Add API keys / bearer tokens for forward auth

Enables server-to-server authentication for forward auth applications (e.g., video players accessing WebDAV) where browser cookies aren't available. API keys use clk_ prefixed tokens stored as HMAC hashes. Bearer token auth is checked before cookie auth in /api/verify. Invalid tokens return 401 JSON (no redirect). Requests without bearer tokens fall through to existing cookie flow unchanged. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-05 21:45:40 +11:00
parent 444ae6291c
commit fd8785a43d
15 changed files with 651 additions and 1 deletions
--- a/test/controllers/api/forward_auth_bearer_test.rb
+++ b/test/controllers/api/forward_auth_bearer_test.rb
@@ -0,0 +1,148 @@
+require "test_helper"
+
+module Api
+  class ForwardAuthBearerTest < ActionDispatch::IntegrationTest
+    setup do
+      @user = users(:bob)
+      @app = Application.create!(
+        name: "WebDAV App",
+        slug: "webdav-app",
+        app_type: "forward_auth",
+        domain_pattern: "webdav.example.com",
+        active: true
+      )
+      @api_key = @user.api_keys.create!(name: "Test Key", application: @app)
+      @token = @api_key.plaintext_token
+    end
+
+    test "valid bearer token returns 200 with user headers" do
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer #{@token}",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :ok
+      assert_equal @user.email_address, response.headers["x-remote-user"]
+      assert_equal @user.email_address, response.headers["x-remote-email"]
+    end
+
+    test "valid bearer token updates last_used_at" do
+      assert_nil @api_key.last_used_at
+
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer #{@token}",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :ok
+      assert @api_key.reload.last_used_at.present?
+    end
+
+    test "expired bearer token returns 401 JSON" do
+      @api_key.update_column(:expires_at, 1.hour.ago)
+
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer #{@token}",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :unauthorized
+      json = JSON.parse(response.body)
+      assert_equal "Invalid or expired API key", json["error"]
+    end
+
+    test "revoked bearer token returns 401 JSON" do
+      @api_key.revoke!
+
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer #{@token}",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :unauthorized
+      json = JSON.parse(response.body)
+      assert_equal "Invalid or expired API key", json["error"]
+    end
+
+    test "invalid bearer token returns 401 JSON" do
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer clk_totally_bogus_token",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :unauthorized
+      json = JSON.parse(response.body)
+      assert_equal "Invalid or expired API key", json["error"]
+    end
+
+    test "bearer token for wrong domain returns 401 JSON" do
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer #{@token}",
+        "X-Forwarded-Host" => "other.example.com"
+      }
+
+      assert_response :unauthorized
+      json = JSON.parse(response.body)
+      assert_equal "API key not valid for this domain", json["error"]
+    end
+
+    test "bearer token for inactive user returns 401 JSON" do
+      @user.update!(status: :disabled)
+
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer #{@token}",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :unauthorized
+      json = JSON.parse(response.body)
+      assert_equal "User account is not active", json["error"]
+    end
+
+    test "bearer token for inactive application returns 401 JSON" do
+      @app.update!(active: false)
+
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer #{@token}",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :unauthorized
+      json = JSON.parse(response.body)
+      assert_equal "Application is inactive", json["error"]
+    end
+
+    test "no bearer token falls through to cookie auth" do
+      # No auth header, no session -> should redirect (cookie flow)
+      get "/api/verify", headers: {
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :redirect
+      assert_match %r{/signin}, response.location
+    end
+
+    test "bearer token does not redirect on failure" do
+      get "/api/verify", headers: {
+        "Authorization" => "Bearer clk_bad",
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :unauthorized
+      assert_equal "application/json", response.media_type
+      # Should NOT be a redirect
+      assert_nil response.headers["Location"]
+    end
+
+    test "cookie auth still works when no bearer token present" do
+      sign_in_as(@user)
+
+      get "/api/verify", headers: {
+        "X-Forwarded-Host" => "webdav.example.com"
+      }
+
+      assert_response :ok
+      assert_equal @user.email_address, response.headers["x-remote-user"]
+    end
+  end
+end