From d04ba4b3b2e4c750d3f4bd32a2263cd6e405eb69 Mon Sep 17 00:00:00 2001 From: Blake Erickson Date: Mon, 6 Apr 2020 16:55:44 -0600 Subject: [PATCH] DEPRECATION: Remove support for api creds in query params (#9106) * DEPRECATION: Remove support for api creds in query params This commit removes support for api credentials in query params except for a few whitelisted routes like rss/json feeds and the handle_mail route. Several tests were written to valid these changes, but the bulk of the spec changes are just switching them over to use header based auth so that they will pass without changing what they were actually testing. Original commit that notified admins this change was coming was created over 3 months ago: 2db20031879dbafd1a90cbb1a43bca55d51c1b08 * fix tests * Also allow iCalendar feeds Co-authored-by: Rafael dos Santos Silva --- lib/auth/default_current_user_provider.rb | 11 +- .../default_current_user_provider_spec.rb | 109 +++++++++++++---- .../invite_only_registration_spec.rb | 17 +-- spec/integration/rate_limiting_spec.rb | 12 +- spec/requests/admin/users_controller_spec.rb | 5 +- spec/requests/embed_controller_spec.rb | 6 +- spec/requests/posts_controller_spec.rb | 113 ++++++------------ spec/requests/uploads_controller_spec.rb | 5 +- spec/requests/user_badges_controller_spec.rb | 10 +- spec/requests/users_controller_spec.rb | 25 ++-- 10 files changed, 170 insertions(+), 143 deletions(-) diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb index 3e293dcb77e..c43580c042e 100644 --- a/lib/auth/default_current_user_provider.rb +++ b/lib/auth/default_current_user_provider.rb @@ -286,12 +286,8 @@ class Auth::DefaultCurrentUserProvider if api_key = ApiKey.active.with_key(api_key_value).includes(:user).first api_username = header_api_key? ? @env[HEADER_API_USERNAME] : request[API_USERNAME] - # Check for deprecated api auth if !header_api_key? - unless is_whitelisted_query_param_auth_route?(request) - # Notify admins of deprecated auth method - AdminDashboardData.add_problem_message('dashboard.deprecated_api_usage', 1.day) - end + raise Discourse::InvalidAccess unless is_whitelisted_query_param_auth_route?(request) end if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) } @@ -321,12 +317,13 @@ class Auth::DefaultCurrentUserProvider private def is_whitelisted_query_param_auth_route?(request) - (is_rss_feed?(request) || is_handle_mail?(request)) + (is_user_feed?(request) || is_handle_mail?(request)) end - def is_rss_feed?(request) + def is_user_feed?(request) return true if request.path.match?(/\/(c|t){1}\/\S*.(rss|json)/) && request.get? # topic or category route return true if request.path.match?(/\/(latest|top|categories).(rss|json)/) && request.get? # specific routes with rss + return true if request.path.match?(/\/u\/\S*\/bookmarks.(ics|json)/) && request.get? # specific routes with ics end def is_handle_mail?(request) diff --git a/spec/components/auth/default_current_user_provider_spec.rb b/spec/components/auth/default_current_user_provider_spec.rb index f0c6fbc90e5..621ece61e09 100644 --- a/spec/components/auth/default_current_user_provider_spec.rb +++ b/spec/components/auth/default_current_user_provider_spec.rb @@ -33,7 +33,8 @@ describe Auth::DefaultCurrentUserProvider do it "finds a user for a correct per-user api key" do user = Fabricate(:user) api_key = ApiKey.create!(user_id: user.id, created_by_id: -1) - good_provider = provider("/?api_key=#{api_key.key}") + params = { "HTTP_API_KEY" => api_key.key } + good_provider = provider("/", params) expect(good_provider.current_user.id).to eq(user.id) expect(good_provider.is_api?).to eq(true) expect(good_provider.is_user_api?).to eq(false) @@ -67,20 +68,22 @@ describe Auth::DefaultCurrentUserProvider do it "raises for a revoked key" do user = Fabricate(:user) - key = ApiKey.create! + api_key = ApiKey.create! + params = { "HTTP_API_USERNAME" => user.username.downcase, "HTTP_API_KEY" => api_key.key } expect( - provider("/?api_key=#{key.key}&api_username=#{user.username.downcase}").current_user.id + provider("/", params).current_user.id ).to eq(user.id) - key.reload.update(revoked_at: Time.zone.now, last_used_at: nil) - expect(key.reload.last_used_at).to eq(nil) + api_key.reload.update(revoked_at: Time.zone.now, last_used_at: nil) + expect(api_key.reload.last_used_at).to eq(nil) + params = { "HTTP_API_USERNAME" => user.username.downcase, "HTTP_API_KEY" => api_key.key } expect { - provider("/?api_key=#{key.key}&api_username=#{user.username.downcase}").current_user + provider("/", params).current_user }.to raise_error(Discourse::InvalidAccess) - key.reload - expect(key.last_used_at).to eq(nil) + api_key.reload + expect(api_key.last_used_at).to eq(nil) end it "raises for a user with a mismatching ip" do @@ -97,25 +100,35 @@ describe Auth::DefaultCurrentUserProvider do freeze_time user = Fabricate(:user) - key = ApiKey.create!(user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24']) + api_key = ApiKey.create!(user_id: user.id, created_by_id: -1, allowed_ips: ['100.0.0.0/24']) + params = { + "HTTP_API_USERNAME" => user.username.downcase, + "HTTP_API_KEY" => api_key.key, + "REMOTE_ADDR" => "100.0.0.22" + } - found_user = provider("/?api_key=#{key.key}&api_username=#{user.username.downcase}", - "REMOTE_ADDR" => "100.0.0.22").current_user + found_user = provider("/", params).current_user expect(found_user.id).to eq(user.id) - found_user = provider("/?api_key=#{key.key}&api_username=#{user.username.downcase}", - "HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22").current_user + params = { + "HTTP_API_USERNAME" => user.username.downcase, + "HTTP_API_KEY" => api_key.key, + "HTTP_X_FORWARDED_FOR" => "10.1.1.1, 100.0.0.22" + } + + found_user = provider("/", params).current_user expect(found_user.id).to eq(user.id) - key.reload - expect(key.last_used_at).to eq_time(Time.zone.now) + api_key.reload + expect(api_key.last_used_at).to eq_time(Time.zone.now) end it "finds a user for a correct system api key" do user = Fabricate(:user) api_key = ApiKey.create!(created_by_id: -1) - expect(provider("/?api_key=#{api_key.key}&api_username=#{user.username.downcase}").current_user.id).to eq(user.id) + params = { "HTTP_API_USERNAME" => user.username.downcase, "HTTP_API_KEY" => api_key.key } + expect(provider("/", params).current_user.id).to eq(user.id) end it "raises for a mismatched api_key param and header username" do @@ -130,8 +143,9 @@ describe Auth::DefaultCurrentUserProvider do it "finds a user for a correct system api key with external id" do user = Fabricate(:user) api_key = ApiKey.create!(created_by_id: -1) + params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USER_EXTERNAL_ID" => "abc" } SingleSignOnRecord.create(user_id: user.id, external_id: "abc", last_payload: '') - expect(provider("/?api_key=#{api_key.key}&api_user_external_id=abc").current_user.id).to eq(user.id) + expect(provider("/", params).current_user.id).to eq(user.id) end it "raises for a mismatched api_key param and header external id" do @@ -147,7 +161,8 @@ describe Auth::DefaultCurrentUserProvider do it "finds a user for a correct system api key with id" do user = Fabricate(:user) api_key = ApiKey.create!(created_by_id: -1) - expect(provider("/?api_key=#{api_key.key}&api_user_id=#{user.id}").current_user.id).to eq(user.id) + params = { "HTTP_API_USER_ID" => user.id, "HTTP_API_KEY" => api_key.key } + expect(provider("/", params).current_user.id).to eq(user.id) end it "raises for a mismatched api_key param and header user id" do @@ -176,36 +191,80 @@ describe Auth::DefaultCurrentUserProvider do user = Fabricate(:user) api_key = ApiKey.create!(created_by_id: -1) key = api_key.key + user_params = { "HTTP_API_KEY" => key, "HTTP_API_USERNAME" => user.username.downcase } + system_params = { "HTTP_API_KEY" => key, "HTTP_API_USERNAME" => "system" } - provider("/?api_key=#{key}&api_username=#{user.username.downcase}").current_user - provider("/?api_key=#{key}&api_username=system").current_user - provider("/?api_key=#{key}&api_username=#{user.username.downcase}").current_user + provider("/", user_params).current_user + provider("/", system_params).current_user + provider("/", user_params).current_user expect do - provider("/?api_key=#{key}&api_username=system").current_user + provider("/", system_params).current_user end.to raise_error(RateLimiter::LimitExceeded) freeze_time 59.seconds.from_now expect do - provider("/?api_key=#{key}&api_username=system").current_user + provider("/", system_params).current_user end.to raise_error(RateLimiter::LimitExceeded) freeze_time 2.seconds.from_now # 1 minute elapsed - provider("/?api_key=#{key}&api_username=system").current_user + provider("/", system_params).current_user # should not rake limit a random key api_key.destroy api_key = ApiKey.create!(created_by_id: -1) - provider("/?api_key=#{api_key.key}&api_username=#{user.username.downcase}").current_user + user_params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => user.username.downcase } + provider("/", user_params).current_user end end end + context "whitelisted api auth query param routes" do + + it "allows rss feeds" do + user = Fabricate(:user) + api_key = ApiKey.create!(user_id: user.id, created_by_id: -1) + url = "/latest.rss?api_key=#{api_key.key}&api_username=#{user.username.downcase}" + expect(provider(url).current_user.id).to eq(user.id) + end + + it "allows ics feeds" do + user = Fabricate(:user) + api_key = ApiKey.create!(user_id: user.id, created_by_id: -1) + url = "/u/#{user.username}/bookmarks.ics?api_key=#{api_key.key}&api_username=#{user.username.downcase}" + expect(provider(url).current_user.id).to eq(user.id) + end + + it "allows handle mail route" do + user = Fabricate(:user) + api_key = ApiKey.create!(user_id: user.id, created_by_id: -1) + url = "/admin/email/handle_mail?api_key=#{api_key.key}&api_username=#{user.username.downcase}" + opts = { method: "POST" } + expect(provider(url, opts).current_user.id).to eq(user.id) + end + + it "raises errors for non whitlisted routes" do + user = Fabricate(:user) + api_key = ApiKey.create!(user_id: user.id, created_by_id: -1) + url = "/u?api_key=#{api_key.key}&api_username=#{user.username.downcase}" + expect { + provider(url).current_user + }.to raise_error(Discourse::InvalidAccess) + end + + it "still allows header based auth" do + user = Fabricate(:user) + api_key = ApiKey.create!(user_id: user.id, created_by_id: -1) + params = { "HTTP_API_KEY" => api_key.key, "HTTP_API_USERNAME" => user.username.downcase } + expect(provider("/", params).current_user.id).to eq(user.id) + end + end + context "server header api" do it "raises errors for incorrect api_key" do diff --git a/spec/integration/invite_only_registration_spec.rb b/spec/integration/invite_only_registration_spec.rb index 6047bc054c3..5f19efb60f3 100644 --- a/spec/integration/invite_only_registration_spec.rb +++ b/spec/integration/invite_only_registration_spec.rb @@ -19,22 +19,23 @@ describe 'invite only' do username: 'bob', password: 'strongpassword', email: 'bob@bob.com', - api_key: api_key.key, - api_username: admin.username + }, headers: { + HTTP_API_KEY: api_key.key, + HTTP_API_USERNAME: admin.username } user_id = JSON.parse(response.body)["user_id"] expect(user_id).to be > 0 # activate and approve - put "/admin/users/#{user_id}/activate.json", params: { - api_key: api_key.key, - api_username: admin.username + put "/admin/users/#{user_id}/activate.json", headers: { + HTTP_API_KEY: api_key.key, + HTTP_API_USERNAME: admin.username } - put "/admin/users/#{user_id}/approve.json", params: { - api_key: api_key.key, - api_username: admin.username + put "/admin/users/#{user_id}/approve.json", headers: { + HTTP_API_KEY: api_key.key, + HTTP_API_USERNAME: admin.username } u = User.find(user_id) diff --git a/spec/integration/rate_limiting_spec.rb b/spec/integration/rate_limiting_spec.rb index 13fe8f73597..9a41f9120fc 100644 --- a/spec/integration/rate_limiting_spec.rb +++ b/spec/integration/rate_limiting_spec.rb @@ -60,16 +60,16 @@ describe 'rate limiter integration' do global_setting :max_admin_api_reqs_per_key_per_minute, 1 - get '/admin/api/keys.json', params: { - api_key: api_key.key, - api_username: admin.username + get '/admin/api/keys.json', headers: { + HTTP_API_KEY: api_key.key, + HTTP_API_USERNAME: admin.username } expect(response.status).to eq(200) - get '/admin/api/keys.json', params: { - api_key: api_key.key, - api_username: admin.username + get '/admin/api/keys.json', headers: { + HTTP_API_KEY: api_key.key, + HTTP_API_USERNAME: admin.username } expect(response.status).to eq(429) diff --git a/spec/requests/admin/users_controller_spec.rb b/spec/requests/admin/users_controller_spec.rb index fd82b1d1d9e..8d52b133f83 100644 --- a/spec/requests/admin/users_controller_spec.rb +++ b/spec/requests/admin/users_controller_spec.rb @@ -254,9 +254,8 @@ RSpec.describe Admin::UsersController do api_key = Fabricate(:api_key, user: user) put "/posts/#{Fabricate(:post).id}/bookmark.json", params: { - bookmarked: "true", - api_key: api_key.key - } + bookmarked: "true" + }, headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) put "/admin/users/#{user.id}/suspend.json", params: suspend_params diff --git a/spec/requests/embed_controller_spec.rb b/spec/requests/embed_controller_spec.rb index 69692795028..71d6eef807d 100644 --- a/spec/requests/embed_controller_spec.rb +++ b/spec/requests/embed_controller_spec.rb @@ -49,7 +49,8 @@ describe EmbedController do it "returns information about the topic" do get '/embed/info.json', - params: { embed_url: topic_embed.embed_url, api_key: api_key.key, api_username: "system" } + params: { embed_url: topic_embed.embed_url }, + headers: { HTTP_API_KEY: api_key.key, HTTP_API_USERNAME: "system" } json = JSON.parse(response.body) expect(json['topic_id']).to eq(topic_embed.topic.id) @@ -61,7 +62,8 @@ describe EmbedController do context "without invalid embed url" do it "returns error response" do get '/embed/info.json', - params: { embed_url: "http://nope.com", api_key: api_key.key, api_username: "system" } + params: { embed_url: "http://nope.com" }, + headers: { HTTP_API_KEY: api_key.key, HTTP_API_USERNAME: "system" } json = JSON.parse(response.body) expect(json["error_type"]).to eq("not_found") diff --git a/spec/requests/posts_controller_spec.rb b/spec/requests/posts_controller_spec.rb index b90b7cd3e3b..534bcdecd5e 100644 --- a/spec/requests/posts_controller_spec.rb +++ b/spec/requests/posts_controller_spec.rb @@ -556,10 +556,9 @@ describe PostsController do # choosing an arbitrarily easy to mock trusted activity it 'allows users with api key to bookmark posts' do - put "/posts/#{post.id}/bookmark.json", params: { - bookmarked: "true", - api_key: api_key.key - } + put "/posts/#{post.id}/bookmark.json", + params: { bookmarked: "true" }, + headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) expect(PostAction.where( @@ -570,21 +569,17 @@ describe PostsController do end it 'raises an error with a user key that does not match an optionally specified username' do - put "/posts/#{post.id}/bookmark.json", params: { - bookmarked: "true", - api_key: api_key.key, - api_username: 'made_up' - } + put "/posts/#{post.id}/bookmark.json", + params: { bookmarked: "true" }, + headers: { HTTP_API_KEY: api_key.key, HTTP_API_USERNAME: 'made_up' } expect(response.status).to eq(403) end it 'allows users with a master api key to bookmark posts' do - put "/posts/#{post.id}/bookmark.json", params: { - bookmarked: "true", - api_key: master_key.key, - api_username: user.username - } + put "/posts/#{post.id}/bookmark.json", + params: { bookmarked: "true" }, + headers: { HTTP_API_KEY: master_key.key, HTTP_API_USERNAME: user.username } expect(response.status).to eq(200) expect(PostAction.where( @@ -595,21 +590,17 @@ describe PostsController do end it 'disallows phonies to bookmark posts' do - put "/posts/#{post.id}/bookmark.json", params: { - bookmarked: "true", - api_key: SecureRandom.hex(32), - api_username: user.username - } + put "/posts/#{post.id}/bookmark.json", + params: { bookmarked: "true" }, + headers: { HTTP_API_KEY: SecureRandom.hex(32), HTTP_API_USERNAME: user.username } expect(response.status).to eq(403) end it 'disallows blank api' do - put "/posts/#{post.id}/bookmark.json", params: { - bookmarked: "true", - api_key: "", - api_username: user.username - } + put "/posts/#{post.id}/bookmark.json", + params: { bookmarked: "true" }, + headers: { HTTP_API_KEY: "", HTTP_API_USERNAME: user.username } expect(response.status).to eq(403) end @@ -740,24 +731,16 @@ describe PostsController do master_key = Fabricate(:api_key).key - post "/posts.json", params: { - api_username: user.username, - api_key: master_key, - raw: raw, - title: title, - wpid: 1 - } + post "/posts.json", + params: { raw: raw, title: title, wpid: 1 }, + headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key } expect(response.status).to eq(200) original = response.body - post "/posts.json", params: { - api_username: user.username_lower, - api_key: master_key, - raw: raw, - title: title, - wpid: 2 - } + post "/posts.json", + params: { raw: raw, title: title, wpid: 2 }, + headers: { HTTP_API_USERNAME: user.username_lower, HTTP_API_KEY: master_key } expect(response.status).to eq(200) expect(response.body).to eq(original) @@ -769,38 +752,24 @@ describe PostsController do post_1 = Fabricate(:post) master_key = Fabricate(:api_key).key - post "/posts.json", params: { - api_username: user.username, - api_key: master_key, - raw: 'this is test reply 1', - topic_id: post_1.topic.id, - reply_to_post_number: 1 - } + post "/posts.json", + params: { raw: 'this is test reply 1', topic_id: post_1.topic.id, reply_to_post_number: 1 }, + headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key } expect(response.status).to eq(200) expect(post_1.topic.user.notifications.count).to eq(1) post_1.topic.user.notifications.destroy_all - post "/posts.json", params: { - api_username: user.username, - api_key: master_key, - raw: 'this is test reply 2', - topic_id: post_1.topic.id, - reply_to_post_number: 1, - import_mode: true - } + post "/posts.json", + params: { raw: 'this is test reply 2', topic_id: post_1.topic.id, reply_to_post_number: 1, import_mode: true }, + headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key } expect(response.status).to eq(200) expect(post_1.topic.user.notifications.count).to eq(0) - post "/posts.json", params: { - api_username: user.username, - api_key: master_key, - raw: 'this is test reply 3', - topic_id: post_1.topic.id, - reply_to_post_number: 1, - import_mode: false - } + post "/posts.json", + params: { raw: 'this is test reply 3', topic_id: post_1.topic.id, reply_to_post_number: 1, import_mode: false }, + headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key } expect(response.status).to eq(200) expect(post_1.topic.user.notifications.count).to eq(1) @@ -810,14 +779,10 @@ describe PostsController do post_1 = Fabricate(:post) user_key = ApiKey.create!(user: user).key - post "/posts.json", params: { - api_username: user.username, - api_key: user_key, - raw: 'this is test whisper', - topic_id: post_1.topic.id, - reply_to_post_number: 1, - whisper: true - } + post "/posts.json", + params: { raw: 'this is test whisper', topic_id: post_1.topic.id, reply_to_post_number: 1, whisper: true }, + headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: user_key } + expect(response.status).to eq(403) end @@ -825,13 +790,9 @@ describe PostsController do user = Fabricate(:admin) master_key = Fabricate(:api_key).key - post "/posts.json", params: { - api_username: user.username, - api_key: master_key, - title: 'this is a test title', - raw: 'this is test body', - category: 'invalid' - } + post "/posts.json", + params: { title: 'this is a test title', raw: 'this is test body', category: 'invalid' }, + headers: { HTTP_API_USERNAME: user.username, HTTP_API_KEY: master_key } expect(response.status).to eq(400) diff --git a/spec/requests/uploads_controller_spec.rb b/spec/requests/uploads_controller_spec.rb index baa2f542702..13298866c06 100644 --- a/spec/requests/uploads_controller_spec.rb +++ b/spec/requests/uploads_controller_spec.rb @@ -60,7 +60,10 @@ describe UploadsController do stub_request(:get, url).to_return(status: 200, body: png) - post "/uploads.json", params: { url: url, type: "avatar", api_key: api_key, api_username: user.username } + post "/uploads.json", params: { url: url, type: "avatar" }, headers: { + HTTP_API_KEY: api_key, + HTTP_API_USERNAME: user.username.downcase + } json = ::JSON.parse(response.body) diff --git a/spec/requests/user_badges_controller_spec.rb b/spec/requests/user_badges_controller_spec.rb index 1034c36bde9..bd0c8ca3543 100644 --- a/spec/requests/user_badges_controller_spec.rb +++ b/spec/requests/user_badges_controller_spec.rb @@ -123,9 +123,13 @@ describe UserBadgesController do it 'grants badges from master api calls' do api_key = Fabricate(:api_key) - post "/user_badges.json", params: { - badge_id: badge.id, username: user.username, api_key: api_key.key, api_username: "system" - } + post "/user_badges.json", + params: { + badge_id: badge.id, username: user.username + }, + headers: { + HTTP_API_KEY: api_key.key, HTTP_API_USERNAME: "system" + } expect(response.status).to eq(200) user_badge = UserBadge.find_by(user: user, badge: badge) diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb index 59f705f8ebf..d35e8f9727a 100644 --- a/spec/requests/users_controller_spec.rb +++ b/spec/requests/users_controller_spec.rb @@ -743,7 +743,7 @@ describe UsersController do it "won't create the user as active with a regular key" do post "/u.json", - params: post_user_params.merge(active: true, api_key: api_key.key) + params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) expect(JSON.parse(response.body)['active']).to be_falsey @@ -759,7 +759,7 @@ describe UsersController do SiteSetting.must_approve_users = true #Sidekiq::Client.expects(:enqueue).never - post "/u.json", params: post_user_params.merge(approved: true, active: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(approved: true, active: true), headers: { HTTP_API_KEY: api_key.key } expect(Jobs::CriticalUserEmail.jobs.size).to eq(0) expect(Jobs::SendSystemMessage.jobs.size).to eq(0) @@ -781,7 +781,7 @@ describe UsersController do Jobs.run_immediately! SiteSetting.must_approve_users = true - post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) json = JSON.parse(response.body) @@ -796,7 +796,7 @@ describe UsersController do Jobs.run_immediately! SiteSetting.must_approve_users = true - post "/u.json", params: post_user_params.merge(api_key: api_key.key) + post "/u.json", params: post_user_params, headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) json = JSON.parse(response.body) @@ -810,7 +810,7 @@ describe UsersController do it "won't create the developer as active" do UsernameCheckerService.expects(:is_developer?).returns(true) - post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) expect(JSON.parse(response.body)['active']).to be_falsy end @@ -819,7 +819,7 @@ describe UsersController do SiteSetting.allow_user_locale = true admin.update!(locale: :fr) - post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) json = JSON.parse(response.body) @@ -832,7 +832,7 @@ describe UsersController do SiteSetting.must_approve_users = true SiteSetting.auto_approve_email_domains = "example.com" - post "/u.json", params: post_user_params.merge(active: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(active: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) json = JSON.parse(response.body) @@ -858,7 +858,7 @@ describe UsersController do fab!(:api_key, refind: false) { Fabricate(:api_key, user: user) } it "won't create the user as staged with a regular key" do - post "/u.json", params: post_user_params.merge(staged: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(staged: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) new_user = User.where(username: post_user_params[:username]).first @@ -871,7 +871,7 @@ describe UsersController do fab!(:api_key, refind: false) { Fabricate(:api_key, user: user) } it "creates the user as staged with a regular key" do - post "/u.json", params: post_user_params.merge(staged: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(staged: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) new_user = User.where(username: post_user_params[:username]).first @@ -880,7 +880,7 @@ describe UsersController do it "won't create the developer as staged" do UsernameCheckerService.expects(:is_developer?).returns(true) - post "/u.json", params: post_user_params.merge(staged: true, api_key: api_key.key) + post "/u.json", params: post_user_params.merge(staged: true), headers: { HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) new_user = User.where(username: post_user_params[:username]).first @@ -1850,8 +1850,9 @@ describe UsersController do }, user_fields: { user_field.id.to_s => 'user field value' - }, - api_key: api_key.key + } + }, headers: { + HTTP_API_KEY: api_key.key } expect(response.status).to eq(200) u = User.find_by_email('user@mail.com')