Beispiel #1
 def test_user_not_active(self):
     """A personal API key owned by a deactivated user is rejected with 401."""
     # Deactivate the account first; the key is then created and saved as usual,
     # so the only thing that should block the request is the owner's state.
     self.user.is_active = False
     self.user.save()
     api_key = PersonalAPIKey(label="Test", team=self.team, user=self.user)
     api_key.save()
     auth_header = f"Bearer {api_key.value}"
     response = self.client.get("/api/user/", HTTP_AUTHORIZATION=auth_header)
     self.assertEqual(response.status_code, 401)
 def test_query_string(self):
     """A key passed as the ``personal_api_key`` query parameter authenticates the request."""
     api_key = PersonalAPIKey(label="Test", user=self.user)
     api_key.save()
     # NOTE(review): a credential carried in the URL tends to end up in access logs,
     # browser history and Referer headers; the Authorization header is the safer
     # transport where the client can set one.
     url = f"/api/projects/{self.team.id}/dashboards/?personal_api_key={api_key.value}"
     response = self.client.get(url)
     self.assertEqual(response.status_code, 200)
 def test_user_endpoint(self):
     """A Bearer personal API key is accepted on ``/api/user``."""
     # special case as /api/user/ is (or used to be) uniquely not DRF (vanilla Django instead),
     # so it needs its own check that key authentication is wired in.
     api_key = PersonalAPIKey(label="Test", team=self.team, user=self.user)
     api_key.save()
     bearer = f"Bearer {api_key.value}"
     response = self.client.get("/api/user", HTTP_AUTHORIZATION=bearer)
     self.assertEqual(response.status_code, 200)
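 def test_delete_personal_api_key(self):
     """Deleting one's own key answers 204 and leaves no key row behind."""
     key = PersonalAPIKey(label="Test", team=self.team, user=self.user)
     key.save()
     # count() lets the database do the counting instead of loading every key object.
     self.assertEqual(PersonalAPIKey.objects.count(), 1)
     response = self.client.delete(f"/api/personal_api_keys/{key.id}/")
     self.assertEqual(response.status_code, 204)
     self.assertEqual(PersonalAPIKey.objects.count(), 0)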
Beispiel #5
 def test_personal_api_key(self, patch_process_event_with_plugins):
     """An event sent with a personal API key and ``project_id`` is processed for that team.

     The check is made on the arguments recorded by the patched processing
     function (read back through ``_to_arguments``), not on the HTTP status.
     """
     api_key = PersonalAPIKey(label="X", user=self.user)
     api_key.save()
     elements = [
         {"tag_name": "a", "nth_child": 1, "nth_of_type": 2, "attr__class": "btn btn-sm"},
         {"tag_name": "div", "nth_child": 1, "nth_of_type": 2, "$el_text": "💻"},
     ]
     data = {
         "event": "$autocapture",
         "api_key": api_key.value,
         "project_id": self.team.id,
         "properties": {"distinct_id": 2, "$elements": elements},
     }
     now = timezone.now()
     # The request runs with the clock frozen and under a fixed query budget.
     with freeze_time(now), self.assertNumQueries(5):
         response = self.client.get(
             f"/e/?data={quote(self._to_json(data))}", HTTP_ORIGIN="https://localhost"
         )
     # NOTE(review): this pins that the endpoint echoes the request Origin in
     # Access-Control-Allow-Origin; whether credentials are allowed alongside it
     # is not visible from this test.
     self.assertEqual(response.get("access-control-allow-origin"), "https://localhost")
     recorded = self._to_arguments(patch_process_event_with_plugins)
     for volatile in ("now", "sent_at"):
         recorded.pop(volatile)  # can't compare fakedate
     expected = {
         "distinct_id": "2",
         "ip": "127.0.0.1",
         "site_url": "http://testserver",
         "data": data,
         "team_id": self.team.pk,
     }
     self.assertDictEqual(recorded, expected)
Beispiel #6
 def test_get_someone_elses_personal_api_key(self):
     """Fetching another user's key by id is answered with 404 and the generic not-found body."""
     stranger = self._create_user("*****@*****.**")
     foreign_key = PersonalAPIKey(label="Other test", team=self.team, user=stranger)
     foreign_key.save()
     # Same team, different owner: the lookup must look exactly like a missing
     # object, so a caller cannot tell which key ids exist.
     response = self.client.get(f"/api/personal_api_keys/{foreign_key.id}/")
     self.assertEqual(response.status_code, 404)
     self.assertDictEqual(response.json(), self.ERROR_RESPONSE_NOT_FOUND)
Beispiel #7
 def test_feature_flags_with_personal_api_key(self):
     """Decide returns the team's single flag when called with ``personal_api_key``."""
     api_key = PersonalAPIKey(label="X", user=self.user, team=self.team)
     api_key.save()
     Person.objects.create(team=self.team, distinct_ids=["example_id"])
     FeatureFlag.objects.create(
         team=self.team,
         rollout_percentage=100,
         name="Test",
         key="test",
         created_by=self.user,
     )
     payload = {"distinct_id": "example_id", "personal_api_key": api_key.value}
     response = self._post_decide(payload)
     self.assertEqual(len(response["featureFlags"]), 1)
Beispiel #8
    def test_personal_api_key_without_project_id(self):
        """A personal key sent as ``api_key`` with no ``project_id`` is rejected with 401."""
        personal_key = PersonalAPIKey(label="X", user=self.user)
        personal_key.save()
        Person.objects.create(team=self.team, distinct_ids=["example_id"])

        # No project_id accompanies the key, so the request has nothing that
        # selects a project and the project-key error is expected.
        payload = {"distinct_id": "example_id", "api_key": personal_key.value}
        response = self._post_decide(payload)
        self.assertEqual(response.status_code, 401)
        error_message = response.json()["message"]
        self.assertEqual(
            error_message,
            "Project API key invalid. You can find your project API key in PostHog project settings.",
        )
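 def test_list_only_user_personal_api_keys(self):
     """The key list endpoint returns only the requesting user's keys."""
     my_label = "Test"
     my_key = PersonalAPIKey(label=my_label, team=self.team, user=self.user)
     my_key.save()
     other_user = self._create_user("*****@*****.**")
     other_key = PersonalAPIKey(label="Other test", team=self.team, user=other_user)
     other_key.save()
     # Two keys exist overall; count() avoids loading the rows just to measure them.
     self.assertEqual(PersonalAPIKey.objects.count(), 2)
     response = self.client.get("/api/personal_api_keys")
     self.assertEqual(response.status_code, 200)
     response_data = response.json()
     # Only the caller's key may be listed, although the other key is on the same team.
     self.assertEqual(len(response_data), 1)
     response_data[0].pop("created_at")
     # assertDictEqual is exact, so this also pins that the listing carries no
     # field holding the key's secret value.
     self.assertDictEqual(
         response_data[0],
         {
             "id": my_key.id,
             "label": my_label,
             "last_used_at": None,
             "user_id": self.user.id,
             "team_id": self.team.id,
         },
     )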
Beispiel #10
    def test_personal_api_key_from_batch_request(self, patch_process_event_with_plugins):
        """A batch (list) payload authenticated by personal API key is accepted and processed.

        The single event of the batch is expected to reach the patched processing
        function unchanged, attributed to the team named by ``project_id``.
        """
        # Originally issue POSTHOG-2P8
        api_key = PersonalAPIKey(label="X", user=self.user)
        api_key.save()
        distinct_id = "94b03e599131fd5026b"
        event = {
            "event": "$pageleave",
            "api_key": api_key.value,
            "project_id": self.team.id,
            "properties": {
                "$os": "Linux",
                "$browser": "Chrome",
                "$device_type": "Desktop",
                "distinct_id": distinct_id,
                # as this is invalid, will do API key authentication
                "token": "fake token",
            },
            "timestamp": "2021-04-20T19:11:33.841Z",
        }
        data = [event]
        response = self.client.get(f"/e/?data={quote(self._to_json(data))}")
        self.assertEqual(response.status_code, status.HTTP_200_OK)

        recorded = self._to_arguments(patch_process_event_with_plugins)
        for volatile in ("now", "sent_at"):
            recorded.pop(volatile)  # can't compare fakedate
        expected = {
            "distinct_id": distinct_id,
            "ip": "127.0.0.1",
            "site_url": "http://testserver",
            "data": event,
            "team_id": self.team.id,
        }
        self.assertDictEqual(recorded, expected)
 def test_get_own_personal_api_key(self):
     """Fetching one's own key by id returns 200 and the key's metadata."""
     label = "Test"
     own_key = PersonalAPIKey(label=label, user=self.user)
     own_key.save()
     response = self.client.get(f"/api/personal_api_keys/{own_key.id}/")
     self.assertEqual(response.status_code, 200)
     body = response.json()
     body.pop("created_at")
     # The comparison is exact: after dropping created_at the body holds only
     # these four fields, so the key's secret value is not returned here.
     expected = {
         "id": own_key.id,
         "label": label,
         "last_used_at": None,
         "user_id": self.user.id,
     }
     self.assertDictEqual(body, expected)
Beispiel #12
    def test_personal_api_key_without_project_id(self):
        """A personal key sent as ``api_key`` with no ``project_id`` yields a structured 401."""
        personal_key = PersonalAPIKey(label="X", user=self.user)
        personal_key.save()
        Person.objects.create(team=self.team, distinct_ids=["example_id"])

        payload = {"distinct_id": "example_id", "api_key": personal_key.value}
        response = self._post_decide(payload)
        self.assertEqual(response.status_code, status.HTTP_401_UNAUTHORIZED)
        # The whole error body is pinned, not just the message text.
        expected_error = {
            "type": "authentication_error",
            "code": "invalid_api_key",
            "detail": "Project API key invalid. You can find your project API key in PostHog project settings.",
            "attr": None,
        }
        self.assertEqual(response.json(), expected_error)
Beispiel #13
 def test_missing_token(self):
     """With ``api_key`` set to None, decide answers 200 but exposes no flags or recording."""
     # A personal key exists for the user but is deliberately not sent.
     PersonalAPIKey(label="X", user=self.user).save()
     Person.objects.create(team=self.team, distinct_ids=["example_id"])
     FeatureFlag.objects.create(
         team=self.team, rollout_percentage=100, name="Test", key="test", created_by=self.user
     )
     payload = {"distinct_id": "example_id", "api_key": None, "project_id": self.team.id}
     response = self._post_decide(payload)
     self.assertEqual(response.status_code, status.HTTP_200_OK)
     body = response.json()
     # project_id alone must not unlock the team's data: the flag created above
     # is absent and session recording is off.
     self.assertEqual(body["featureFlags"], [])
     self.assertFalse(body["sessionRecording"])
Beispiel #14
 def test_feature_flags_with_personal_api_key(self):
     """Posting to ``/decide/`` with ``personal_api_key`` returns the team's single flag."""
     api_key = PersonalAPIKey(label="X", user=self.user, team=self.team)
     api_key.save()
     Person.objects.create(team=self.team, distinct_ids=["example_id"])
     FeatureFlag.objects.create(
         team=self.team, rollout_percentage=100, name="Test", key="test", created_by=self.user
     )
     # The JSON document travels inside the form field "data".
     encoded = json.dumps({"distinct_id": "example_id", "personal_api_key": api_key.value})
     http_response = self.client.post(
         "/decide/", {"data": encoded}, HTTP_ORIGIN="http://127.0.0.1:8000"
     )
     response = http_response.json()
     self.assertEqual(len(response["featureFlags"]), 1)
Beispiel #15
 def test_feature_flags_with_personal_api_key(self):
     """Decide lists only the active flags when called with a personal key plus ``project_id``."""
     api_key = PersonalAPIKey(label="X", user=self.user)
     api_key.save()
     Person.objects.create(team=self.team, distinct_ids=["example_id"])
     # Fully rolled-out flag: expected in the result.
     FeatureFlag.objects.create(
         team=self.team, rollout_percentage=100, name="Test", key="test", created_by=self.user
     )
     # disabled flag: must not appear in the result.
     FeatureFlag.objects.create(
         team=self.team,
         rollout_percentage=100,
         name="Disabled",
         key="disabled",
         created_by=self.user,
         active=False,
     )
     # enabled for everyone
     everyone_filter = {"groups": [{"properties": [], "rollout_percentage": None}]}
     FeatureFlag.objects.create(
         team=self.team, filters=everyone_filter, key="default-flag", created_by=self.user
     )
     payload = {
         "distinct_id": "example_id",
         "api_key": api_key.value,
         "project_id": self.team.id,
     }
     response = self._post_decide(payload).json()
     self.assertEqual(response["featureFlags"], ["test", "default-flag"])
 def test_body(self):
     """A key supplied as the ``personal_api_key`` request parameter authenticates the call."""
     api_key = PersonalAPIKey(label="Test", team=self.team, user=self.user)
     api_key.save()
     # NOTE(review): assuming self.client is the Django/DRF test client, the data
     # dict of a GET is encoded into the query string, so despite the test's name
     # no request body is sent here - confirm whether a body case is covered elsewhere.
     params = {"personal_api_key": api_key.value}
     response = self.client.get("/api/dashboard/", params)
     self.assertEqual(response.status_code, 200)
 def test_header_resilient(self):
     """Extra whitespace around the token in the Authorization header is tolerated."""
     api_key = PersonalAPIKey(label="Test", team=self.team, user=self.user)
     api_key.save()
     # Two spaces after "Bearer" and two trailing spaces, on purpose.
     sloppy_header = f"Bearer  {api_key.value}  "
     response = self.client.get("/api/dashboard/", HTTP_AUTHORIZATION=sloppy_header)
     self.assertEqual(response.status_code, 200)
 def test_user_endpoint(self):
     """A Bearer personal API key is accepted on ``/api/users/@me/``."""
     api_key = PersonalAPIKey(label="Test", user=self.user)
     api_key.save()
     bearer = f"Bearer {api_key.value}"
     response = self.client.get("/api/users/@me/", HTTP_AUTHORIZATION=bearer)
     self.assertEqual(response.status_code, status.HTTP_200_OK)