diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index 1deaa29cb..342de720e 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -8,7 +8,6 @@ class API::V2::BaseController < ApplicationController
   private
 
   def context
-    # new token
     if api_token.present?
       api_token.context
       # web interface (/graphql) give current_administrateur
@@ -18,12 +17,6 @@ class API::V2::BaseController < ApplicationController
         procedure_ids: current_administrateur.procedure_ids,
         write_access: true
       }
-      # old token
-    else
-      {
-        token: authorization_bearer_token,
-        write_access: true
-      }
     end
   end
 
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 3a3adf757..55eedd8a1 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -4,7 +4,7 @@ class APIController < ApplicationController
   protected
 
   def find_administrateur_for_token(procedure)
-    api_token = APIToken.find_and_verify(authorization_bearer_token, procedure.administrateurs)
+    api_token = APIToken.find_and_verify(authorization_bearer_token)
     if api_token.present? && api_token.context.fetch(:procedure_ids).include?(procedure.id)
       api_token.touch(:last_v1_authenticated_at)
       api_token.administrateur
diff --git a/app/graphql/api/v2/context.rb b/app/graphql/api/v2/context.rb
index 22ccb3162..824c9cd30 100644
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
@@ -75,20 +75,7 @@ class API::V2::Context < GraphQL::Query::Context
 
   def compute_demarche_authorization(demarche)
     # procedure_ids and token are passed from graphql controller
-    if self[:procedure_ids].present?
-      self[:procedure_ids].include?(demarche.id)
-    elsif self[:token].present?
-      token = APIToken.find_and_verify(self[:token], demarche.administrateurs)
-      if token.present?
-        token.touch(:last_v2_authenticated_at)
-        Current.user = token.administrateur.user
-        true
-      else
-        false
-      end
-    else
-      false
-    end
+    (self[:procedure_ids] || []).include?(demarche.id)
   end
 
   # This is a query AST visitor that we use to check
diff --git a/app/models/api_token.rb b/app/models/api_token.rb
index 4616969b8..7e5ded57a 100644
--- a/app/models/api_token.rb
+++ b/app/models/api_token.rb
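Review bot: The comment kept above the rewritten line, `# procedure_ids and token are passed from graphql controller`, is now stale: the base_controller hunk in this same diff drops `token:` from the context hash and the new body reads only `self[:procedure_ids]`. Suggest `# procedure_ids is set by API::V2::BaseController#context; without it no demarche is authorized`. The `|| []` fallback could also be written `Array(self[:procedure_ids]).include?(demarche.id)`, which reads as the same fail-closed default. The `touch(:last_v2_authenticated_at)` and `Current.user` side effects of the removed branch do not reappear anywhere in this diff; if they moved into the `api_token` path of the controller, that is outside these hunks and worth confirming.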
@@ -55,53 +55,13 @@ class APIToken < ApplicationRecord
     [api_token, packed_token]
   end
 
-  def find_and_verify(maybe_packed_token, administrateurs = [])
-    token = case unpack(maybe_packed_token)
-    in { plain_token:, id: } # token v3
-      find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
-    in { plain_token:, administrateur_id: } # token v2
-      # the migration to the APIToken model set `version: 1` for all the v1 and v2 token
-      # this is the only place where we can fix the version
-      where(administrateur_id:, version: 1).update_all(version: 2) # update to v2
-      find_by(administrateur_id:, version: 2)&.then(&ensure_valid_token(plain_token))
-    in { plain_token: } # token v1
-      where(administrateur: administrateurs, version: 1).find(&ensure_valid_token(plain_token))
-    end
-
-    # TODO:
-    # remove all the not v3 version code
-    # when everyone has migrated
-    # it should also be a good place in case we need to feature flag old token use
-    if token&.version == 3 || Rails.env.test?
-      token
-    else
-      nil
-    end
+  def find_and_verify(base64_packed_token)
+    id, plain_token = Base64.urlsafe_decode64(base64_packed_token).split(';')
+    find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
   end
 
   private
 
-  UUID_SIZE = SecureRandom.uuid.size
-  def unpack(maybe_packed_token)
-    case message_verifier.verified(maybe_packed_token)
-    in [administrateur_id, plain_token]
-      { plain_token:, administrateur_id: }
-    else
-      case Base64.urlsafe_decode64(maybe_packed_token).split(';')
-      in [id, plain_token] if id.size == UUID_SIZE # valid format ";"
-        { plain_token:, id: }
-      else
-        { plain_token: maybe_packed_token }
-      end
-    end
-  rescue
-    { plain_token: maybe_packed_token }
-  end
-
-  def message_verifier
-    Rails.application.message_verifier('api_v2_token')
-  end
-
   def ensure_valid_token(plain_token)
     -> (api_token) { api_token if BCrypt::Password.new(api_token.encrypted_token) == plain_token }
   end
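Review bot: The new `find_and_verify` body raises on anything that is not well-formed base64: `Base64.urlsafe_decode64` raises `ArgumentError` for input outside its alphabet, and a nil argument (a request carrying no bearer token, if `authorization_bearer_token` can be nil — it is defined outside this diff) fails with `NoMethodError` before any lookup. The removed `unpack` wrapped the same decode in a `rescue`, so callers such as `find_administrateur_for_token` in api_controller.rb and the `api_token` path behind `API::V2::BaseController#context` got nil and an authentication failure; now they get an exception and a server error, and a legacy v1/v2 token presented after the cut-over hits the same path. Treating a decode failure as an invalid token keeps the lookup fail-closed without surfacing a 500, and a guard on a payload that does not split into `id;plain_token` avoids a `find_by(id: nil, ...)` round trip. Rewritten method below; `private` and `ensure_valid_token` are unchanged.
```ruby
  def find_and_verify(base64_packed_token)
    return if base64_packed_token.blank?

    id, plain_token = Base64.urlsafe_decode64(base64_packed_token).split(';')
    return if id.blank? || plain_token.blank?

    find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
  rescue ArgumentError
    # not a base64-packed v3 token: authentication fails closed, it is not a server error
    nil
  end
```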