First of all, thanks a lot for this 👍 Now, you may want to take a look at what we are doing here: #1289. There's a lot of stuff on this PR, but take into consideration:
Now, this is far from perfect, so I encourage you to innovate upon these ideas. I also thought of using something like grape, but so far I've used good ol' Rails as I'm already used to it (also notice all the ugly
Both me and @vitoravelino have been busy with other stuff, and it will probably take a while, since we have to review the code, and apply more testing... I'd say I can break away the code for managing
I have to admit that I've never used it, so this is something I'm not really sure. It needs some exploration from my part 😄
Left some comments. In principle it looks good to me 👍

@Vad1mo ping me whenever this is ready to be reviewed.

@mssola we are fixing the travis build and adding some documentation next to the swagger spec. The code is basically ready for a review. fyi: you can get the swagger spec at localhost:3000/api/swagger_doc

@Vad1mo ok, I'll wait also for the swagger documentation if you don't mind 😉

@mssola Hello, can you help me find the cause?

@andrew2net have you tried without running the integration tests? (they might be broken...):

@mssola I haven't. Tried now and all tests passed. Does it need to pass integration tests for a successful Travis check?

@andrew2net no. Travis does not run integration tests for Portus.

@mssola you can take a look now at the PR
mssola left a comment:
Left some comments. Thanks a lot for all your hard work 👏
| /spec/integration/fixtures/data | ||
| /node_modules No newline at end of file | ||
| /node_modules | ||
| .idea |
| Enabled: false | ||
| Style/FrozenStringLiteralComment: | ||
| Enabled: false |
This wasn't an issue before 😕 If you call it with bundle exec there shouldn't be any problem, no?

@mssola with Ruby 2.3, RuboCop reports the offense `Missing frozen string literal comment.` on each .rb file
| @@ -1 +1 @@ | |||
| 2.1.2 | |||
| 2.3.3 | |||
well, grape requires going to a minimum of 2.3.

I'll have to check about this requirement...
| # Stable versions | ||
| - 2.1.10 | ||
| - 2.2.6 |
The changes on this file are unrelated to this PR. Moreover, why should we stop testing these versions? (maybe we could upgrade the 2.2.6 to 2.2.7)

ruby 2.3 is required
| gem "grape-swagger" | ||
| gem "grape-swagger-entity" | ||
| gem "grape-swagger-representable" | ||
| gem "hashie-forbidden_attributes" |
I'm not sure about this gem... Do you really need mass assignment?

@mssola ruby-grape uses it https://github.com/ruby-grape/grape#rails
| @@ -0,0 +1,20 @@ | |||
| class VulnerabilitiesController < ApplicationController | |||
This is from another PR. Please, don't include it...
| @@ -0,0 +1,191 @@ | |||
| module GrapeAPI | |||
Two things:
- There's functionality already existing in `app/controllers/application_tokens_controller.rb` for this. Could we merge the code somehow? (either change the frontend to use this API instead of the controller, thus removing the controller, or create methods that both the controller and the API use)
- Could you add more documentation?

@mssola the functionality is slightly different. The API can create tokens for any user, not only for the current one, and returns plain_token. I think changing the frontend to use the API is preferred.
Will add more doc.

The functionality is moved to the model.
| end | ||
| class RootAPI < Grape::API | ||
| # version 'v1', using: :path |
| error!("Authorization fails.", 403) unless user.admin | ||
| end | ||
| def current_user |
This already exists in the application_controller.rb. We should be using the same code and share it somehow.

Moved it to the concern auth_from_token.
| title: "Portus user API", | ||
| description: "CRUD users and user's application tokens API", | ||
| contact_name: "Anldrei Kislichenko", | ||
| contact_email: "andrei.kislichenko@gmail.com" |
I'd prefer:
- Contact name: "Portus authors" (which would include you 😉)
- Contact email: "portus-dev@googlegroups.com"
Note that we have just merged #1289, and so there are quite some conflicts now. Also, make sure to rebase against master.

@mssola IMHO, we are ready now for the review.
mssola left a comment:
In general it looks good to me. Just fix my comments 😉 I still have to test it locally more deeply though...
| username, password = auth.split(":") | ||
| user = User.find_by(username: username) | ||
| if user && user.application_token_valid?(password) | ||
|
|
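Review bot: `auth.split(":")` returns more than two elements when the token itself contains a ":", and `password` then holds only the first fragment, so every such token fails validation; `auth.split(":", 2)` keeps the username and the whole remainder. The `user && user.application_token_valid?(password)` condition already sends an unknown username and a wrong token down the same failure path, which avoids disclosing which usernames exist; keep that property if this branch ever grows distinct error messages.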
Remove this empty line. Maybe you could add this empty line before the if statement actually.
| @@ -0,0 +1,16 @@ | |||
| module AuthFromToken | |||
| module AuthFromToken | ||
| extend ActiveSupport::Concern | ||
| def authenticate_user_from_authentication_token! |
| expose :id, documentation: { type: Integer, desc: "User id" } | ||
| expose :username, documentation: { type: String, desc: "User name" } | ||
| expose :email, documentation: { type: String, desc: "E-mail" } | ||
| expose :sign_in_count, documentation: { type: Integer } |
sign_in_count we can skip. The others we would like to keep. We want to use the API to perform CRUD operations on the user, so we can decide what users to create and maybe remove users automatically that don't use their account. However, the last use case is not yet relevant for us right now.
| expose :sign_in_count, documentation: { type: Integer } | ||
| expose :current_sign_in_at, documentation: { type: DateTime } | ||
| expose :last_sign_in_at, documentation: { type: DateTime } | ||
| expose :current_sign_in_ip, :last_sign_in_ip |
Not sure about these two, since it's not that useful imho

ok, not really relevant.
| route_param :id, type: Integer do | ||
| resource :application_tokens do | ||
| params do | ||
| requires :application, documentation: { desc: "Application name" } | ||
| end |
Add an empty line after the `end` line.
| params do | ||
| requires :id, documentation: { desc: "Token id" } | ||
| end |
| only: [:display_name], | ||
| using: API::Entities::Users.documentation.slice(:display_name) | ||
| end | ||
| end |
Some comments after using it:

There should be a way to return a 404 when the path does not exist. For example I typed /api/users, and I got an HTML page, instead of simply a not found error. Maybe in production this is already handled?

Besides this, when I performed:

```sh
curl -X DELETE \
  -H "PORTUS-AUTH: mssola:KXsgWZQyDq8rMoy-hHaD" \
  https://registry.mssola.cat/api/v1/users/2/application_tokens/2
```

I got:

```json
{
  "error": "Internal server error: Grape::Exceptions::MethodNotAllowed"
}
```

Overall really nice work. Thanks a lot for your patience 👏
| }, | ||
| security: [api_key: []], | ||
| info: { | ||
| title: "Portus user API", |
Argh, overlooked this, sorry... It should be "Portus API" instead since we will extend it to other endpoints as well...
| security: [api_key: []], | ||
| info: { | ||
| title: "Portus user API", | ||
| description: "CRUD users and user's application tokens API", |
Same here. It should be something like this: "Portus CRUD API" (or better 😅)
| [401, "Authentication fails."], | ||
| [403, "Authorization fails."] | ||
| ], | ||
| consumes: ["application/x-www-form-urlencoded"] |
Maybe this can be done in another PR, but would it be too difficult to also support JSON? It would be simpler than with an encoded form. See the curl command I had to use:

```sh
curl -X POST \
  -H "PORTUS-AUTH: mssola:KXsgWZQyDq8rMoy-hHaD" \
  -F "user[username]=another" -F "user[email]=asd@example.org" -F "user[password]=12341234" \
  https://registry.mssola.cat/api/v1/users
```

Maybe this could work too (so without the user[...] part):

```sh
curl -X POST \
  -H "PORTUS-AUTH: mssola:KXsgWZQyDq8rMoy-hHaD" \
  "https://registry.mssola.cat/api/v1/users?username=another&email=asd@example.org&password=12341234"
```

Will add JSON

```sh
curl -X POST "http://localhost:3005/api/v1/users" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -H "Portus-Auth: andrei:xzgZj6toUiuM2h49zA7z" \
  -d '{"user":{"username":"another","email":"asd@example.org","password":"12341234"}}'
```
| [403, "Authorization fails."], | ||
| [404, "Not found."] | ||
| ], | ||
| consumes: ["application/x-www-form-urlencoded"] |
@mssola an API with Grape processes requests if the path matches any of the endpoints. If not, then the request is ignored by Grape and the app processes it and returns
mssola left a comment:
If I submit a malformed JSON (create user), I receive an HTML page. It should instead return a proper error response (in this case this is a 400 Bad Request).
We are getting really close, nice work!
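To make the behaviour argued over in this thread concrete (a JSON 404 for unknown paths instead of the Rails HTML page, a 405 instead of a 500 carrying `Grape::Exceptions::MethodNotAllowed`, a 400 for a malformed JSON body, and a 401 checked before the 403 on the PORTUS-AUTH header), here is an added, stand-alone Ruby sketch. It is not Portus code and does not use Grape: the `ROUTES` table, the `USERS` store, the admin flags and the `handle`, `authenticate` and `secure_equal?` functions are constructed stand-ins for the Grape endpoints and the User model discussed above; the usernames and tokens are the ones quoted in the curl commands in this thread.

```ruby
require "json"

# Constructed sample user store standing in for the Portus User model.
# Usernames and tokens are the ones quoted in this thread; admin flags are assumed.
USERS = {
  "mssola" => { token: "KXsgWZQyDq8rMoy-hHaD", admin: true },
  "andrei" => { token: "xzgZj6toUiuM2h49zA7z", admin: false }
}.freeze

# Hypothetical route table: verb plus path pattern for the endpoints discussed.
ROUTES = [
  ["GET",    %r{\A/api/v1/users\z}],
  ["POST",   %r{\A/api/v1/users\z}],
  ["DELETE", %r{\A/api/v1/users/\d+/application_tokens/\d+\z}]
].freeze

# Constant-time comparison: the work done does not depend on where the first
# mismatching byte is, so a wrong token cannot be refined byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def token_valid?(user, candidate)
  return false if user.nil? || candidate.nil?
  secure_equal?(user[:token], candidate)
end

# Every error leaves as JSON with a matching status, never as an HTML page
# and never as a 500 that leaks an internal exception class name.
def json_error(status, message)
  [status, { "Content-Type" => "application/json" }, JSON.generate(error: message)]
end

# PORTUS-AUTH carries "username:token". Split on the first ":" only, so a
# token that itself contains ":" is not silently truncated.
def authenticate(headers)
  auth = headers["PORTUS-AUTH"]
  return nil if auth.nil?
  username, token = auth.split(":", 2)
  user = USERS[username]
  return nil unless token_valid?(user, token)
  { username: username, admin: user[:admin] }
end

# req is a Hash { method:, path:, headers:, body: }; returns [status, headers, body].
def handle(req)
  matched = ROUTES.select { |_, re| req[:path] =~ re }
  return json_error(404, "Not found.") if matched.empty?
  return json_error(405, "Method not allowed.") unless matched.any? { |verb, _| verb == req[:method] }

  # Authentication (401) is decided before authorization (403).
  user = authenticate(req[:headers])
  return json_error(401, "Authentication fails.") if user.nil?
  return json_error(403, "Authorization fails.") unless user[:admin]

  # A body the client could not even serialize correctly is a 400, not a 500.
  payload = {}
  if req[:method] == "POST"
    begin
      payload = JSON.parse(req[:body].to_s)
    rescue JSON::ParserError
      return json_error(400, "Malformed JSON body.")
    end
  end
  [200, { "Content-Type" => "application/json" },
   JSON.generate(ok: true, user: user[:username], payload: payload)]
end

if __FILE__ == $PROGRAM_NAME
  puts handle({ method: "GET", path: "/api/users", headers: {}, body: nil }).inspect
  puts handle({ method: "POST", path: "/api/v1/users",
                headers: { "PORTUS-AUTH" => "mssola:KXsgWZQyDq8rMoy-hHaD" },
                body: "{not json" }).inspect
end
```

The ordering inside `handle` is the point: routing errors (404, 405) need no credentials, credential errors come before any admin check, and body parsing happens only once the caller is known, so an unauthenticated client never gets a parser-derived response to probe.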
| expect(JSON.parse(response.body)["errors"]).not_to be_nil | ||
| end | ||
|
|
||
| it "returs user error" do |
Typo: "returs" -> "returns"
mssola left a comment:
LGTM
Rebase all this to the master branch, and squash commits into a set of commits (or a single commit even).
Again, thanks a lot for all this. You rock 👏
Signed-off-by: Vadim Bauer <bauer.vadim@gmail.com>
REST API for Portus to manage Users and Tokens. Furthermore based on this effort here it is possible to add more APIs to Portus.
PR Content and Features: