demarches-normaliennes/app/models/api_token.rb

class APIToken < ApplicationRecord
  include ActiveRecord::SecureToken

  belongs_to :administrateur, inverse_of: :api_tokens

  before_save :sanitize_targeted_procedure_ids

  def context
    {
      administrateur_id:,
      procedure_ids:,
      write_access:
    }
  end

  def procedure_ids
    if full_access?
      administrateur.procedures.ids
    else
      sanitized_targeted_procedure_ids
    end
  end

  def procedures
    Procedure.where(id: procedure_ids)
  end

  def full_access?
    targeted_procedure_ids.nil?
  end

  def targetable_procedures
    administrateur
      .procedures
      .where.not(id: targeted_procedure_ids)
      .select(:id, :libelle, :path)
      .order(:libelle)
  end

  def untarget_procedure(procedure_id)
    new_target_ids = targeted_procedure_ids - [procedure_id]

    update!(allowed_procedure_ids: new_target_ids)
  end

  def sanitized_targeted_procedure_ids
    administrateur.procedures.ids.intersection(targeted_procedure_ids || [])
  end

  def become_full_access!
    update_column(:allowed_procedure_ids, nil)
  end

  # Prefix is made of the first 6 characters of the uuid base64 encoded
  # it does not leak plain token
  def prefix
    Base64.urlsafe_encode64(id).slice(0, 5)
  end

  class << self
    def generate(administrateur)
      plain_token = generate_unique_secure_token
      encrypted_token = BCrypt::Password.create(plain_token)
      api_token = create!(administrateur:, encrypted_token:, name: Date.today.strftime('Jeton d’API généré le %d/%m/%Y'))
      bearer = BearerToken.new(api_token.id, plain_token)
      [api_token, bearer.to_string]
    end

    def authenticate(bearer_string)
      bearer = BearerToken.from_string(bearer_string)

      return if bearer.nil?

      api_token = find_by(id: bearer.api_token_id, version: 3)

      return if api_token.nil?

      BCrypt::Password.new(api_token.encrypted_token) == bearer.plain_token ? api_token : nil
    end
  end

  private

  def sanitize_targeted_procedure_ids
    if targeted_procedure_ids.present?
      write_attribute(:allowed_procedure_ids, sanitized_targeted_procedure_ids)
    end
  end

  def targeted_procedure_ids
    read_attribute(:allowed_procedure_ids)
  end

  class BearerToken < Data.define(:api_token_id, :plain_token)
    def to_string
      Base64.urlsafe_encode64([api_token_id, plain_token].join(';'))
    end

    def self.from_string(bearer_token)
      return if bearer_token.nil?

      api_token_id, plain_token = Base64.urlsafe_decode64(bearer_token).split(';')
      BearerToken.new(api_token_id, plain_token)
    rescue ArgumentError
    end
  end
end
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
+								class APIToken < ApplicationRecord
 								  include ActiveRecord::SecureToken
-												feat(graphql): new tokens should carry administrateur_id

											
										
										
											2022-09-28 12:40:44 +02:00
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
+								  belongs_to :administrateur, inverse_of: :api_tokens
-												feat(api_token): add allowed_procedure_ids and write_access

											
										
										
											2023-02-13 14:57:51 +01:00
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  before_save :sanitize_targeted_procedure_ids
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
-												feat(api_token): add allowed_procedure_ids and write_access

											
										
										
											2023-02-13 14:57:51 +01:00
+								  def context
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								    {
 								      administrateur_id:,
 								      procedure_ids:,
 								      write_access:
 								    }
 								  end
-												feat(api_token): add allowed_procedure_ids and write_access

											
										
										
											2023-02-13 14:57:51 +01:00
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  def procedure_ids
-												feat(api_token): add allowed_procedure_ids and write_access

											
										
										
											2023-02-13 14:57:51 +01:00
+								    if full_access?
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								      administrateur.procedures.ids
-												feat(api_token): add allowed_procedure_ids and write_access

											
										
										
											2023-02-13 14:57:51 +01:00
+								    else
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								      sanitized_targeted_procedure_ids
-												feat(api_token): add allowed_procedure_ids and write_access

											
										
										
											2023-02-13 14:57:51 +01:00
+								    end
 								  end
-												feat(graphql): new tokens should carry administrateur_id

											
										
										
											2022-09-28 12:40:44 +02:00
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  def procedures
 								    Procedure.where(id: procedure_ids)
 								  end
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
+								  def full_access?
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								    targeted_procedure_ids.nil?
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
+								  end
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  def targetable_procedures
 								    administrateur
 								      .procedures
 								      .where.not(id: targeted_procedure_ids)
 								      .select(:id, :libelle, :path)
 								      .order(:libelle)
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
+								  end
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  def untarget_procedure(procedure_id)
 								    new_target_ids = targeted_procedure_ids - [procedure_id]
 								    update!(allowed_procedure_ids: new_target_ids)
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
+								  end
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  def sanitized_targeted_procedure_ids
 								    administrateur.procedures.ids.intersection(targeted_procedure_ids || [])
 								  end
 								  def become_full_access!
 								    update_column(:allowed_procedure_ids, nil)
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
+								  end
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
+								  # Prefix is made of the first 6 characters of the uuid base64 encoded
 								  # it does not leak plain token
 								  def prefix
 								    Base64.urlsafe_encode64(id).slice(0, 5)
-												feat(graphql): new tokens should carry administrateur_id

											
										
										
											2022-09-28 12:40:44 +02:00
+								  end
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
+								  class << self
 								    def generate(administrateur)
 								      plain_token = generate_unique_secure_token
 								      encrypted_token = BCrypt::Password.create(plain_token)
 								      api_token = create!(administrateur:, encrypted_token:, name: Date.today.strftime('Jeton d’API généré le %d/%m/%Y'))
-												introduce token bearer

											
										
										
											2023-08-03 12:04:08 +02:00
+								      bearer = BearerToken.new(api_token.id, plain_token)
 								      [api_token, bearer.to_string]
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
+								    end
-												feat(graphql): new tokens should carry administrateur_id

											
										
										
											2022-09-28 12:40:44 +02:00
-												rename find_and_verify => authenticate

											
										
										
											2023-08-03 15:27:33 +02:00
+								    def authenticate(bearer_string)
-												introduce token bearer

											
										
										
											2023-08-03 12:04:08 +02:00
+								      bearer = BearerToken.from_string(bearer_string)
 								      return if bearer.nil?
 								      api_token = find_by(id: bearer.api_token_id, version: 3)
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
-												introduce token bearer

											
										
										
											2023-08-03 12:04:08 +02:00
+								      return if api_token.nil?
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
-												introduce token bearer

											
										
										
											2023-08-03 12:04:08 +02:00
+								      BCrypt::Password.new(api_token.encrypted_token) == bearer.plain_token ? api_token : nil
-												feat(api_token): add APIToken model

											
										
										
											2022-11-30 10:06:33 +01:00
+								    end
-												feat(graphql): new tokens should carry administrateur_id

											
										
										
											2022-09-28 12:40:44 +02:00
+								  end
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
 								  private
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  def sanitize_targeted_procedure_ids
 								    if targeted_procedure_ids.present?
 								      write_attribute(:allowed_procedure_ids, sanitized_targeted_procedure_ids)
-												feat(api_token): enable fin graned access rights on tokens

											
										
										
											2023-02-28 16:33:22 +01:00
+								    end
 								  end
-												introduce token bearer

											
										
										
											2023-08-03 12:04:08 +02:00
-												refactor of api_token

											
										
										
											2023-08-03 17:53:34 +02:00
+								  def targeted_procedure_ids
 								    read_attribute(:allowed_procedure_ids)
 								  end
-												introduce token bearer

											
										
										
											2023-08-03 12:04:08 +02:00
+								  class BearerToken < Data.define(:api_token_id, :plain_token)
 								    def to_string
 								      Base64.urlsafe_encode64([api_token_id, plain_token].join(';'))
 								    end
 								    def self.from_string(bearer_token)
 								      return if bearer_token.nil?
 								      api_token_id, plain_token = Base64.urlsafe_decode64(bearer_token).split(';')
 								      BearerToken.new(api_token_id, plain_token)
 								    rescue ArgumentError
 								    end
 								  end
-												feat(graphql): new tokens should carry administrateur_id

											
										
										
											2022-09-28 12:40:44 +02:00
+								end