Accept "api_key" as "map_key", in both query_string and POST body

Closes #38
Sandro Santilli 2012-10-05 16:16:48 +02:00
parent 6ca726ae24
commit dc9286b610
4 changed files with 51 additions and 3 deletions


@ -3,6 +3,8 @@
* Configurable logging format (#4)
* Detailed error on missing user metadata
* ./Configure script
* Accept "api_key" in addition to "map_key",
both in query_string and POST body (#38)
1.0.0 (03/10/12)
-----


@ -77,7 +77,13 @@ module.exports = function() {
var redisKey = "rails:users:" + username;
this.retrieve(this.user_metadata_db, redisKey, "map_key", function(err, val) {
var valid = 0;
if ( val && val == req.query.map_key ) valid = 1;
if ( val ) {
if ( val == req.query.map_key ) valid = 1;
else if ( val == req.query.api_key ) valid = 1;
// check also in request body
else if ( req.body && req.body.map_key && val == req.body.map_key ) valid = 1;
else if ( req.body && req.body.api_key && val == req.body.api_key ) valid = 1;
}
callback(err, valid);
});
};
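Review bot: The four new `else if` branches compare the stored key `val` with request input using loose `==`; since `val` is what `retrieve` hands back (presumably a string) and query/body values are strings, `===` is the safer comparison for a credential check, and it also makes the `req.body.map_key &&` / `req.body.api_key &&` truthiness guards redundant because `val` is already known to be truthy inside the `if ( val )` block. The branches collapse to two lines: `if ( val === req.query.map_key || val === req.query.api_key ) valid = 1;` followed by `else if ( req.body && (val === req.body.map_key || val === req.body.api_key) ) valid = 1;`. The comment `// check also in request body` currently sits between two `else if` arms and reads as if it applied to the query branch above it; it belongs directly above the body check. The tests added in this commit pass `api_key` only in the URL, so the two body branches are not exercised by them. The enclosing function starts outside the hunk.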


@ -49,7 +49,7 @@ module.exports = function(){
me.req2params = function(req, callback){
// Whitelist query parameters and attach format
var good_query = ['sql', 'geom_type', 'cache_buster','callback', 'interactivity', 'map_key', 'style'];
var good_query = ['sql', 'geom_type', 'cache_buster','callback', 'interactivity', 'map_key', 'api_key', 'style'];
var bad_query = _.difference(_.keys(req.query), good_query);
_.each(bad_query, function(key){ delete req.query[key]; });
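Review bot: The whitelist line gains `'api_key'` with nothing linking it to `'map_key'`, so a reader of req2params cannot tell that the two are aliases the authorization step checks together and that dropping either one would silently break authenticated requests. Add a comment above the array: `// 'api_key' is an alias of 'map_key' (#38); both must survive whitelisting for the auth check`. The req2params function continues outside the hunk.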


@ -146,7 +146,21 @@ suite('server', function() {
done();
});
});
// See https://github.com/Vizzuality/Windshaft-cartodb/issues/38
test("post'ing good style with auth passed as api_key returns 200", function(done){
assert.response(server, {
url: '/tiles/my_table5/style?api_key=1234',
method: 'POST',
headers: {host: 'localhost', 'Content-Type': 'application/x-www-form-urlencoded' },
data: querystring.stringify({style: 'Map {background-color:#fff;}'})
},{}, function(res) {
assert.equal(res.statusCode, 200, res.body);
done();
});
});
// See https://github.com/Vizzuality/cartodb-management/issues/155
test("post'ing good style with no authentication returns an error", function(done){
assert.response(server, {
url: '/tiles/my_table5/style?map_key=1234',
@ -268,6 +282,18 @@ suite('server', function() {
});
});
// See https://github.com/Vizzuality/Windshaft-cartodb/issues/38
test("delete'ing style with api_key is accepted", function(done){
assert.response(server, {
url: '/tiles/my_table5/style?api_key=1234',
method: 'DELETE',
headers: {host: 'localhost'},
},{}, function(res) {
assert.equal(res.statusCode, 200, res.body);
done();
});
});
/////////////////////////////////////////////////////////////////////////////////
//
// GET INFOWINDOW
@ -456,6 +482,20 @@ suite('server', function() {
}, function() { done(); });
});
// See https://github.com/Vizzuality/Windshaft-cartodb/issues/38
test("get'ing a tile with data from private table should succeed when authenticated with api_key", function(done){
// NOTE: may fail if grainstore < 0.3.0 is used by Windshaft
var sql = querystring.stringify({sql: "SELECT * FROM test_table_private_1", api_key: 1234})
assert.response(server, {
headers: {host: 'localhost'},
url: '/tiles/gadm4/6/31/24.png?' + sql,
method: 'GET'
},{
status: 200,
headers: { 'Content-Type': 'image/png' }
}, function() { done(); });
});
test("get'ing a tile with data from private table should fail when unauthenticated", function(done){
var sql = querystring.stringify({
sql: "SELECT * FROM test_table_private_1",