feat(api_key): implement API key management with creation, retrieval, and deletion endpoints

2025-09-06 16:18:32 +02:00
parent b83b7acf1c
commit 508f218fc0
22 changed files with 520 additions and 11 deletions
--- a/thoughts-backend/tests/api/api_key.rs
+++ b/thoughts-backend/tests/api/api_key.rs
@@ -0,0 +1,79 @@
+use crate::api::main::{create_user_with_password, login_user, setup};
+use axum::http::{header, HeaderName, StatusCode};
+use http_body_util::BodyExt;
+use serde_json::{json, Value};
+use utils::testing::{make_jwt_request, make_request_with_headers};
+
+#[tokio::test]
+async fn test_api_key_flow() {
+    let app = setup().await;
+    let _ = create_user_with_password(&app.db, "apikey_user", "password123").await;
+    let jwt = login_user(app.router.clone(), "apikey_user", "password123").await;
+
+    // 1. Create a new API key using JWT auth
+    let create_body = json!({ "name": "My Test Key" }).to_string();
+    let response = make_jwt_request(
+        app.router.clone(),
+        "/users/me/api-keys",
+        "POST",
+        Some(create_body),
+        &jwt,
+    )
+    .await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    let body = response.into_body().collect().await.unwrap().to_bytes();
+    let v: Value = serde_json::from_slice(&body).unwrap();
+
+    let plaintext_key = v["plaintext_key"]
+        .as_str()
+        .expect("Plaintext key not found")
+        .to_string();
+    let key_id = v["id"].as_str().expect("Key ID not found").to_string();
+    assert!(plaintext_key.starts_with("th_"));
+
+    // 2. Use the new API key to post a thought
+
+    let thought_body = json!({ "content": "Posting with an API key!" }).to_string();
+    let key = plaintext_key.clone();
+    let api_key_header = format!("ApiKey {}", key);
+    let content_type = "application/json";
+    let headers: Vec<(HeaderName, &str)> = vec![
+        (header::AUTHORIZATION, &api_key_header),
+        (header::CONTENT_TYPE, content_type),
+    ];
+
+    let response = make_request_with_headers(
+        app.router.clone(),
+        "/thoughts",
+        "POST",
+        Some(thought_body),
+        headers,
+    )
+    .await;
+
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // 3. Delete the API key using JWT auth
+    let response = make_jwt_request(
+        app.router.clone(),
+        &format!("/users/me/api-keys/{}", key_id),
+        "DELETE",
+        None,
+        &jwt,
+    )
+    .await;
+    assert_eq!(response.status(), StatusCode::NO_CONTENT);
+
+    // 4. Try to use the deleted key again, expecting failure
+    let body = json!({ "content": "This should fail" }).to_string();
+    let headers: Vec<(HeaderName, &str)> = vec![
+        (header::AUTHORIZATION, &api_key_header),
+        (header::CONTENT_TYPE, content_type),
+    ];
+
+    let response =
+        make_request_with_headers(app.router.clone(), "/thoughts", "POST", Some(body), headers)
+            .await;
+    assert_eq!(response.status(), StatusCode::UNAUTHORIZED);
+}