All checks were successful
Ruby on Rails Test / rails-test (push) Successful in 1m7s
- Added dedicated CartsController for session-based cart storage
- Refactored routes to use POST /api/v1/carts/store
- Updated ticket selection JS to use dynamic data attributes for URLs
- Fixed CSRF protection in API and checkout payment increment
- Made checkout button URLs dynamic via data attributes
- Updated tests for new cart storage endpoint
- Removed obsolete store_cart from EventsController
27 lines
966 B
Ruby
Executable File
# Base controller for API endpoints
# Provides authentication and common functionality for API controllers
class ApiController < ApplicationController
  # CSRF handling for API requests. Note that this does not disable the
  # authenticity check: `protect_from_forgery` with no `with:` option falls back
  # to the :null_session strategy, so a request without a valid CSRF token is
  # still served, but with an empty session for its duration, instead of
  # raising as `with: :exception` would. `prepend: true` runs this check before
  # authenticate_api_key. Controllers inheriting from here that rely on the
  # session must therefore send the token (or call skip_forgery_protection and
  # rely on the API key alone) if they expect the session to be available.
  protect_from_forgery prepend: true

  # Authenticate all API requests using the API key
  # Runs before any API action
  before_action :authenticate_api_key

  private

  # Authenticates API requests using the X-API-Key header or api_key parameter
  # Returns 401 Unauthorized if the key is invalid or missing
  def authenticate_api_key
    # Extract the API key from the header or query parameter. The header is
    # preferred: a key passed as a query parameter tends to end up in access
    # logs, browser history and Referer headers.
    api_key = request.headers["X-API-Key"] || params[:api_key]

    # Validate against encrypted credentials, falling back to an environment variable
    expected_key = Rails.application.credentials.api_key || ENV["API_KEY"]

    # Reject everything when no key is configured (otherwise an empty key on
    # both sides would compare equal), and compare in constant time so the
    # response time does not reveal how many leading bytes matched.
    unless expected_key.present? &&
        ActiveSupport::SecurityUtils.secure_compare(api_key.to_s, expected_key.to_s)
      render json: { error: "Unauthorized" }, status: :unauthorized
    end
  end
end
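The key check above, as an added example that is not part of the project's code: it reimplements the header-or-parameter lookup and the comparison as plain Ruby so it runs without Rails, and exercises the failure modes the controller has to get right (missing key, unconfigured server, truncated key, header overriding parameter). `headers` and `params` are constructed Hash stand-ins for `request.headers` and `params`, and `secure_compare` is written out by hand to show the constant-time technique that `ActiveSupport::SecurityUtils.secure_compare` applies.

```ruby
require "digest"

# Constant-time string equality. Both inputs are hashed to a fixed 32 bytes
# first (the approach ActiveSupport::SecurityUtils.secure_compare takes since
# Rails 5.2), so the comparison never short-circuits on length or on the first
# differing byte: every byte is XORed into an accumulator and only the final
# result is inspected.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)

  da = Digest::SHA256.digest(a).bytes
  db = Digest::SHA256.digest(b).bytes
  diff = 0
  da.each_with_index { |byte, i| diff |= byte ^ db[i] }
  diff.zero?
end

# Header takes precedence over the parameter, as in ApiController.
# headers/params are constructed Hashes standing in for request.headers/params.
def extract_api_key(headers, params)
  headers["X-API-Key"] || params["api_key"]
end

UNAUTHORIZED = [401, { error: "Unauthorized" }].freeze
OK = [200, { ok: true }].freeze

# Returns a [status, body] pair instead of rendering. expected_key is what
# Rails.application.credentials.api_key || ENV["API_KEY"] would yield; nil or ""
# means the server is not configured and every request is refused (without this
# guard a request carrying no key would match an unconfigured server, because
# the two empty values compare equal).
def authenticate_api_key(headers, params, expected_key)
  api_key = extract_api_key(headers, params)
  return UNAUTHORIZED if expected_key.to_s.empty?
  return UNAUTHORIZED unless secure_compare(api_key.to_s, expected_key.to_s)

  OK
end

if $PROGRAM_NAME == __FILE__
  p authenticate_api_key({ "X-API-Key" => "s3cret" }, {}, "s3cret")
  p authenticate_api_key({}, { "api_key" => "wrong" }, "s3cret")
  p authenticate_api_key({}, {}, nil)
end
```

The `expected_key` guard is the one that is easy to drop: with a plain `==` and no `present?` check, an unconfigured deployment (`nil` on both sides) would let every request through, so the example keeps that test alongside the constant-time comparison.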