commit: 73540ffe6b03cf27dd7738ebd157573488f376cf parent: 92bb16624632beb490bb84a51b9a868d4b71eb6a Author: Matt Jankowski <mjankowski@thoughtbot.com> Date: Wed, 7 Jun 2017 14:09:25 -0400 Clean up for api/base controller (#3629) * Move ApiController to Api/BaseController * API controllers inherit from Api::BaseController * Add coverage for various error cases in api/base controllerDiffstat:
36 files changed, 179 insertions(+), 146 deletions(-)
diff --git a/app/controllers/api/activitypub/activities_controller.rb b/app/controllers/api/activitypub/activities_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Activitypub::ActivitiesController < ApiController +class Api::Activitypub::ActivitiesController < Api::BaseController include Authorization # before_action :set_follow, only: [:show_follow] diff --git a/app/controllers/api/activitypub/notes_controller.rb b/app/controllers/api/activitypub/notes_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Activitypub::NotesController < ApiController +class Api::Activitypub::NotesController < Api::BaseController include Authorization before_action :set_status diff --git a/app/controllers/api/activitypub/outbox_controller.rb b/app/controllers/api/activitypub/outbox_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Activitypub::OutboxController < ApiController +class Api::Activitypub::OutboxController < Api::BaseController before_action :set_account respond_to :activitystreams2 diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb @@ -0,0 +1,93 @@ +# frozen_string_literal: true + +class Api::BaseController < ApplicationController + DEFAULT_STATUSES_LIMIT = 20 + DEFAULT_ACCOUNTS_LIMIT = 40 + + include RateLimitHeaders + + skip_before_action :verify_authenticity_token + skip_before_action :store_current_location + + rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e| + render json: { error: e.to_s }, status: 422 + end + + rescue_from ActiveRecord::RecordNotFound do + render json: { error: 'Record not found' }, status: 404 + end + + rescue_from Goldfinger::Error do + render json: { error: 'Remote account could not be resolved' }, status: 422 + end + + rescue_from HTTP::Error do + render json: { error: 'Remote data could not be fetched' }, status: 503 + end + + rescue_from OpenSSL::SSL::SSLError do + render json: { error: 'Remote SSL certificate could not be verified' }, status: 503 + end + + rescue_from Mastodon::NotPermittedError do + render json: { error: 'This action is not allowed' }, status: 403 + end + + def doorkeeper_unauthorized_render_options(error: nil) + { json: { error: (error.try(:description) || 'Not authorized') } } + end + + def doorkeeper_forbidden_render_options(*) + { json: { error: 'This action is outside the authorized scopes' } } + end + + protected + + def set_pagination_headers(next_path = nil, prev_path = nil) + links = [] + links << [next_path, [%w(rel next)]] if next_path + links << [prev_path, [%w(rel prev)]] if prev_path + response.headers['Link'] = LinkHeader.new(links) + end + + def limit_param(default_limit) + return default_limit unless params[:limit] + [params[:limit].to_i.abs, default_limit * 2].min + end + + def current_resource_owner + @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token + end + + def current_user + current_resource_owner || super + rescue ActiveRecord::RecordNotFound + nil + end + + def require_user! + current_resource_owner + set_user_activity + rescue ActiveRecord::RecordNotFound + render json: { error: 'This method requires an authenticated user' }, status: 422 + end + + def render_empty + render json: {}, status: 200 + end + + def set_maps(statuses) # rubocop:disable Style/AccessorMethodName + if current_account.nil? + @reblogs_map = {} + @favourites_map = {} + @mutes_map = {} + return + end + + status_ids = statuses.compact.flat_map { |s| [s.id, s.reblog_of_id] }.uniq + conversation_ids = statuses.compact.map(&:conversation_id).compact.uniq + @reblogs_map = Status.reblogs_map(status_ids, current_account) + @favourites_map = Status.favourites_map(status_ids, current_account) + @mutes_map = Status.mutes_map(conversation_ids, current_account) + end +end diff --git a/app/controllers/api/oembed_controller.rb b/app/controllers/api/oembed_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::OEmbedController < ApiController +class Api::OEmbedController < Api::BaseController respond_to :json def show diff --git a/app/controllers/api/push_controller.rb b/app/controllers/api/push_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::PushController < ApiController +class Api::PushController < Api::BaseController def update response, status = process_push_request render plain: response, status: status diff --git a/app/controllers/api/salmon_controller.rb b/app/controllers/api/salmon_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::SalmonController < ApiController +class Api::SalmonController < Api::BaseController before_action :set_account respond_to :txt diff --git a/app/controllers/api/subscriptions_controller.rb b/app/controllers/api/subscriptions_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::SubscriptionsController < ApiController +class Api::SubscriptionsController < Api::BaseController before_action :set_account respond_to :txt diff --git a/app/controllers/api/v1/accounts/credentials_controller.rb b/app/controllers/api/v1/accounts/credentials_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Accounts::CredentialsController < ApiController +class Api::V1::Accounts::CredentialsController < Api::BaseController before_action -> { doorkeeper_authorize! :write }, only: [:update] before_action :require_user! diff --git a/app/controllers/api/v1/accounts/follower_accounts_controller.rb b/app/controllers/api/v1/accounts/follower_accounts_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Accounts::FollowerAccountsController < ApiController +class Api::V1::Accounts::FollowerAccountsController < Api::BaseController before_action -> { doorkeeper_authorize! :read } before_action :set_account after_action :insert_pagination_headers diff --git a/app/controllers/api/v1/accounts/following_accounts_controller.rb b/app/controllers/api/v1/accounts/following_accounts_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Accounts::FollowingAccountsController < ApiController +class Api::V1::Accounts::FollowingAccountsController < Api::BaseController before_action -> { doorkeeper_authorize! :read } before_action :set_account after_action :insert_pagination_headers diff --git a/app/controllers/api/v1/accounts/relationships_controller.rb b/app/controllers/api/v1/accounts/relationships_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Accounts::RelationshipsController < ApiController +class Api::V1::Accounts::RelationshipsController < Api::BaseController before_action -> { doorkeeper_authorize! :read } before_action :require_user! diff --git a/app/controllers/api/v1/accounts/search_controller.rb b/app/controllers/api/v1/accounts/search_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Accounts::SearchController < ApiController +class Api::V1::Accounts::SearchController < Api::BaseController before_action -> { doorkeeper_authorize! :read } before_action :require_user! diff --git a/app/controllers/api/v1/accounts/statuses_controller.rb b/app/controllers/api/v1/accounts/statuses_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Accounts::StatusesController < ApiController +class Api::V1::Accounts::StatusesController < Api::BaseController before_action -> { doorkeeper_authorize! :read } before_action :set_account after_action :insert_pagination_headers diff --git a/app/controllers/api/v1/accounts_controller.rb b/app/controllers/api/v1/accounts_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::AccountsController < ApiController +class Api::V1::AccountsController < Api::BaseController before_action -> { doorkeeper_authorize! :read }, except: [:follow, :unfollow, :block, :unblock, :mute, :unmute] before_action -> { doorkeeper_authorize! :follow }, only: [:follow, :unfollow, :block, :unblock, :mute, :unmute] before_action :require_user!, except: [:show] diff --git a/app/controllers/api/v1/apps_controller.rb b/app/controllers/api/v1/apps_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::AppsController < ApiController +class Api::V1::AppsController < Api::BaseController respond_to :json def create diff --git a/app/controllers/api/v1/blocks_controller.rb b/app/controllers/api/v1/blocks_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::BlocksController < ApiController +class Api::V1::BlocksController < Api::BaseController before_action -> { doorkeeper_authorize! :follow } before_action :require_user! after_action :insert_pagination_headers diff --git a/app/controllers/api/v1/domain_blocks_controller.rb b/app/controllers/api/v1/domain_blocks_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::DomainBlocksController < ApiController +class Api::V1::DomainBlocksController < Api::BaseController BLOCK_LIMIT = 100 before_action -> { doorkeeper_authorize! :follow } diff --git a/app/controllers/api/v1/favourites_controller.rb b/app/controllers/api/v1/favourites_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::FavouritesController < ApiController +class Api::V1::FavouritesController < Api::BaseController before_action -> { doorkeeper_authorize! :read } before_action :require_user! after_action :insert_pagination_headers diff --git a/app/controllers/api/v1/follow_requests_controller.rb b/app/controllers/api/v1/follow_requests_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::FollowRequestsController < ApiController +class Api::V1::FollowRequestsController < Api::BaseController before_action -> { doorkeeper_authorize! :follow } before_action :require_user! after_action :insert_pagination_headers, only: :index diff --git a/app/controllers/api/v1/follows_controller.rb b/app/controllers/api/v1/follows_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::FollowsController < ApiController +class Api::V1::FollowsController < Api::BaseController before_action -> { doorkeeper_authorize! :follow } before_action :require_user! diff --git a/app/controllers/api/v1/instances_controller.rb b/app/controllers/api/v1/instances_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::InstancesController < ApiController +class Api::V1::InstancesController < Api::BaseController respond_to :json def show; end diff --git a/app/controllers/api/v1/media_controller.rb b/app/controllers/api/v1/media_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::MediaController < ApiController +class Api::V1::MediaController < Api::BaseController before_action -> { doorkeeper_authorize! :write } before_action :require_user! diff --git a/app/controllers/api/v1/mutes_controller.rb b/app/controllers/api/v1/mutes_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::MutesController < ApiController +class Api::V1::MutesController < Api::BaseController before_action -> { doorkeeper_authorize! :follow } before_action :require_user! after_action :insert_pagination_headers diff --git a/app/controllers/api/v1/notifications_controller.rb b/app/controllers/api/v1/notifications_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::NotificationsController < ApiController +class Api::V1::NotificationsController < Api::BaseController before_action -> { doorkeeper_authorize! :read } before_action :require_user! after_action :insert_pagination_headers, only: :index diff --git a/app/controllers/api/v1/reports_controller.rb b/app/controllers/api/v1/reports_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::ReportsController < ApiController +class Api::V1::ReportsController < Api::BaseController before_action -> { doorkeeper_authorize! :read }, except: [:create] before_action -> { doorkeeper_authorize! :write }, only: [:create] before_action :require_user! diff --git a/app/controllers/api/v1/search_controller.rb b/app/controllers/api/v1/search_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::SearchController < ApiController +class Api::V1::SearchController < Api::BaseController RESULTS_LIMIT = 5 respond_to :json diff --git a/app/controllers/api/v1/statuses_controller.rb b/app/controllers/api/v1/statuses_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::StatusesController < ApiController +class Api::V1::StatusesController < Api::BaseController include Authorization before_action :authorize_if_got_token, except: [:create, :destroy, :reblog, :unreblog, :favourite, :unfavourite, :mute, :unmute] diff --git a/app/controllers/api/v1/streaming_controller.rb b/app/controllers/api/v1/streaming_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::StreamingController < ApiController +class Api::V1::StreamingController < Api::BaseController respond_to :json def index diff --git a/app/controllers/api/v1/timelines/home_controller.rb b/app/controllers/api/v1/timelines/home_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Timelines::HomeController < ApiController +class Api::V1::Timelines::HomeController < Api::BaseController before_action -> { doorkeeper_authorize! :read }, only: [:show] before_action :require_user!, only: [:show] after_action :insert_pagination_headers, unless: -> { @statuses.empty? } diff --git a/app/controllers/api/v1/timelines/public_controller.rb b/app/controllers/api/v1/timelines/public_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Timelines::PublicController < ApiController +class Api::V1::Timelines::PublicController < Api::BaseController after_action :insert_pagination_headers, unless: -> { @statuses.empty? } respond_to :json diff --git a/app/controllers/api/v1/timelines/tag_controller.rb b/app/controllers/api/v1/timelines/tag_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::V1::Timelines::TagController < ApiController +class Api::V1::Timelines::TagController < Api::BaseController before_action :load_tag after_action :insert_pagination_headers, unless: -> { @statuses.empty? } diff --git a/app/controllers/api/web/settings_controller.rb b/app/controllers/api/web/settings_controller.rb @@ -1,6 +1,6 @@ # frozen_string_literal: true -class Api::Web::SettingsController < ApiController +class Api::Web::SettingsController < Api::BaseController respond_to :json before_action :require_user! diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb @@ -1,93 +0,0 @@ -# frozen_string_literal: true - -class ApiController < ApplicationController - DEFAULT_STATUSES_LIMIT = 20 - DEFAULT_ACCOUNTS_LIMIT = 40 - - include RateLimitHeaders - - skip_before_action :verify_authenticity_token - skip_before_action :store_current_location - - rescue_from ActiveRecord::RecordInvalid, Mastodon::ValidationError do |e| - render json: { error: e.to_s }, status: 422 - end - - rescue_from ActiveRecord::RecordNotFound do - render json: { error: 'Record not found' }, status: 404 - end - - rescue_from Goldfinger::Error do - render json: { error: 'Remote account could not be resolved' }, status: 422 - end - - rescue_from HTTP::Error do - render json: { error: 'Remote data could not be fetched' }, status: 503 - end - - rescue_from OpenSSL::SSL::SSLError do - render json: { error: 'Remote SSL certificate could not be verified' }, status: 503 - end - - rescue_from Mastodon::NotPermittedError do - render json: { error: 'This action is not allowed' }, status: 403 - end - - def doorkeeper_unauthorized_render_options(error: nil) - { json: { error: (error.try(:description) || 'Not authorized') } } - end - - def doorkeeper_forbidden_render_options(*) - { json: { error: 'This action is outside the authorized scopes' } } - end - - protected - - def set_pagination_headers(next_path = nil, prev_path = nil) - links = [] - links << [next_path, [%w(rel next)]] if next_path - links << [prev_path, [%w(rel prev)]] if prev_path - response.headers['Link'] = LinkHeader.new(links) - end - - def limit_param(default_limit) - return default_limit unless params[:limit] - [params[:limit].to_i.abs, default_limit * 2].min - end - - def current_resource_owner - @current_user ||= User.find(doorkeeper_token.resource_owner_id) if doorkeeper_token - end - - def current_user - current_resource_owner || super - rescue ActiveRecord::RecordNotFound - nil - end - - def require_user! - current_resource_owner - set_user_activity - rescue ActiveRecord::RecordNotFound - render json: { error: 'This method requires an authenticated user' }, status: 422 - end - - def render_empty - render json: {}, status: 200 - end - - def set_maps(statuses) # rubocop:disable Style/AccessorMethodName - if current_account.nil? - @reblogs_map = {} - @favourites_map = {} - @mutes_map = {} - return - end - - status_ids = statuses.compact.flat_map { |s| [s.id, s.reblog_of_id] }.uniq - conversation_ids = statuses.compact.map(&:conversation_id).compact.uniq - @reblogs_map = Status.reblogs_map(status_ids, current_account) - @favourites_map = Status.favourites_map(status_ids, current_account) - @mutes_map = Status.mutes_map(conversation_ids, current_account) - end -end diff --git a/spec/controllers/api/base_controller_spec.rb b/spec/controllers/api/base_controller_spec.rb @@ -0,0 +1,54 @@ +# frozen_string_literal: true + +require 'rails_helper' + +class FakeService; end + +describe Api::BaseController do + controller do + def success + head 200 + end + + def error + FakeService.new + end + end + + describe 'Forgery protection' do + before do + routes.draw { post 'success' => 'api/base#success' } + end + + it 'does not protect from forgery' do + ActionController::Base.allow_forgery_protection = true + post 'success' + expect(response).to have_http_status(:success) + end + end + + describe 'Error handling' do + ERRORS_WITH_CODES = { + ActiveRecord::RecordInvalid => 422, + Mastodon::ValidationError => 422, + ActiveRecord::RecordNotFound => 404, + Goldfinger::Error => 422, + HTTP::Error => 503, + OpenSSL::SSL::SSLError => 503, + Mastodon::NotPermittedError => 403, + } + + before do + routes.draw { get 'error' => 'api/base#error' } + end + + ERRORS_WITH_CODES.each do |error, code| + it "Handles error class of #{error}" do + expect(FakeService).to receive(:new).and_raise(error) + + get 'error' + expect(response).to have_http_status(code) + end + end + end +end diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb @@ -1,21 +0,0 @@ -# frozen_string_literal: true - -require 'rails_helper' - -describe ApiController, type: :controller do - controller do - def success - head 200 - end - end - - before do - routes.draw { post 'success' => 'api#success' } - end - - it 'does not protect from forgery' do - ActionController::Base.allow_forgery_protection = true - post 'success' - expect(response).to have_http_status(:success) - end -end