Revision bdc34694
Added by Brad Buckingham about 10 years ago
| test/functional/api/base_controller_subclass_test.rb | ||
|---|---|---|
|
end
|
||
|
end
|
||
|
|
||
|
context "API session expiration" do
|
||
|
test "request succeeds if no session[:expires_at] is included" do
|
||
|
# this would be typical of API initiated directly or from cli
|
||
|
get :index
|
||
|
assert_response :success
|
||
|
end
|
||
|
|
||
|
test "request fails if session expired" do
|
||
|
# this would be typical of API initiated from a web ui session
|
||
|
get :index, {}, { :expires_at => 5.days.ago.utc }
|
||
|
assert_response :unauthorized
|
||
|
end
|
||
|
|
||
|
test "request succeeds if session has not expired" do
|
||
|
# this would be typical of API initiated from a web ui session
|
||
|
get :index, {}, { :expires_at => 5.days.from_now.utc }
|
||
|
assert_response :success
|
||
|
end
|
||
|
end
|
||
|
|
||
|
context "API usage when authentication is disabled" do
|
||
|
setup do
|
||
|
User.current = nil
|
||
Also available in: Unified diff
fixes #4776 - support session[:expires_at] for api requests
There are situations where the UI needs to invoke requests
on the API controllers; therefore, we need to ensure that
the session expiration accounts for them. This is a common
for plugins, such as Katello, which leverage the
APIs extensively to support both the web UI and CLI.
With these changes, if an API request is received with
session[:expires_at], it will be evaluated and updated by the
server. This will be the case for requests from the web-UI.
If an API request is received without session[:expires_at],
no evaluation or updating of an expiration timer will
be performed. This latter case is the existing behavior
for the API requests (e.g via API or CLI) and will continue
to be supported.