diff --git a/NEWS.md b/NEWS.md
index 9ccc69fa..6d6134d4 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -3,6 +3,8 @@
 * Configurable logging format (#4)
 * Detailed error on missing user metadata
 * ./Configure script
+* Accept "api_key" in addition to "map_key",
+  both in query_string and POST body (#38)
 
 1.0.0 (03/10/12)
 -----
diff --git a/lib/cartodb/carto_data.js b/lib/cartodb/carto_data.js
index 86336b09..87a8bf8c 100644
--- a/lib/cartodb/carto_data.js
+++ b/lib/cartodb/carto_data.js
@@ -77,7 +77,13 @@ module.exports = function() {
 var redisKey = "rails:users:" + username;
 this.retrieve(this.user_metadata_db, redisKey, "map_key", function(err, val) {
 var valid = 0;
- if ( val && val == req.query.map_key ) valid = 1;
+ if ( val ) {
+ if ( val == req.query.map_key ) valid = 1;
+ else if ( val == req.query.api_key ) valid = 1;
+ // check also in request body
+ else if ( req.body && req.body.map_key && val == req.body.map_key ) valid = 1;
+ else if ( req.body && req.body.api_key && val == req.body.api_key ) valid = 1;
+ }
 callback(err, valid);
 });
 };
diff --git a/lib/cartodb/server_options.js b/lib/cartodb/server_options.js
index 5761a776..b65bf5da 100644
--- a/lib/cartodb/server_options.js
+++ b/lib/cartodb/server_options.js
@@ -49,7 +49,7 @@ module.exports = function(){
 me.req2params = function(req, callback){
 // Whitelist query parameters and attach format
- var good_query = ['sql', 'geom_type', 'cache_buster','callback', 'interactivity', 'map_key', 'style'];
+ var good_query = ['sql', 'geom_type', 'cache_buster','callback', 'interactivity', 'map_key', 'api_key', 'style'];
 var bad_query = _.difference(_.keys(req.query), good_query);
 _.each(bad_query, function(key){ delete req.query[key]; });
diff --git a/test/acceptance/server.js b/test/acceptance/server.js
index d1904063..c896d2a9 100644
--- a/test/acceptance/server.js
+++ b/test/acceptance/server.js
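Review bot: The four `==` comparisons added under `if ( val )` in carto_data.js compare the stored key loosely, so a query or body value that is not a string (an array produced by `api_key[]=…`, or a number from a JSON body) is matched after coercion rather than as the literal credential, and the `req.body.map_key &&` / `req.body.api_key &&` guards are redundant once `val` is known to be truthy. Collecting the four candidates and accepting only an exact string match with `===` keeps the same sources (query and body, both names) while making the check explicit; this assumes `retrieve` hands back the key as a string, which the existing comparison against `req.query.map_key` suggests but the hunk does not show, so confirm before switching to strict equality. The function that contains this callback begins before the hunk.
```javascript
      if ( val ) {
        // accepted sources, in order: query string, then POST body (when a body parser ran)
        var candidates = [ req.query.map_key, req.query.api_key ];
        if ( req.body ) candidates.push(req.body.map_key, req.body.api_key);
        for ( var i = 0; i < candidates.length; ++i ) {
          // only an exact string match authenticates; no loose coercion of arrays or numbers
          if ( typeof candidates[i] === 'string' && candidates[i] === val ) { valid = 1; break; }
        }
      }
      // … unchanged: callback(err, valid) …
```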
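Review bot: The `good_query` whitelist in server_options.js now lets `api_key` through with nothing saying it is an alias of `map_key`, so a later reader pruning the list has no hint that the two names are interchangeable; a one-line comment above the array, `// 'map_key' and 'api_key' name the same credential (#38); both are checked in carto_data.js`, ties the whitelist entry to the authorization check. The key also remains in `req.query` after this point and therefore travels with whatever later consumes the query (the hunk does not show where that goes), so removing it once authentication has read it may be worth a follow-up. The enclosing `req2params` function continues past the hunk.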
@@ -146,7 +146,21 @@ suite('server', function() {
 done();
 });
 });
-
+
+ // See https://github.com/Vizzuality/Windshaft-cartodb/issues/38
+ test("post'ing good style with auth passed as api_key returns 200", function(done){
+ assert.response(server, {
+ url: '/tiles/my_table5/style?api_key=1234',
+ method: 'POST',
+ headers: {host: 'localhost', 'Content-Type': 'application/x-www-form-urlencoded' },
+ data: querystring.stringify({style: 'Map {background-color:#fff;}'})
+ },{}, function(res) {
+ assert.equal(res.statusCode, 200, res.body);
+ done();
+ });
+ });
+
+ // See https://github.com/Vizzuality/cartodb-management/issues/155
 test("post'ing good style with no authentication returns an error", function(done){
 assert.response(server, {
 url: '/tiles/my_table5/style?map_key=1234',
@@ -268,6 +282,18 @@ suite('server', function() {
 });
 });
 
+ // See https://github.com/Vizzuality/Windshaft-cartodb/issues/38
+ test("delete'ing style with api_key is accepted", function(done){
+ assert.response(server, {
+ url: '/tiles/my_table5/style?api_key=1234',
+ method: 'DELETE',
+ headers: {host: 'localhost'},
+ },{}, function(res) {
+ assert.equal(res.statusCode, 200, res.body);
+ done();
+ });
+ });
+
 /////////////////////////////////////////////////////////////////////////////////
 //
 // GET INFOWINDOW
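Review bot: Both new tests here (`post'ing good style with auth passed as api_key returns 200`, and `delete'ing style with api_key is accepted` in the following hunk) send the key only in the query string, so the POST-body acceptance that the carto_data.js change and the NEWS entry describe has no coverage at all. A variant of the POST test that drops `?api_key=1234` from `url` and adds `api_key: '1234'` to the `querystring.stringify({...})` form data would exercise that branch. A negative case — a wrong `api_key` value being rejected — is also missing, so the new branches are only tested for acceptance, never for refusal. The `suite` callback enclosing these tests starts before the hunk.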
@@ -456,6 +482,20 @@ suite('server', function() {
 }, function() { done(); });
 });
 
+ // See https://github.com/Vizzuality/Windshaft-cartodb/issues/38
+ test("get'ing a tile with data from private table should succeed when authenticated with api_key", function(done){
+ // NOTE: may fail if grainstore < 0.3.0 is used by Windshaft
+ var sql = querystring.stringify({sql: "SELECT * FROM test_table_private_1", api_key: 1234})
+ assert.response(server, {
+ headers: {host: 'localhost'},
+ url: '/tiles/gadm4/6/31/24.png?' + sql,
+ method: 'GET'
+ },{
+ status: 200,
+ headers: { 'Content-Type': 'image/png' }
+ }, function() { done(); });
+ });
+
 test("get'ing a tile with data from private table should fail when unauthenticated", function(done){
 var sql = querystring.stringify({
 sql: "SELECT * FROM test_table_private_1",
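Review bot: The `var sql = querystring.stringify({sql: "SELECT * FROM test_table_private_1", api_key: 1234})` line in the new test has no terminating semicolon, unlike the other statements in the test, so the statement boundary is left to automatic semicolon insertion; add the `;`. The `api_key: 1234` value is a number that `querystring.stringify` serializes as `'1234'`, which works for this test but is clearer written as the string `'1234'` the server actually compares, matching the `?api_key=1234` form used in the style tests. The `suite` callback enclosing this test begins before the hunk.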