demarches-normaliennes/app/controllers/api/v2/base_controller.rb

71 lines
2.2 KiB
Ruby
Raw Normal View History

2018-11-19 21:18:17 +01:00
class API::V2::BaseController < ApplicationController
# This controller is used for API v2 through api endpoint (/api/v2/graphql)
# and through the web interface (/graphql). When used through the web interface,
# we use connected administrateur to authenticate the request. We want CSRF protection
# for the web interface, but not for the API endpoint. :null_session means that when the
# request is not CSRF protected, we will not raise an exception,
# but we will provide the controller with an empty session.
protect_from_forgery with: :null_session
skip_before_action :setup_tracking
2023-08-03 15:38:51 +02:00
before_action :authenticate_from_token
before_action :ensure_authorized_network, if: -> { @api_token.present? }
before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
2018-11-19 21:18:17 +01:00
before_action do
Current.browser = 'api'
end
2018-11-19 21:18:17 +01:00
private
def context
2023-08-03 15:38:51 +02:00
if @api_token.present?
@api_token.context
# web interface (/graphql) give current_administrateur
elsif current_administrateur.present?
2023-08-03 16:33:30 +02:00
graphql_web_interface_context
else
unauthenticated_request_context
end
end
2023-08-03 16:33:30 +02:00
def graphql_web_interface_context
{
administrateur_id: current_administrateur.id,
procedure_ids: current_administrateur.procedure_ids,
write_access: true
}
end
def unauthenticated_request_context
{
administrateur_id: nil,
procedure_ids: [],
write_access: false
}
end
2023-08-03 15:38:51 +02:00
def authenticate_from_token
@api_token = authenticate_with_http_token { |t, _o| APIToken.authenticate(t) }
2022-11-30 10:14:23 +01:00
2023-08-03 15:38:51 +02:00
if @api_token.present?
@api_token.touch(:last_v2_authenticated_at)
2023-12-21 15:58:03 +01:00
@api_token.store_new_ip(request.remote_ip)
2023-08-03 15:38:51 +02:00
@current_user = @api_token.administrateur.user
Current.user = @current_user
end
end
def ensure_authorized_network
if @api_token.forbidden_network?(request.remote_ip)
address = IPAddr.new(request.remote_ip)
render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden
end
end
def ensure_token_is_not_expired
if @api_token.expired?
render json: { errors: ['token expired'] }, status: :unauthorized
end
end
2018-11-19 21:18:17 +01:00
end