Added User API and userkey

app/controllers/application_controller.rb

@@ -2,7 +2,10 @@ class ApplicationController < ActionController::Base
   protect_from_forgery with: :exception
 
   rescue_from CanCan::AccessDenied do |exception|
-    redirect_to root_path, flash: { error: message_for(exception) }
+    respond_to do |format|
+      format.json { render json: [ "Diefstal is een misdrijf." ], status: :forbidden }
+      format.html { redirect_to root_path, flash: { error: message_for(exception) } }
+    end
   end
 
   def after_sign_in_path_for(resource)

app/controllers/users_controller.rb

@@ -23,8 +23,21 @@
 class UsersController < ApplicationController
   load_and_authorize_resource
   before_action :init, only: :show
+  skip_load_and_authorize_resource :only => :show
 
   def show
+    # TODO fix this with `authorize!`
+    if params[:id] && (@user.name != params[:id] && !@user.admin?)
+      respond_to do |format|
+        format.json { render json: ["Mind your own business"] }
+        format.html { redirect_to root_url }
+      end
+    else
+      respond_to do |format|
+        format.json { render json: @user }
+        format.html {}
+      end
+    end
   end
 
   def update
@@ -81,6 +94,17 @@ class UsersController < ApplicationController
   end
 
   def init
-    @user ||= current_user
+    @user ||= current_user || user_token || User.new
+  end
+
+  def user_token
+    @user_token ||= authenticate_with_http_token do |token, options|
+      User.find_by userkey: token
+    end
+  end
+
+  def reset_key
+    @user.generate_key!
+    redirect_to @user
   end
 end

app/models/user.rb

@@ -37,6 +37,7 @@ class User < ActiveRecord::Base
     where(name: auth.uid).first_or_create do |user|
       user.name = auth.uid
       user.avatar = Identicon.data_url_for auth.uid
+      user.generate_key!
     end
   end
 
@@ -89,4 +90,18 @@ class User < ActiveRecord::Base
       user.koelkast = true
     end
   end
+
+  def generate_key
+    set_key unless self.userkey
+  end
+
+  def generate_key!
+    set_key
+    self.save
+  end
+
+  private
+  def set_key
+    self.userkey = SecureRandom.base64(16)
+  end
 end

config/routes.rb

@@ -22,6 +22,7 @@ Rails.application.routes.draw do
     member do
       get 'quickpay'               => 'users#quickpay'
       get 'dagschotel/edit'        => 'users#edit_dagschotel', as: 'edit_dagschotel'
+      post :reset_key
     end
   end
 

db/migrate/20190408122720_add_api_token.rb

@@ -0,0 +1,10 @@
+class AddApiToken < ActiveRecord::Migration
+  def change
+    add_column :users, :userkey, :string
+
+    User.all.each do |user|
+      user.generate_key
+      user.save
+    end
+  end
+end

db/schema.rb

@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160304192839) do
+ActiveRecord::Schema.define(version: 20190408122720) do
 
   create_table "barcodes", force: :cascade do |t|
     t.integer  "product_id"
@@ -86,7 +86,8 @@ ActiveRecord::Schema.define(version: 20160304192839) do
     t.string   "name"
     t.boolean  "private",             default: false
     t.integer  "frecency",            default: 0,     null: false
-    t.boolean  "quickpay_hidden"
+    t.boolean  "quickpay_hidden",     default: false
+    t.string   "userkey"
   end
 
   add_index "users", ["koelkast"], name: "index_users_on_koelkast"