diff --git a/app/routes/github-authorize.js b/app/routes/github-authorize.js
index 4ee10cd9a18..fca003a398a 100644
--- a/app/routes/github-authorize.js
+++ b/app/routes/github-authorize.js
@@ -19,7 +19,7 @@ export default Route.extend({
   async beforeModel(transition) {
     try {
       let queryParams = serializeQueryParams(transition.queryParams);
-      let resp = await fetch(`/authorize?${queryParams}`);
+      let resp = await fetch(`/api/private/session/authorize?${queryParams}`);
       let json = await resp.json();
       let item = JSON.stringify({ ok: resp.ok, data: json });
       if (window.opener) {
diff --git a/app/routes/github-login.js b/app/routes/github-login.js
index 904e386725b..30f6dcb5aa1 100644
--- a/app/routes/github-login.js
+++ b/app/routes/github-login.js
@@ -2,7 +2,7 @@ import Route from '@ember/routing/route';
 import ajax from 'ember-fetch/ajax';
 
 /**
- * Calling this route will query the `/authorize_url` API endpoint
+ * Calling this route will query the `/api/private/session/begin` API endpoint
  * and redirect to the received URL to initiate the OAuth flow.
  *
  * Example URL:
@@ -16,7 +16,7 @@ import ajax from 'ember-fetch/ajax';
  */
 export default Route.extend({
   async beforeModel() {
-    let url = await ajax(`/authorize_url`);
+    let url = await ajax(`/api/private/session/begin`);
     window.location = url.url;
   },
 });
diff --git a/app/routes/logout.js b/app/routes/logout.js
index 7fc5fd7bb30..3cb5d59419f 100644
--- a/app/routes/logout.js
+++ b/app/routes/logout.js
@@ -7,7 +7,7 @@ export default Route.extend({
   session: service(),
 
   async activate() {
-    await ajax(`/logout`, { method: 'DELETE' });
+    await ajax(`/api/private/session`, { method: 'DELETE' });
     run(() => {
       this.session.logoutUser();
       this.transitionTo('index');
diff --git a/src/controllers/user/session.rs b/src/controllers/user/session.rs
index 05b924409aa..96aac813d66 100644
--- a/src/controllers/user/session.rs
+++ b/src/controllers/user/session.rs
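Review bot: `let item = JSON.stringify({ ok: resp.ok, data: json })` derives success from the HTTP status alone, while the test change in src/tests/user.rs in this same commit pins a 200 for the "invalid state" rejection, so a rejected OAuth callback reaches the opener as `ok: true` carrying an error body. Until the backend answers with a 4xx, take the payload into account as well, e.g. `let item = JSON.stringify({ ok: resp.ok && !json.errors, data: json });`. The hand-off to `window.opener` lies past the end of the hunk; if it is a `postMessage`, it should name the site's own origin rather than `'*'`, because `data` is the raw body of the session-creating response. `beforeModel` continues beyond this hunk.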
@@ -10,7 +10,7 @@ use crate::models::{NewUser, User};
 use crate::schema::users;
 use crate::util::errors::{AppError, ReadOnlyMode};
 
-/// Handles the `GET /authorize_url` route.
+/// Handles the `GET /api/private/session/begin` route.
 ///
 /// This route will return an authorization URL for the GitHub OAuth flow including the crates.io
 /// `client_id` and a randomly generated `state` secret.
@@ -25,7 +25,7 @@ use crate::util::errors::{AppError, ReadOnlyMode};
 /// "url": "https://github.com/login/oauth/authorize?client_id=...&state=...&scope=read%3Aorg"
 /// }
 /// ```
-pub fn github_authorize(req: &mut dyn Request) -> AppResult {
+pub fn begin(req: &mut dyn Request) -> AppResult {
     let (url, state) = req
         .app()
         .github
@@ -45,7 +45,7 @@ pub fn github_authorize(req: &mut dyn Request) -> AppResult {
     }))
 }
 
-/// Handles the `GET /authorize` route.
+/// Handles the `GET /api/private/session/authorize` route.
 ///
 /// This route is called from the GitHub API OAuth flow after the user accepted or rejected
 /// the data access permissions. It will check the `state` parameter and then call the GitHub API
@@ -73,7 +73,7 @@ pub fn github_authorize(req: &mut dyn Request) -> AppResult {
 /// }
 /// }
 /// ```
-pub fn github_access_token(req: &mut dyn Request) -> AppResult {
+pub fn authorize(req: &mut dyn Request) -> AppResult {
     // Parse the url query
     let mut query = req.query();
     let code = query.remove("code").unwrap_or_default();
@@ -144,7 +144,7 @@ impl GithubUser {
     }
 }
 
-/// Handles the `GET /logout` route.
+/// Handles the `DELETE /api/private/session` route.
 pub fn logout(req: &mut dyn Request) -> AppResult {
     req.session().remove(&"user_id".to_string());
     Ok(req.json(&true))
diff --git a/src/router.rs b/src/router.rs
index 86bcce0ea81..a4b01ef9e02 100644
--- a/src/router.rs
+++ b/src/router.rs
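Review bot: `req.session().remove(&"user_id".to_string())` in `logout` drops only the user id; anything else the login flow stored in the cookie session survives the logout and the session itself is not regenerated — the `state` that `begin` generates is the obvious candidate, though where it is stored is outside this hunk. If the session API offers a clear-all or a reset, prefer that here; otherwise document the narrow scope so the next reader does not assume full invalidation, e.g. `// Only `user_id` is dropped; other session keys (e.g. the OAuth state) are left in place.`. The `to_string()` on a literal key suggests `remove` takes `&String`; a `&str`-accepting signature would avoid the allocation, but that lives outside this diff. The updated doc line correctly reads `DELETE`, matching the router change.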
@@ -112,9 +112,13 @@ pub fn build_router(app: &App) -> R404 {
     router.head("/api/v1/*path", R(Arc::clone(&api_router)));
     router.delete("/api/v1/*path", R(api_router));
 
-    router.get("/authorize_url", C(user::session::github_authorize));
-    router.get("/authorize", C(user::session::github_access_token));
-    router.delete("/logout", C(user::session::logout));
+    // Session management
+    router.get("/api/private/session/begin", C(user::session::begin));
+    router.get(
+        "/api/private/session/authorize",
+        C(user::session::authorize),
+    );
+    router.delete("/api/private/session", C(user::session::logout));
 
     // Only serve the local checkout of the git index in development mode.
     // In production, for crates.io, cargo gets the index from
diff --git a/src/tests/user.rs b/src/tests/user.rs
index 5f22111d08d..6b7ad7a6e12 100644
--- a/src/tests/user.rs
+++ b/src/tests/user.rs
@@ -106,14 +106,16 @@ impl crate::util::MockAnonymousUser {
 
 #[test]
 fn auth_gives_a_token() {
     let (_, anon) = TestApp::init().empty();
-    let json: AuthResponse = anon.get("/authorize_url").good();
+    let json: AuthResponse = anon.get("/api/private/session/begin").good();
     assert!(json.url.contains(&json.state));
 }
 
 #[test]
 fn access_token_needs_data() {
     let (_, anon) = TestApp::init().empty();
-    let json = anon.get::<()>("/authorize").bad_with_status(200); // Change endpoint to 400?
+    let json = anon
+        .get::<()>("/api/private/session/authorize")
+        .bad_with_status(200); // Change endpoint to 400?
     assert!(json.errors[0].detail.contains("invalid state"));
 }
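Review bot: The three `/api/private/session/*` routes are registered directly on the root `router` with `C(...)`, whereas the `/api/v1/*path` lines just above dispatch through `api_router`; whatever `api_router` wraps around its handlers (not visible here) therefore does not apply to these routes despite the shared `/api/` prefix. Say so in the new comment so nobody assumes prefix-based coverage: `// Session management (mounted on the root router, not behind api_router)`. If `api_router` carries anything that should also guard session creation and teardown, these routes should be mounted through it instead. `build_router` starts before this hunk.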
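Review bot: `access_token_needs_data` still asserts `bad_with_status(200)` for a request the handler rejects with "invalid state", so the test now actively guards an authentication failure being reported as HTTP 200, and the `// Change endpoint to 400?` question is carried over instead of resolved. Change the expectation to `.bad_with_status(400)` together with the handler (outside this diff) answering a missing or mismatched `state` with a client error, since the frontend's `ok: resp.ok` in github-authorize.js takes the status at face value. If that has to wait, replace the trailing question with a TODO that names the tracking issue so it does not linger as an open question in a test.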