures/files/overland/geodata.json' }
        let(:file) { File.open(file_path) }
        let(:json) { JSON.parse(file.read) }
        let(:params) { json }
        let(:locations) { params['locations'] }
+        let(:api_key) { create(:user).api_key }
+
+        run_test!
+      end
+
+      response '401', 'Unauthorized' do
+        let(:file_path) { 'spec/fixtures/files/overland/geodata.json' }
+        let(:file) { File.open(file_path) }
+        let(:json) { JSON.parse(file.read) }
+        let(:params) { json }
+        let(:locations) { params['locations'] }
+        let(:api_key) { nil }

        run_test!
      end
--- a/swagger/v1/swagger.yaml
+++ b/swagger/v1/swagger.yaml
@ -9,10 +9,18 @@ paths:
      summary: Creates a batch of points
      tags:
      - Batches
-      parameters: []
+      parameters:
+      - name: api_key
+        in: query
+        required: true
+        description: API Key
+        schema:
+          type: string
      responses:
        '201':
          description: Batch of points created
+        '401':
+          description: Unauthorized
      requestBody:
        content:
          application/json:
@ -172,7 +180,7 @@ paths:
                  lat: 52.502397
                  lon: 13.356718
                  tid: Swagger
-                  tst: 1716488929
+                  tst: 1716633953
 servers:
 - url: http://{defaultHost}
  variables: