Module: Spree::Api::V3::ApiKeyAuthentication

Extended by:
ActiveSupport::Concern
Included in:
BaseController
Defined in:
app/controllers/concerns/spree/api/v3/api_key_authentication.rb


Instance Method Details

#authenticate_api_key! ⇒ Boolean

Authenticates a publishable API key (pk_*) for Store API requests. Looks up the key by plaintext token scoped to the current store.

Returns:

  • (Boolean)

    true if authentication succeeded, false otherwise



# File 'app/controllers/concerns/spree/api/v3/api_key_authentication.rb', line 18

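# Authenticates a publishable API key (pk_*) for Store API requests.
#
# The value returned by +extract_api_key+ is matched by its plaintext token
# against the active, publishable keys of +current_store+. On success the key
# is stored in +@current_api_key+ and passed to +touch_api_key_if_needed+.
# On failure a 401 error is rendered with the +invalid_token+ code.
#
# @return [Boolean] true if authentication succeeded, false otherwise
def authenticate_api_key!
  token = extract_api_key

  # Only a non-blank String reaches the query. With ActiveRecord,
  # find_by(token: nil) is an IS NULL match and an Array becomes an IN list;
  # neither should ever be able to authenticate a request.
  # NOTE(review): assumes extract_api_key yields a String for a well-formed
  # request - confirm against its definition.
  @current_api_key =
    if token.is_a?(String) && !token.strip.empty?
      current_store.api_keys.active.publishable.find_by(token: token)
    end

  unless @current_api_key
    # Same response for a missing, malformed, unknown, inactive or
    # foreign-store key, so the caller learns nothing about which case applied.
    render_error(
      code: ErrorHandler::ERROR_CODES[:invalid_token],
      message: 'Valid API key required',
      status: :unauthorized
    )
    return false
  end

  touch_api_key_if_needed(@current_api_key)
  true
end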

#authenticate_secret_key! ⇒ Boolean

Authenticates a secret API key (sk_*) for Admin API requests. Computes the HMAC-SHA256 digest of the provided token and looks up by token_digest, then verifies it belongs to the current store.

Returns:

  • (Boolean)

    true if authentication succeeded, false otherwise



# File 'app/controllers/concerns/spree/api/v3/api_key_authentication.rb', line 39

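# Authenticates a secret API key (sk_*) for Admin API requests.
#
# The lookup is delegated to +Spree::ApiKey.find_by_secret_token+ (not shown
# here; documented as an HMAC-SHA256 digest match on +token_digest+). A key
# that belongs to a different store than +current_store+ is treated as not
# found. On failure a 401 error is rendered with the +invalid_token+ code.
#
# @return [Boolean] true if authentication succeeded, false otherwise
def authenticate_secret_key!
  token = extract_api_key

  # Only a non-blank String is handed to the lookup, so a missing or
  # malformed credential ends in the 401 below instead of depending on how
  # the lookup helper treats nil or non-String input.
  # NOTE(review): confirm find_by_secret_token excludes revoked or expired
  # keys; the publishable path applies the `active` scope explicitly and no
  # such filter is visible on this path.
  candidate =
    if token.is_a?(String) && !token.strip.empty?
      Spree::ApiKey.find_by_secret_token(token)
    end

  # Tenant isolation: a valid secret key of another store must not
  # authenticate against this one.
  @current_api_key = candidate && candidate.store_id == current_store.id ? candidate : nil

  unless @current_api_key
    # One response for every failure mode, including the foreign-store case,
    # so the reply does not reveal that the key exists elsewhere.
    render_error(
      code: ErrorHandler::ERROR_CODES[:invalid_token],
      message: 'Valid secret API key required',
      status: :unauthorized
    )
    return false
  end

  touch_api_key_if_needed(@current_api_key)
  true
end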