- Remove unused create_stripe_session method from TicketsController
- Replace hardcoded API key with environment variable for security
- Fix typo in ApplicationHelper comment
- Improve User model validation constraints for better UX
- Add comprehensive YARD-style documentation across models, controllers, services, and helpers
- Enhance error handling in cleanup jobs with proper exception handling
- Suppress Prawn font warnings in PDF generator
- Update refactoring summary with complete change documentation

All tests pass (200 tests, 454 assertions, 0 failures)
RuboCop style issues resolved automatically

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
27 lines
972 B
Ruby
Executable File
# Base controller for API endpoints
# Provides authentication and common functionality for API controllers
class ApiController < ApplicationController
  # API requests carry no CSRF token; :null_session serves an unverified request
  # with an empty session instead of raising, so authentication rests on the
  # API key check below rather than on the session cookie
  protect_from_forgery with: :null_session

  # Authenticate all API requests using the API key
  # Runs before every API action
  before_action :authenticate_api_key

  private

  # Authenticates API requests using the X-API-Key header or api_key parameter
  # Renders 401 Unauthorized if the key is missing, not configured, or invalid
  def authenticate_api_key
    # Extract API key from header or query parameter
    api_key = request.headers["X-API-Key"] || params[:api_key]

    # Expected key comes from encrypted credentials, falling back to the
    # API_KEY environment variable; it is never hardcoded in source
    expected_key = Rails.application.credentials.api_key || ENV["API_KEY"]

    # Fail closed: no configured key means no request is accepted
    unless expected_key.present? && api_key == expected_key
      render json: { error: "Unauthorized" }, status: :unauthorized
    end
  end
end
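The check above compares the presented key to the expected one with `==`, which returns as soon as the first differing byte is found, so response timing varies with how much of the key an unauthenticated caller got right. The following is an added example, not code from this repository: a Rails-free model of the same `authenticate_api_key` logic (header first, then `api_key` parameter; credentials value first, then `API_KEY` from the environment; fail closed when nothing is configured) with the comparison replaced by a constant-time one. The `ApiKeyAuth` module name, the `authenticate` return shape and the sample request hashes are constructed for this example.

```ruby
require "digest"

# Added example (not the repository's code): a Rails-free model of the
# ApiController#authenticate_api_key check, hardened with a constant-time
# comparison. Header and parameter names follow the controller; request
# headers and params are plain Hashes constructed for the example.
module ApiKeyAuth
  HEADER = "X-API-Key"

  # Compare two strings in time that does not depend on where they first
  # differ. Both sides are hashed first so the byte loop always runs over
  # equal-length inputs and the configured key's length is not revealed.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    da = Digest::SHA256.digest(a)
    db = Digest::SHA256.digest(b)
    diff = 0
    da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Mirrors the controller: credentials value first, then the API_KEY
  # environment variable; an empty or missing value counts as not configured.
  def self.expected_key(credentials_key: nil, env: ENV)
    key = credentials_key || env["API_KEY"]
    key.to_s.empty? ? nil : key
  end

  # Mirrors the controller: X-API-Key header first, then the api_key parameter.
  def self.presented_key(headers, params)
    headers[HEADER] || params[:api_key]
  end

  # Returns [status, body] in the shape the controller renders:
  # [200, nil] when the key matches, [401, { error: ... }] otherwise.
  # With no key configured every request is rejected (fail closed).
  def self.authenticate(headers:, params:, credentials_key: nil, env: ENV)
    expected = expected_key(credentials_key: credentials_key, env: env)
    presented = presented_key(headers, params)
    if expected && secure_compare(presented.to_s, expected)
      [200, nil]
    else
      [401, { error: "Unauthorized" }]
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample values; not a real key.
  env = { "API_KEY" => "example-key-not-real" }
  p ApiKeyAuth.authenticate(headers: { "X-API-Key" => "example-key-not-real" }, params: {}, env: env)
  p ApiKeyAuth.authenticate(headers: {}, params: { api_key: "wrong" }, env: env)
  p ApiKeyAuth.authenticate(headers: { "X-API-Key" => "anything" }, params: {}, env: {})
end
```

Inside the Rails controller itself the equivalent change is a one-liner: `ActiveSupport::SecurityUtils.secure_compare(api_key.to_s, expected_key)` in place of `api_key == expected_key`, keeping the `expected_key.present?` guard so an unconfigured deployment still rejects every request.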