rack-api-key 0.0.2 → 0.0.3

data/README.md

@@ -31,8 +31,10 @@ Or install it yourself as:
 
 ```ruby
 use RackApiKey, :api_key_proc => Proc.new { |val| ApiKey.find(val) },
-		  					:rack_api_key => "account.api.key",
-		  					:header_key => "HTTP_X_CUSTOM_API_HEADER"
+                :rack_api_key => "account.api.key",
+                :header_key => "HTTP_X_CUSTOM_API_HEADER",
+                :url_restriction => [/api/],
+                :url_exclusion => [/api\/status/]
 ```
 
 ### :header_key
@@ -61,6 +63,11 @@ authentication and some that might not. Or a combination of API endpoints and
 publicly facing webpages. Perhaps you've scoped all of your API endpoints to
 "/api", and the rest of the URL mappings or routes are supposed to be wide open.
 
+### :url_exclusion
+This is an option to allow specific URLs to bypass rack-api-middleware authentication.
+This works well when you require a single or few endpoints to not require
+authentication. Perhaps you've scoped all of your API endpoints to "/api" but wish
+to leave "/api/status" publically facing.
 
 ### unauthorized_api_key method
 This is a method that can be overridden with however you'd like to respond

data/lib/rack-api-key.rb

@@ -2,94 +2,107 @@ require "rack-api-key/version"
 
 ##
 # RackApiKey is a middleware that relies on the client submitting requests
-# with a header named "X-API-KEY" storing their private API key as the value. 
-# The middleware will then intercept the request, read the value from the named 
-# header and call the given "proc" used for API key lookup. The API key lookup 
-# should only return a value if there is an exact match for the value stored in 
-# the named API key header. 
-# If such a API key exists, the middleware will pass the request onward and also 
+# with a header named "X-API-KEY" storing their private API key as the value.
+# The middleware will then intercept the request, read the value from the named
+# header and call the given "proc" used for API key lookup. The API key lookup
+# should only return a value if there is an exact match for the value stored in
+# the named API key header.
+#
+# If such a API key exists, the middleware will pass the request onward and also
 # set a new value in the request representing the authenticated API key. Otherwise
 # the middleware will return a HTTP status of 401, and a plain text message
 # notifying the calling requestor that they are not authorized.
 class RackApiKey
 
-	##
-	# ==== Options
-	# * +:api_key_proc+ - **REQUIRED** A proc that is intended to lookup the API key in your datastore.
-	# 										The given proc should take an argument, namely the value of the API key header.
-	# 										There is no default value for this option and will raise a 
-	# 										NotImplementedError if left unspecified.
-	# * +:rack_api_key+ - A way to override the key's name set in the request
-	#											on successful authentication. The default value is
-	# 										"rack_api_key".
-	# * +:header_key+ - A way to override the header's name used to store the API key.
-	# 									The value given here should reflect how Rack interprets the
-  #                   header. For example if the client passes "X-API-KEY" Rack
-  #                   transforms interprets it as "HTTP_X_API_KEY". The default
-  #                   value is "HTTP_X_API_KEY".
-  # * +:url_restriction+ - A way to restrict specific URLs that should pass through
-  #                        the rack-api-key middleware. In order to use pass an Array of Regex patterns.
-  #                        If left unspecified all requests will pass through the rack-api-key
-  #                        middleware.
-	#
-	# ==== Example
-	#		use RackApiKey, 
-	# 			:api_key_proc => Proc.new { |key| ApiKey.where(:key => key).first },
-	# 			:rack_api_key => "authenticated.api.key",
-	# 			:header_key => "HTTP_X_SECRET_API_KEY"
-	def initialize(app, options = {})
-		@app = app
-		default_options = { 
-												:header_key => "HTTP_X_API_KEY", 
-											  :rack_api_key => "rack_api_key",
-											  :api_key_proc => Proc.new { raise NotImplementedError.new("Caller must implement a way to lookup an API key.") },
-                        :url_restriction => []
-											}
-		@options = default_options.merge(options)
-	end
-
-	def call(env)
-    
-    if @options[:url_restriction].nil? || @options[:url_restriction].empty?      
+  ##
+  # ==== Options
+  # * +:api_key_proc+ -     **REQUIRED** A proc that is intended to lookup the API key in your datastore.
+  #                         The given proc should take an argument, namely the value of the API key header.
+  #                         There is no default value for this option and will raise a
+  #                         NotImplementedError if left unspecified.
+  #
+  # * +:rack_api_key+ -     A way to override the key's name set in the request
+  #                         on successful authentication. The default value is
+  #                         "rack_api_key".
+  #
+  # * +:header_key+ -       A way to override the header's name used to store the API key.
+  #                         The value given here should reflect how Rack interprets the
+  #                         header. For example if the client passes "X-API-KEY" Rack
+  #                         transforms interprets it as "HTTP_X_API_KEY". The default
+  #                         value is "HTTP_X_API_KEY".
+  #
+  # * +:url_restriction+ -  A way to restrict specific URLs that should pass through
+  #                         the rack-api-key middleware. In order to use pass an Array of Regex patterns.
+  #                         If left unspecified all requests will pass through the rack-api-key
+  #                         middleware.
+  #
+  # * +:url_exclusion+ -    A way to exclude specific URLs that should not pass through the
+  #                         the rack-api-middleware. In order to use, pass an Array of Regex patterns.
+  #
+  # ==== Example
+  #   use RackApiKey,
+  #       :api_key_proc => Proc.new { |key| ApiKey.where(:key => key).first },
+  #       :rack_api_key => "authenticated.api.key",
+  #       :header_key => "HTTP_X_SECRET_API_KEY",
+  #       :url_restriction => [/api/],
+  #       :url_exclusion => [/api\/status/]
+
+  def initialize(app, options = {})
+    @app = app
+    default_options = {
+      :header_key => 'HTTP_X_API_KEY',
+      :rack_api_key => 'rack_api_key',
+      :api_key_proc => Proc.new { raise NotImplementedError.new('Caller must implement a way to lookup an API key.') },
+      :url_restriction => [],
+      :url_exclusion => []
+    }
+    @options = default_options.merge(options)
+  end
+
+  def call(env)
+
+    if constraint?(:url_exclusion) && url_matches(:url_exclusion, env)
+
+      @app.call(env)
+
+    elsif constraint?(:url_restriction)
+
+      url_matches(:url_restriction, env) ? process_request(env) : @app.call(env)
+
+    else
+
       process_request(env)
-    else 
-      request = Rack::Request.new(env)
-      url_matches = @options[:url_restriction].select { |url_regex| request.fullpath.match(url_regex) }
-      unless url_matches.empty?
-        process_request(env)
-      else
-        @app.call(env)
-      end
+
     end
 
   end
 
   ##
   # Sets the API key lookup value in the request. Intentionally left here
-  # if anyone wants to change or override what does or does not get set 
+  # if anyone wants to change or override what does or does not get set
   # in the request.
   def rack_api_key_request_setter(env, api_key_lookup_val)
-  	env[@options[:rack_api_key]] = api_key_lookup_val
+    env[@options[:rack_api_key]] = api_key_lookup_val
   end
 
   ##
   # Returns a 401 HTTP status code when an API key is not found or is not
   # authorized. Intentionally left here if anyone wants to override this
-  # functionality, specifically change the format of the message or the 
+  # functionality, specifically change the format of the message or the
   # media type.
-	def unauthorized_api_key
-    body_text = "The API key provided is not authorized."
+  def unauthorized_api_key
+    body_text = 'The API key provided is not authorized.'
     [401, {'Content-Type' => 'text/plain; charset=utf-8',
-					 'Content-Length' => body_text.size.to_s}, [body_text]]
+           'Content-Length' => body_text.size.to_s}, [body_text]]
   end
 
   ##
   # Checks if the API key header value is present and the API key
   # that was returned from the API key proc is present.
   # Intentionally left here is anyone wants to override this functionality.
-	def valid_api_key?(api_header_val, api_key_lookup_val)
-    !api_header_val.nil? && api_header_val != "" && 
-    !api_key_lookup_val.nil? && api_key_lookup_val != ""
+  def valid_api_key?(api_header_val, api_key_lookup_val)
+    !api_header_val.nil? && api_header_val != '' &&
+    !api_key_lookup_val.nil? && api_key_lookup_val != ''
   end
 
   private
@@ -106,4 +119,13 @@ class RackApiKey
     end
   end
 
+  def constraint?(key)
+    !(@options[key].nil? || @options[key].empty?)
+  end
+
+  def url_matches(key, env)
+    path = Rack::Request.new(env).fullpath
+    @options[key].select { |url_regex| path.match(url_regex) }.empty? ? false : true
+  end
+
 end

data/lib/rack-api-key/version.rb

@@ -1,3 +1,3 @@
 class RackApiKey
-	VERSION = "0.0.2"
+	VERSION = "0.0.3"
 end

data/spec/rack_api_key_spec.rb

@@ -1,164 +1,211 @@
 require 'spec_helper'
 
 describe RackApiKey do
-	include Rack::Test::Methods
+  include Rack::Test::Methods
 
-	class Account; end
+  class Account; end
 
-	class ApiKey
+  class ApiKey
 
-		attr_reader :value
+    attr_reader :value
 
-		def initialize(value)
-			@value = value
-		end
+    def initialize(value)
+      @value = value
+    end
 
-		def self.find(value)
-			nil
-		end
+    def self.find(value)
+      nil
+    end
 
-		def account
-			Account.new
-		end
+    def account
+      Account.new
+    end
 
-	end
+  end
 
-	# simple test app for the middleware test
-	def app
+  # simple test app for the middleware test
+  def app
 
-		Rack::Builder.new do
+    Rack::Builder.new do
       map '/' do 
-				use RackApiKey, :api_key_proc => Proc.new { |val| ApiKey.find(val) }
-	      run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
-	    end
-
-	    map "/no-api-proc" do
-	    	use RackApiKey
-	      run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
-	    end
-
-	    map "/all-options" do
-	    	use RackApiKey, 
-	    		:api_key_proc => Proc.new { |val| ApiKey.find(val) },
-	    		:rack_api_key => "account.api.key",
-	    		:header_key => "HTTP_X_CUSTOM_API_HEADER"
-	      run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
-	    end
-
-	    map "/url-restricted" do
-	    	use RackApiKey,
-	    		:api_key_proc => Proc.new { |val| ApiKey.find(val) },
-					:url_restriction => [/url-restricted\/foo/]
-				run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
-	    end
-	    
-    end  	
-	end
-
-	context "when using the predefined default middleware options" do
-
-		it 'attempts to find the ApiKey with the header value' do
-			ApiKey.should_receive(:find).with("SECRET API KEY")
-			get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
-		end
-
-		it 'responds with a 200 upon successful authorization' do
-			ApiKey.stub(:find).and_return(ApiKey.new("SECRET API KEY"))
-			get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
-			last_response.ok?.should be_true
-		end
-
-		it 'responds with a 401 when the ApiKey is not found' do
-			ApiKey.stub(:find).and_return(nil)
-			get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
-			last_response.status.should == 401
-		end
-
-		it 'responds with a 401 when the header is not set' do
-			header("HTTP_X_API_KEY", nil)
-			get "/"
-			last_response.status.should == 401
-		end
-
-		it 'responds with a JSON formatted error message' do
-			header("HTTP_X_API_KEY", nil)
-			get "/"
-			last_response.body.should == "The API key provided is not authorized."
-	  end
-
-	  it 'sets the api key in the env' do
-	    ApiKey.stub(:find).and_return(api_key = ApiKey.new("SECRET API KEY"))
-	    get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
-	    last_request.env['rack_api_key'].should == api_key
-	  end
-
-	end
-
-	context "when the API key lookup proc is not provided" do
-
-		it 'raises an error' do
-			expect { get "/no-api-proc", {}, {} }.to raise_error(NotImplementedError, "Caller must implement a way to lookup an API key.")
-		end
-
-	end
-
-	context "when all the options are specified" do
-
-		it 'attempts to find the ApiKey with the header value' do
-			ApiKey.should_receive(:find).with("SECRET API KEY")
-			get "/all-options", {}, "HTTP_X_CUSTOM_API_HEADER" => "SECRET API KEY"
-		end
-
-		it 'responds with a 200 upon successful authorization' do
-			ApiKey.stub(:find).and_return(ApiKey.new("SECRET API KEY"))
-			get "/all-options", {}, "HTTP_X_CUSTOM_API_HEADER" => "SECRET API KEY"
-			last_response.ok?.should be_true
-		end
-
-		it 'sets the api key in the env' do
-	    ApiKey.stub(:find).and_return(api_key = ApiKey.new("SECRET API KEY"))
-	    get "/all-options", {}, "HTTP_X_CUSTOM_API_HEADER" => "SECRET API KEY"
-	    last_request.env['account.api.key'].should == api_key
-	  end
-
-	end
-
-	context "when URL restriction is used" do
-
-		context "and the requesting URL matches the restricted list" do
-
-			it 'attempts to find the ApiKey with the header value' do
-				ApiKey.should_receive(:find).with("SECRET API KEY")
-				get "/url-restricted/foo", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
-			end
-
-			it 'responds with a 200 upon successful authorization' do
-				ApiKey.stub(:find).and_return(ApiKey.new("SECRET API KEY"))
-				get "/url-restricted/foo", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
-				last_response.ok?.should be_true
-			end
-
-			it 'responds with a 401 when the header is not set' do
-				header("HTTP_X_API_KEY", nil)
-				get "/url-restricted/foo"
-				last_response.status.should == 401
-			end
-
-		end
-
-		context "and the requesting URL is not in the restricted list" do
-
-			it 'does not attempt to find the ApiKey with the header value' do
-				ApiKey.should_not_receive(:find).with("SECRET API KEY")
-				get "/url-restricted/bar"
-			end
+        use RackApiKey, :api_key_proc => Proc.new { |val| ApiKey.find(val) }
+        run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
+      end
+
+      map "/no-api-proc" do
+        use RackApiKey
+        run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
+      end
+
+      map "/all-options" do
+        use RackApiKey,
+          :api_key_proc => Proc.new { |val| ApiKey.find(val) },
+          :rack_api_key => "account.api.key",
+          :header_key => "HTTP_X_CUSTOM_API_HEADER"
+        run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
+      end
+
+      map "/url-restricted" do
+        use RackApiKey,
+          :api_key_proc => Proc.new { |val| ApiKey.find(val) },
+          :url_restriction => [/url-restricted\/foo/]
+        run lambda { |env| [200, {"Content-Type" => "text/html"}, "Testing Middleware"] }
+      end
+
+      map '/url-exclusion' do
+        use RackApiKey,
+          :api_key_proc => Proc.new { |val| ApiKey.find(val) },
+          :url_exclusion => [/url-exclusion\/foo/]
+        run lambda { |env| [200, { 'Content-Type' => 'text/html' }, 'Testing Middleware'] }
+      end
+
+    end
+
+  end
+
+  context "when using the predefined default middleware options" do
+
+    it 'attempts to find the ApiKey with the header value' do
+      ApiKey.should_receive(:find).with("SECRET API KEY")
+      get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
+    end
+
+    it 'responds with a 200 upon successful authorization' do
+      ApiKey.stub(:find).and_return(ApiKey.new("SECRET API KEY"))
+      get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
+      last_response.ok?.should be_true
+    end
+
+    it 'responds with a 401 when the ApiKey is not found' do
+      ApiKey.stub(:find).and_return(nil)
+      get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
+      last_response.status.should == 401
+    end
+
+    it 'responds with a 401 when the header is not set' do
+      header("HTTP_X_API_KEY", nil)
+      get "/"
+      last_response.status.should == 401
+    end
 
-			it 'responds with a 200 without the header set' do
-				get "/url-restricted/bar"
-				last_response.ok?.should be_true
-			end
-
-		end
+    it 'responds with a JSON formatted error message' do
+      header("HTTP_X_API_KEY", nil)
+      get "/"
+      last_response.body.should == "The API key provided is not authorized."
+    end
 
-	end
+    it 'sets the api key in the env' do
+      ApiKey.stub(:find).and_return(api_key = ApiKey.new("SECRET API KEY"))
+      get "/", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
+      last_request.env['rack_api_key'].should == api_key
+    end
+
+  end
+
+  context "when the API key lookup proc is not provided" do
+
+    it 'raises an error' do
+      expect { get "/no-api-proc", {}, {} }.to raise_error(NotImplementedError, "Caller must implement a way to lookup an API key.")
+    end
+
+  end
+
+  context "when all the options are specified" do
+
+    it 'attempts to find the ApiKey with the header value' do
+      ApiKey.should_receive(:find).with("SECRET API KEY")
+      get "/all-options", {}, "HTTP_X_CUSTOM_API_HEADER" => "SECRET API KEY"
+    end
+
+    it 'responds with a 200 upon successful authorization' do
+      ApiKey.stub(:find).and_return(ApiKey.new("SECRET API KEY"))
+      get "/all-options", {}, "HTTP_X_CUSTOM_API_HEADER" => "SECRET API KEY"
+      last_response.ok?.should be_true
+    end
+
+    it 'sets the api key in the env' do
+      ApiKey.stub(:find).and_return(api_key = ApiKey.new("SECRET API KEY"))
+      get "/all-options", {}, "HTTP_X_CUSTOM_API_HEADER" => "SECRET API KEY"
+      last_request.env['account.api.key'].should == api_key
+    end
+
+  end
+
+  context "when URL restriction is used" do
+
+    context "and the requesting URL matches the restricted list" do
+
+      it 'attempts to find the ApiKey with the header value' do
+        ApiKey.should_receive(:find).with("SECRET API KEY")
+        get "/url-restricted/foo", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
+      end
+
+      it 'responds with a 200 upon successful authorization' do
+        ApiKey.stub(:find).and_return(ApiKey.new("SECRET API KEY"))
+        get "/url-restricted/foo", {}, "HTTP_X_API_KEY" => "SECRET API KEY"
+        last_response.ok?.should be_true
+      end
+
+      it 'responds with a 401 when the header is not set' do
+        header("HTTP_X_API_KEY", nil)
+        get "/url-restricted/foo"
+        last_response.status.should == 401
+      end
+
+    end
+
+    context "and the requesting URL is not in the restricted list" do
+
+      it 'does not attempt to find the ApiKey with the header value' do
+        ApiKey.should_not_receive(:find).with("SECRET API KEY")
+        get "/url-restricted/bar"
+      end
+
+      it 'responds with a 200 without the header set' do
+        get "/url-restricted/bar"
+        last_response.ok?.should be_true
+      end
+
+    end
+
+  end
+
+  context 'when URL exclusion is used' do
+
+    context 'and the requesting URL matches the excluded list' do
+
+      it 'does not attempt to find the ApiKey with the header value' do
+        ApiKey.should_not_receive(:find)
+        get '/url-exclusion/foo'
+      end
+
+      it 'responds with a 200 without the header set' do
+        get '/url-exclusion/foo'
+        last_response.should be_ok
+      end
+
+    end
+
+    context 'and the requesting URL is not in the exclusion list' do
+
+      it 'attempts to find the ApiKey with the header value' do
+        ApiKey.should_receive(:find).with('SECRET API KEY')
+        get '/url-exclusion/bar', {}, 'HTTP_X_API_KEY' => 'SECRET API KEY'
+      end
+
+      it 'responds with a 200 upon successful authorization' do
+        ApiKey.stub(:find).and_return(ApiKey.new('SECRET API KEY'))
+        get '/url-exclusion/bar', {}, 'HTTP_X_API_KEY' => 'SECRET API KEY'
+        last_response.should be_ok
+      end
+
+      it 'responds with a 401 when the header is not set' do
+        header('HTTP_X_API_KEY', nil)
+        get '/url-exclusion/bar'
+        last_response.status.should eq 401
+      end
+
+    end
+
+  end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-api-key
 version: !ruby/object:Gem::Version
-  version: 0.0.2
+  version: 0.0.3
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-04-29 00:00:00.000000000 Z
+date: 2013-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -107,7 +107,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2860984967925191594
+      hash: -216640359850820027
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -116,7 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: 2860984967925191594
+      hash: -216640359850820027
 requirements: []
 rubyforge_project: 
 rubygems_version: 1.8.25