Merge branch 'jastkand/gitlab-ce-fix-api-auth' into 'master'

Jastkand/gitlab ce fix api auth Fixes https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/209 See merge request !1232

Merge branch 'jastkand/gitlab-ce-fix-api-auth' into 'master'
Jastkand/gitlab ce fix api auth Fixes https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/209 See merge request !1232
5cab9d6f · Dmitriy Zaporozhets · d7c50b4a · e1c48f14 · 5cab9d6f · 5cab9d6f
Commit 5cab9d6f authored Nov 04, 2014 by Dmitriy Zaporozhets
6 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -5,6 +5,7 @@ v 7.5.0
  - Fix LDAP config lookup for provider 'ldap'
  - Add Atlassian Bamboo CI service (Drew Blessing)
  - Mentioned @user will receive email even if he is not participating in issue or commit
+  - Session API: Use case-insensitive authentication like in UI (Andrey Krivko)
  - Tie up loose ends with annotated tags: API & UI (Sean Edge)
  - Return valid json for deleting branch via API (sponsored by O'Reilly Media)
  - Expose username in project events API (sponsored by O'Reilly Media)

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -226,6 +226,11 @@ class User < ActiveRecord::Base
      where("lower(name) LIKE :query OR lower(email) LIKE :query OR lower(username) LIKE :query", query: "%#{query.downcase}%")
    end

+    def by_login(login)
+      where('lower(username) = :value OR lower(email) = :value',
+            value: login.to_s.downcase).first
+    end
+
    def by_username_or_id(name_or_id)
      where('users.username = ? OR users.id = ?', name_or_id.to_s, name_or_id.to_i).first
    end

--- a/lib/gitlab/auth.rb
+++ b/lib/gitlab/auth.rb
 module Gitlab
  class Auth
    def find(login, password)
-      user = User.find_by(email: login) || User.find_by(username: login)
+      user = User.by_login(login)

      # If no user is found, or it's an LDAP server, try LDAP.
      #   LDAP users are only authenticated via LDAP

--- a/spec/lib/gitlab/auth_spec.rb
+++ b/spec/lib/gitlab/auth_spec.rb
@@ -10,13 +10,21 @@ describe Gitlab::Auth do
        password: password,
        password_confirmation: password)
    end
-    let(:username) { 'john' }
+    let(:username) { 'John' }     # username isn't lowercase, test this
    let(:password) { 'my-secret' }

    it "should find user by valid login/password" do
      expect( gl_auth.find(username, password) ).to eql user
    end

+    it 'should find user by valid email/password with case-insensitive email' do
+      expect(gl_auth.find(user.email.upcase, password)).to eql user
+    end
+
+    it 'should find user by valid username/password with case-insensitive username' do
+      expect(gl_auth.find(username.upcase, password)).to eql user
+    end
+
    it "should not find user with invalid password" do
      password = 'wrong'
      expect( gl_auth.find(username, password) ).to_not eql user

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -287,6 +287,20 @@ describe User do
    end
  end

+  describe '.by_login' do
+    let(:username) { 'John' }
+    let!(:user) { create(:user, username: username) }
+
+    it 'should get the correct user' do
+      expect(User.by_login(user.email.upcase)).to eq user
+      expect(User.by_login(user.email)).to eq user
+      expect(User.by_login(username.downcase)).to eq user
+      expect(User.by_login(username)).to eq user
+      expect(User.by_login(nil)).to be_nil
+      expect(User.by_login('')).to be_nil
+    end
+  end
+
  describe 'all_ssh_keys' do
    it { should have_many(:keys).dependent(:destroy) }


--- a/spec/requests/api/session_spec.rb
+++ b/spec/requests/api/session_spec.rb
@@ -19,6 +19,32 @@ describe API::API, api: true  do
      end
    end

+    context 'when email has case-typo and password is valid' do
+      it 'should return private token' do
+        post api('/session'), email: user.email.upcase, password: '12345678'
+        expect(response.status).to eq 201
+
+        expect(json_response['email']).to eq user.email
+        expect(json_response['private_token']).to eq user.private_token
+        expect(json_response['is_admin']).to eq user.is_admin?
+        expect(json_response['can_create_project']).to eq user.can_create_project?
+        expect(json_response['can_create_group']).to eq user.can_create_group?
+      end
+    end
+
+    context 'when login has case-typo and password is valid' do
+      it 'should return private token' do
+        post api('/session'), login: user.username.upcase, password: '12345678'
+        expect(response.status).to eq 201
+
+        expect(json_response['email']).to eq user.email
+        expect(json_response['private_token']).to eq user.private_token
+        expect(json_response['is_admin']).to eq user.is_admin?
+        expect(json_response['can_create_project']).to eq user.can_create_project?
+        expect(json_response['can_create_group']).to eq user.can_create_group?
+      end
+    end
+
    context "when invalid password" do
      it "should return authentication error" do
        post api("/session"), email: user.email, password: '123'