discourse/lib/auth/default_current_user_provid...

require_dependency "auth/current_user_provider"
require_dependency "rate_limiter"

class Auth::DefaultCurrentUserProvider

  CURRENT_USER_KEY ||= "_DISCOURSE_CURRENT_USER".freeze
  API_KEY ||= "api_key".freeze
  USER_API_KEY ||= "HTTP_USER_API_KEY".freeze
  API_KEY_ENV ||= "_DISCOURSE_API".freeze
  TOKEN_COOKIE ||= "_t".freeze
  PATH_INFO ||= "PATH_INFO".freeze
  COOKIE_ATTEMPTS_PER_MIN ||= 10

  # do all current user initialization here
  def initialize(env)
    @env = env
    @request = Rack::Request.new(env)
  end

  # our current user, return nil if none is found
  def current_user
    return @env[CURRENT_USER_KEY] if @env.key?(CURRENT_USER_KEY)

    # bypass if we have the shared session header
    if shared_key = @env['HTTP_X_SHARED_SESSION_KEY']
      uid = $redis.get("shared_session_key_#{shared_key}")
      user = nil
      if uid
        user = User.find_by(id: uid.to_i)
      end
      @env[CURRENT_USER_KEY] = user
      return user
    end

    request = @request

    auth_token = request.cookies[TOKEN_COOKIE]

    current_user = nil

    if auth_token && auth_token.length == 32
      limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)

      if limiter.can_perform?
        current_user = User.where(auth_token: auth_token)
                         .where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
                                  SiteSetting.maximum_session_age.hours.ago)
                         .first
      end

      unless current_user
        begin
          limiter.performed!
        rescue RateLimiter::LimitExceeded
          raise Discourse::InvalidAccess
        end
      end
    end

    if current_user && (current_user.suspended? || !current_user.active)
      current_user = nil
    end

    if current_user && should_update_last_seen?
      u = current_user
      Scheduler::Defer.later "Updating Last Seen" do
        u.update_last_seen!
        u.update_ip_address!(request.ip)
      end
    end

    # possible we have an api call, impersonate
    if api_key = request[API_KEY]
      current_user = lookup_api_user(api_key, request)
      raise Discourse::InvalidAccess unless current_user
      @env[API_KEY_ENV] = true
    end

    # user api key handling
    if api_key = @env[USER_API_KEY]

      limiter_min = RateLimiter.new(nil, "user_api_min_#{api_key}", SiteSetting.max_user_api_reqs_per_minute, 60)
      limiter_day = RateLimiter.new(nil, "user_api_day_#{api_key}", SiteSetting.max_user_api_reqs_per_day, 86400)

      unless limiter_day.can_perform?
        limiter_day.performed!
      end

      unless  limiter_min.can_perform?
        limiter_min.performed!
      end

      current_user = lookup_user_api_user(api_key)
      raise Discourse::InvalidAccess unless current_user

      limiter_min.performed!
      limiter_day.performed!

      @env[API_KEY_ENV] = true
    end

    @env[CURRENT_USER_KEY] = current_user
  end

  def refresh_session(user, session, cookies)
    return if is_api?

    if user && (!user.auth_token_updated_at || user.auth_token_updated_at <= 1.hour.ago)
      user.update_column(:auth_token_updated_at, Time.zone.now)
      cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
    end
    if !user && cookies.key?(TOKEN_COOKIE)
      cookies.delete(TOKEN_COOKIE)
    end
  end

  def log_on_user(user, session, cookies)
    legit_token = user.auth_token && user.auth_token.length == 32
    expired_token = user.auth_token_updated_at && user.auth_token_updated_at < SiteSetting.maximum_session_age.hours.ago

    if !legit_token || expired_token
      user.update_columns(auth_token: SecureRandom.hex(16),
                          auth_token_updated_at: Time.zone.now)
    end

    cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
    make_developer_admin(user)
    enable_bootstrap_mode(user)
    @env[CURRENT_USER_KEY] = user
  end

  def make_developer_admin(user)
    if  user.active? &&
        !user.admin &&
        Rails.configuration.respond_to?(:developer_emails) &&
        Rails.configuration.developer_emails.include?(user.email)
      user.admin = true
      user.save
    end
  end

  def enable_bootstrap_mode(user)
    Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id) if user.admin && user.last_seen_at.nil? && !SiteSetting.bootstrap_mode_enabled && user.is_singular_admin?
  end

  def log_off_user(session, cookies)
    if SiteSetting.log_out_strict && (user = current_user)
      user.auth_token = nil
      user.save!

      if user.admin && defined?(Rack::MiniProfiler)
        # clear the profiling cookie to keep stuff tidy
        cookies.delete("__profilin")
      end

      user.logged_out
    end
    cookies.delete(TOKEN_COOKIE)
  end


  # api has special rights return true if api was detected
  def is_api?
    current_user
    @env[API_KEY_ENV]
  end

  def has_auth_cookie?
    cookie = @request.cookies[TOKEN_COOKIE]
    !cookie.nil? && cookie.length == 32
  end

  def should_update_last_seen?
    !(@request.path =~ /^\/message-bus\//)
  end

  protected

  WHITELISTED_WRITE_PATHS ||= [/^\/message-bus\/.*\/poll/, /^\/user-api-key\/revoke$/]
  def lookup_user_api_user(user_api_key)
    if api_key = UserApiKey.where(key: user_api_key, revoked_at: nil).includes(:user).first
      unless api_key.write
        if @env["REQUEST_METHOD"] != "GET"
          path = @env["PATH_INFO"]
          unless WHITELISTED_WRITE_PATHS.any?{|whitelisted| path =~ whitelisted}
            raise Discourse::InvalidAccess
          end
        end
      end

      api_key.user
    end
  end

  def lookup_api_user(api_key_value, request)
    if api_key = ApiKey.where(key: api_key_value).includes(:user).first
      api_username = request["api_username"]

      if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) }
        Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")
        return nil
      end

      if api_key.user
        api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase)
      elsif api_username
        User.find_by(username_lower: api_username.downcase)
      end
    end
  end

end
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`require_dependency "auth/current_user_provider"`
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid 2016-07-27 22:58:49 -04:00			`require_dependency "rate_limiter"`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00
			`class Auth::DefaultCurrentUserProvider`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`CURRENT_USER_KEY \|\|= "_DISCOURSE_CURRENT_USER".freeze`
			`API_KEY \|\|= "api_key".freeze`
tweak headers so they can be consumed 2016-08-18 00:38:33 -04:00			`USER_API_KEY \|\|= "HTTP_USER_API_KEY".freeze`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`API_KEY_ENV \|\|= "_DISCOURSE_API".freeze`
			`TOKEN_COOKIE \|\|= "_t".freeze`
			`PATH_INFO \|\|= "PATH_INFO".freeze`
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid 2016-07-27 22:58:49 -04:00			`COOKIE_ATTEMPTS_PER_MIN \|\|= 10`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00
			`# do all current user initialization here`
			`def initialize(env)`
			`@env = env`
			`@request = Rack::Request.new(env)`
			`end`

			`# our current user, return nil if none is found`
			`def current_user`
			`return @env[CURRENT_USER_KEY] if @env.key?(CURRENT_USER_KEY)`

FEATURE: allow long polling to go to a different url Added the site setting long_polling_base_url , this allows you to farm long polling to a different server. This setting is very important if a CDN is serving dynamic content. 2014-10-23 22:38:00 -04:00			`# bypass if we have the shared session header`
			`if shared_key = @env['HTTP_X_SHARED_SESSION_KEY']`
			`uid = $redis.get("shared_session_key_#{shared_key}")`
			`user = nil`
			`if uid`
			`user = User.find_by(id: uid.to_i)`
			`end`
			`@env[CURRENT_USER_KEY] = user`
			`return user`
			`end`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`request = @request`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00
			`auth_token = request.cookies[TOKEN_COOKIE]`

			`current_user = nil`

			`if auth_token && auth_token.length == 32`
SECURITY: do cookie auth rate limiting earlier 2016-08-08 20:02:18 -04:00			`limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)`

			`if limiter.can_perform?`
			`current_user = User.where(auth_token: auth_token)`
Revert "make upgrade a bit more seamless" This reverts commit 78b88a1633925a1551cf27732213b7f613634b4e. 2016-07-24 22:49:33 -04:00			`.where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',`
			`SiteSetting.maximum_session_age.hours.ago)`
			`.first`
SECURITY: do cookie auth rate limiting earlier 2016-08-08 20:02:18 -04:00			`end`
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid 2016-07-27 22:58:49 -04:00
			`unless current_user`
			`begin`
SECURITY: do cookie auth rate limiting earlier 2016-08-08 20:02:18 -04:00			`limiter.performed!`
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid 2016-07-27 22:58:49 -04:00			`rescue RateLimiter::LimitExceeded`
			`raise Discourse::InvalidAccess`
			`end`
			`end`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00			`if current_user && (current_user.suspended? \|\| !current_user.active)`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`current_user = nil`
			`end`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`if current_user && should_update_last_seen?`
FEATURE: add a simple queue Scheduler::Defer.later {} For quick jobs that do not need to be sent to sidekiq, runs inline in a single thread but does not block 2014-03-16 20:59:34 -04:00			`u = current_user`
Start passing more context to Discourse.handle_exception 2014-07-17 16:22:46 -04:00			`Scheduler::Defer.later "Updating Last Seen" do`
FEATURE: add a simple queue Scheduler::Defer.later {} For quick jobs that do not need to be sent to sidekiq, runs inline in a single thread but does not block 2014-03-16 20:59:34 -04:00			`u.update_last_seen!`
			`u.update_ip_address!(request.ip)`
			`end`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

			`# possible we have an api call, impersonate`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`if api_key = request[API_KEY]`
			`current_user = lookup_api_user(api_key, request)`
			`raise Discourse::InvalidAccess unless current_user`
			`@env[API_KEY_ENV] = true`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`# user api key handling`
			`if api_key = @env[USER_API_KEY]`

			`limiter_min = RateLimiter.new(nil, "user_api_min_#{api_key}", SiteSetting.max_user_api_reqs_per_minute, 60)`
			`limiter_day = RateLimiter.new(nil, "user_api_day_#{api_key}", SiteSetting.max_user_api_reqs_per_day, 86400)`

			`unless limiter_day.can_perform?`
FIX: incorrect error being raised 2016-08-25 20:38:46 -04:00			`limiter_day.performed!`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`end`

			`unless limiter_min.can_perform?`
FIX: incorrect error being raised 2016-08-25 20:38:46 -04:00			`limiter_min.performed!`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`end`

			`current_user = lookup_user_api_user(api_key)`
			`raise Discourse::InvalidAccess unless current_user`

			`limiter_min.performed!`
			`limiter_day.performed!`

			`@env[API_KEY_ENV] = true`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`@env[CURRENT_USER_KEY] = current_user`
			`end`

FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions. 2016-07-24 22:07:31 -04:00			`def refresh_session(user, session, cookies)`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`return if is_api?`

Revert "make upgrade a bit more seamless" This reverts commit 78b88a1633925a1551cf27732213b7f613634b4e. 2016-07-24 22:49:33 -04:00			`if user && (!user.auth_token_updated_at \|\| user.auth_token_updated_at <= 1.hour.ago)`
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions. 2016-07-24 22:07:31 -04:00			`user.update_column(:auth_token_updated_at, Time.zone.now)`
			`cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }`
			`end`
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid 2016-07-27 22:58:49 -04:00			`if !user && cookies.key?(TOKEN_COOKIE)`
			`cookies.delete(TOKEN_COOKIE)`
			`end`
FEATURE: refresh session cookie at most once an hour This feature ensures session cookie lifespan is extended when user is online. Also decreases session timeout from 90 to 60 days. Ensures all users (including logged on ones) get expiring sessions. 2016-07-24 22:07:31 -04:00			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`def log_on_user(user, session, cookies)`
FIX: don't expire old sessions when logging in 2016-07-25 21:37:41 -04:00			`legit_token = user.auth_token && user.auth_token.length == 32`
			`expired_token = user.auth_token_updated_at && user.auth_token_updated_at < SiteSetting.maximum_session_age.hours.ago`

			`if !legit_token \|\| expired_token`
			`user.update_columns(auth_token: SecureRandom.hex(16),`
			`auth_token_updated_at: Time.zone.now)`
			`end`

FEATURE: configure session time via site setting for all the users (#4343) 2016-07-22 17:27:30 -04:00			`cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }`
automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined 2013-11-01 19:25:43 -04:00			`make_developer_admin(user)`
FEATURE: new bootstrap mode settings for brand new Discourse community (#4193) * FEATURE: new bootstrap mode settings for brand new Discourse community * new SiteSetting.set_and_log method 2016-04-26 13:08:19 -04:00			`enable_bootstrap_mode(user)`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`@env[CURRENT_USER_KEY] = user`
			`end`

automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined 2013-11-01 19:25:43 -04:00			`def make_developer_admin(user)`
			`if user.active? &&`
			`!user.admin &&`
			`Rails.configuration.respond_to?(:developer_emails) &&`
			`Rails.configuration.developer_emails.include?(user.email)`
FEATURE: on initial boot hint users on how to get admin 2014-03-24 03:03:39 -04:00			`user.admin = true`
			`user.save`
automatically make developers admins on account creation, this solves the user #1 problem you can simply set the DEVELOPER_EMAILS to a comma delimited list and the users will be auto admined 2013-11-01 19:25:43 -04:00			`end`
			`end`

FEATURE: new bootstrap mode settings for brand new Discourse community (#4193) * FEATURE: new bootstrap mode settings for brand new Discourse community * new SiteSetting.set_and_log method 2016-04-26 13:08:19 -04:00			`def enable_bootstrap_mode(user)`
			`Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id) if user.admin && user.last_seen_at.nil? && !SiteSetting.bootstrap_mode_enabled && user.is_singular_admin?`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`def log_off_user(session, cookies)`
FEATURE: logging out logs you out everywhere can be disabled by changing the setting "log_out_strict" to false 2015-01-27 20:56:25 -05:00			`if SiteSetting.log_out_strict && (user = current_user)`
			`user.auth_token = nil`
			`user.save!`
clear mini profiler cookie when admin logs off 2016-05-18 03:27:54 -04:00
			`if user.admin && defined?(Rack::MiniProfiler)`
			`# clear the profiling cookie to keep stuff tidy`
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid 2016-07-27 22:58:49 -04:00			`cookies.delete("__profilin")`
clear mini profiler cookie when admin logs off 2016-05-18 03:27:54 -04:00			`end`

FEATURE: Add event trigger when a user is logged out. 2016-07-04 05:20:30 -04:00			`user.logged_out`
FEATURE: logging out logs you out everywhere can be disabled by changing the setting "log_out_strict" to false 2015-01-27 20:56:25 -05:00			`end`
SECURITY: limit bad cookie auth attempts - Also cleans up the _t cookie if it is invalid 2016-07-27 22:58:49 -04:00			`cookies.delete(TOKEN_COOKIE)`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`


			`# api has special rights return true if api was detected`
			`def is_api?`
			`current_user`
BUGFIX: missed a key rename BUGFIX: API spec not enabling CSRF 2014-05-22 18:42:58 -04:00			`@env[API_KEY_ENV]`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`

			`def has_auth_cookie?`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`cookie = @request.cookies[TOKEN_COOKIE]`
add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`!cookie.nil? && cookie.length == 32`
			`end`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00
			`def should_update_last_seen?`
			`!(@request.path =~ /^\/message-bus\//)`
			`end`

			`protected`

FEATURE: allow user api key revocation for read only keys 2016-09-02 02:57:41 -04:00			`WHITELISTED_WRITE_PATHS \|\|= [/^\/message-bus\/.*\/poll/, /^\/user-api-key\/revoke$/]`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`def lookup_user_api_user(user_api_key)`
FEATURE: basic UI to view user api keys 2016-08-16 03:06:33 -04:00			`if api_key = UserApiKey.where(key: user_api_key, revoked_at: nil).includes(:user).first`
FEATURE: allow user api key revocation for read only keys 2016-09-02 02:57:41 -04:00			`unless api_key.write`
			`if @env["REQUEST_METHOD"] != "GET"`
			`path = @env["PATH_INFO"]`
			`unless WHITELISTED_WRITE_PATHS.any?{\|whitelisted\| path =~ whitelisted}`
			`raise Discourse::InvalidAccess`
			`end`
			`end`
Feature: User API key support (server side implementation) - Supports throttled read and write - No support for push yet, but data is captured about intent 2016-08-15 03:58:33 -04:00			`end`

			`api_key.user`
			`end`
			`end`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`def lookup_api_user(api_key_value, request)`
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`if api_key = ApiKey.where(key: api_key_value).includes(:user).first`
Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`api_username = request["api_username"]`
FEATURE: allow restricting API keys to a particular range 2014-11-19 23:21:49 -05:00
FEATURE: sendgrid webhooks 2016-06-01 15:48:06 -04:00			`if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { \|ip\| ip.include?(request.ip) }`
			`Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")`
FEATURE: allow restricting API keys to a particular range 2014-11-19 23:21:49 -05:00			`return nil`
			`end`

Revert "Revert "BUGFIX: improve error messages for invalid API keys"" This reverts commit e9afe28586cd887b92fa86c52db78d543a70e433. 2014-05-22 18:13:25 -04:00			`if api_key.user`
			`api_key.user if !api_username \|\| (api_key.user.username_lower == api_username.downcase)`
			`elsif api_username`
			`User.find_by(username_lower: api_username.downcase)`
			`end`
			`end`
			`end`

add current_user_provider so people can override current_user bevior cleanly, see http://meta.discourse.org/t/amending-current-user-logic-in-discourse/10278 2013-10-09 00:10:37 -04:00			`end`