Use the correct redis variable for checking map key (closes #44)

Includes testcase
2012-08-02 12:18:54 +02:00 · 2012-08-02 12:18:54 +02:00 · 4723c028c9
commit 4723c028c9
parent 639eea00cc
3 changed files with 19 additions and 4 deletions
--- a/app/models/apikey_auth.js
+++ b/app/models/apikey_auth.js
@ -12,7 +12,6 @@ module.exports = (function() {
        user_metadata_db: 5,
        table_metadata_db: 0,
        user_key: "rails:users:<%= username %>",
-        map_key: "rails:users:<%= username %>:map_key",
        table_key: "rails:<%= database_name %>:<%= table_name %>"
    };

@ -76,9 +75,13 @@ module.exports = (function() {
    me.checkAPIKey= function(req, callback) {
        // strip subdomain from header host
        var username = req.headers.host.split('.')[0];
-        var redisKey = _.template(this.map_key, {username: username});
+        var redisKey = "rails:users:" + username;
        var api_key = req.query.api_key || req.body.api_key;
-        this.inSet(this.user_metadata_db, redisKey, api_key, callback);
+        this.retrieve(this.user_metadata_db, redisKey, "map_key", function(err, val) {
+          var allow = 0;
+          if ( val && val == api_key ) allow = 1;
+          callback(err, allow);
+        });
    };

    /**
--- a/test/acceptance/app.auth.test.js
+++ b/test/acceptance/app.auth.test.js
@ -33,5 +33,16 @@ test('invalid api key should NOT allow insert in protected tables', function(don
    }, function() { done(); });
 });

+test('invalid api key (old redis location) should NOT allow insert in protected tables', function(done){
+    assert.response(app, {
+        // view prepare_db.sh to see where to set api_key
+        url: "/api/v1/sql?api_key=1235&q=INSERT%20INTO%20private_table%20(name)%20VALUES%20('RAMBO')",
+
+        headers: {host: 'vizzuality.cartodb.com' },
+        method: 'GET'
+    },{
+        status: 400
+    }, function() { done(); });
+});

 });
--- a/test/prepare_db.sh
+++ b/test/prepare_db.sh
@ -38,7 +38,8 @@ psql -f test.sql ${TEST_DB}
 echo "preparing redis..."
 echo "HSET rails:users:vizzuality id 1" | redis-cli -p ${REDIS_PORT} -n 5
 echo "HSET rails:users:vizzuality database_name ${TEST_DB}" | redis-cli -p ${REDIS_PORT} -n 5
-echo "SADD rails:users:vizzuality:map_key 1234" | redis-cli -p ${REDIS_PORT} -n 5
+echo "HSET rails:users:vizzuality" "map_key" "1234" | redis-cli -p ${REDIS_PORT} -n 5
+echo "SADD rails:users:vizzuality:map_key 1235" | redis-cli -p ${REDIS_PORT} -n 5
 echo "hset rails:oauth_access_tokens:l0lPbtP68ao8NfStCiA3V3neqfM03JKhToxhUQTR consumer_key fZeNGv5iYayvItgDYHUbot1Ukb5rVyX6QAg8GaY2" | redis-cli -p ${REDIS_PORT} -n 3
 echo "hset rails:oauth_access_tokens:l0lPbtP68ao8NfStCiA3V3neqfM03JKhToxhUQTR consumer_secret IBLCvPEefxbIiGZhGlakYV4eM8AbVSwsHxwEYpzx" | redis-cli -p ${REDIS_PORT} -n 3
 echo "hset rails:oauth_access_tokens:l0lPbtP68ao8NfStCiA3V3neqfM03JKhToxhUQTR access_token_token l0lPbtP68ao8NfStCiA3V3neqfM03JKhToxhUQTR" | redis-cli -p ${REDIS_PORT} -n 3