Limited permission API keys #667

Closed
wants to merge 8 commits into from
35 changes: 35 additions & 0 deletions features/api_keys.feature
Expand Up @@ -6,6 +6,10 @@ Feature: API Keys
API keys are used to make authenticated requests by sending an HTTP Basic
Auth header, using the key as the username, with no password.

API keys by default have full access to perform any operation on your
marketplace. You can create API keys with limited permissions that have
restricted access.

Scenario: Create an API Key for a new marketplace
To obtain a key, one must be created. This is done through an
unauthenticated API request.
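Review bot: The new paragraph (lines starting "API keys by default have full access") introduces limited-permission keys without naming the mechanism or its boundary. Since the only way to create a key shown here is an (authenticated or unauthenticated) POST to /api_keys, state whether a key created by a scoped key is bounded by its creator's scopes; otherwise a scope granting write on /api_keys is equivalent to full access. A sentence such as "Restrictions are expressed as a list of `scopes`, each naming a path and the permissions allowed on it" would also let readers find the model before the scenario further down.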
Expand Down Expand Up @@ -48,3 +52,34 @@ Feature: API Keys
When I DELETE to /api_keys/:api_key giving the key
Then I should get a 204 OK status code
And there should be no response body

Scenario: Create an API key with limited permissions
By specifying permissions for a key you can restrict the operations that
it is able to perform to either being able to write (POST, DELETE, and PUT)
or read (GET) to a set of endpoints.

Given I have created an API key
When I POST to /api_keys with the body:
"""
{
"api_keys": [{
"scopes": [
{
"path": "/customers",
"permissions": ["read", "write"]
},
{
"path": "/debits",
"permissions": ["read"]
}
]
}]
}
"""
Then I should get a 201 Created status code
And the response is valid according to the "api_keys" schema
When I POST to /customers
Then I should get a 201 Created status code
And the response is valid according to the "customers" schema
When I POST to /debits
Then I should get a 401 Unauthorized status code
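Review bot: "Then I should get a 401 Unauthorized status code" for the POST to /debits describes an authorization failure, not an authentication one: the key is valid and identified, it simply lacks write permission on that path, so 403 Forbidden is the fitting status (401 invites the client to retry with credentials). The scenario also leaves the negative side thin: it never checks a PUT or DELETE against the read-only /debits scope, nor a request to a path that appears in no scope, and the steps do not say which key the later POST requests are sent with (the full-access key from "Given I have created an API key" or the newly scoped one). Finally, the description says permissions restrict a key "to either being able to write (POST, DELETE, and PUT) or read (GET)", but the example grants both on /customers; "any combination of" reads more accurately than "either ... or".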
1 change: 1 addition & 0 deletions features/debits.feature
Expand Up @@ -152,6 +152,7 @@ Feature: Debit a card or bank account
Then I should get a 201 Created status code
And the response is valid according to the "debits" schema

@focus
Scenario: Debit a verified bank account
Given I have a verified bank account
When I make a POST request to the link "bank_accounts.debits" with the body:
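Review bot: The added "@focus" tag above "Scenario: Debit a verified bank account" looks like a leftover from local debugging; a focus tag typically restricts the suite to the tagged scenario, which would silently skip the rest of the features in CI. Drop it before merging, as it is the only change in this file and unrelated to the PR's purpose.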
8 changes: 6 additions & 2 deletions fixtures/_models/api_key.json
Expand Up @@ -25,14 +25,18 @@
"type": "object",
"properties": {},
"additionalProperties": false
}
},
"scopes": {
"type": "object"
@mjallday: Can you define the schema for scopes?

}
},
"required": [
"id",
"href",
"created_at",
"meta",
"links"
"links",
"scopes"
],
"additionalProperties": false
}
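Review bot: `"scopes": { "type": "object" }` contradicts the feature file in this same PR, which sends `scopes` as an array of `{ "path": ..., "permissions": [...] }` objects; as written the schema validation step would fail or, worse, accept anything shaped like an object. Define it as `"type": "array"` whose items require a string `path` and a `permissions` array with an enum of `"read"` and `"write"`, and set `"additionalProperties": false` on the item, matching the strictness already used for `meta` a few lines above. Adding `"scopes"` to `required` also means the response for a default full-access key must carry the field (presumably an empty array); that behaviour should be spelled out in api_keys.feature.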