remove v1/v2 api token logic
This commit is contained in:
parent
4fa783fa80
commit
0b03ba4d68
4 changed files with 5 additions and 65 deletions
@ -8,7 +8,6 @@ class API::V2::BaseController < ApplicationController
|
|||
private
|
||||
|
||||
def context
|
||||
# new token
|
||||
if api_token.present?
|
||||
api_token.context
|
||||
# web interface (/graphql) give current_administrateur
|
||||
|
@ -18,12 +17,6 @@ class API::V2::BaseController < ApplicationController
|
|||
procedure_ids: current_administrateur.procedure_ids,
|
||||
write_access: true
|
||||
}
|
||||
# old token
|
||||
else
|
||||
{
|
||||
token: authorization_bearer_token,
|
||||
write_access: true
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
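Review bot: The `# new token` comment above `if api_token.present?` is stale now that the `# old token` branch has been removed — with a single token kind left it no longer distinguishes anything; suggest `# API token (v3) taken from the Authorization header` or simply dropping it. With the `else` gone, the `if`/`elsif` chain in `context` appears to have no fallback, so a request carrying an invalid bearer token and no administrateur session would make `context` return nil; whether the GraphQL controller tolerates a nil context is not visible here. The `elsif` line for the web-interface branch sits between the two hunks, and the enclosing class continues outside them.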
@ -4,7 +4,7 @@ class APIController < ApplicationController
|
|||
protected
|
||||
|
||||
def find_administrateur_for_token(procedure)
|
||||
api_token = APIToken.find_and_verify(authorization_bearer_token, procedure.administrateurs)
|
||||
api_token = APIToken.find_and_verify(authorization_bearer_token)
|
||||
if api_token.present? && api_token.context.fetch(:procedure_ids).include?(procedure.id)
|
||||
api_token.touch(:last_v1_authenticated_at)
|
||||
api_token.administrateur
|
||||
|
|
|
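Review bot: `api_token.context.fetch(:procedure_ids)` raises KeyError instead of denying access when a verified token's context lacks that key, whereas the GraphQL side in this same commit uses `(self[:procedure_ids] || [])` for the equivalent check; the two callers should agree on whether a missing key is a hard error. If the tolerant form is wanted, `Array(api_token.context[:procedure_ids]).include?(procedure.id)` keeps the authorization check while matching the GraphQL path. The new `find_and_verify` also no longer rescues malformed input (see the APIToken hunk), so an unparseable bearer token would surface here as an exception rather than a nil `api_token`. `find_administrateur_for_token` continues past the end of the hunk.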
@ -75,20 +75,7 @@ class API::V2::Context < GraphQL::Query::Context
|
|||
|
||||
def compute_demarche_authorization(demarche)
|
||||
# procedure_ids and token are passed from graphql controller
|
||||
if self[:procedure_ids].present?
|
||||
self[:procedure_ids].include?(demarche.id)
|
||||
elsif self[:token].present?
|
||||
token = APIToken.find_and_verify(self[:token], demarche.administrateurs)
|
||||
if token.present?
|
||||
token.touch(:last_v2_authenticated_at)
|
||||
Current.user = token.administrateur.user
|
||||
true
|
||||
else
|
||||
false
|
||||
end
|
||||
else
|
||||
false
|
||||
end
|
||||
(self[:procedure_ids] || []).include?(demarche.id)
|
||||
end
|
||||
|
||||
# This is a query AST visitor that we use to check
|
||||
|
|
|
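Review bot: The comment `# procedure_ids and token are passed from graphql controller` is now inaccurate, since the `token` branch is removed and only `procedure_ids` is read; suggest `# procedure_ids is set by the GraphQL controller from the verified API token or the administrateur session`. The removed branch also performed `token.touch(:last_v2_authenticated_at)` and `Current.user = token.administrateur.user`; if those side effects are not done wherever the context's `procedure_ids` is now built, this change drops them silently — that is not visible in this hunk. `compute_demarche_authorization` is fully within the hunk; the enclosing class continues outside it.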
@ -55,53 +55,13 @@ class APIToken < ApplicationRecord
|
|||
[api_token, packed_token]
|
||||
end
|
||||
|
||||
def find_and_verify(maybe_packed_token, administrateurs = [])
|
||||
token = case unpack(maybe_packed_token)
|
||||
in { plain_token:, id: } # token v3
|
||||
find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
|
||||
in { plain_token:, administrateur_id: } # token v2
|
||||
# the migration to the APIToken model set `version: 1` for all the v1 and v2 token
|
||||
# this is the only place where we can fix the version
|
||||
where(administrateur_id:, version: 1).update_all(version: 2) # update to v2
|
||||
find_by(administrateur_id:, version: 2)&.then(&ensure_valid_token(plain_token))
|
||||
in { plain_token: } # token v1
|
||||
where(administrateur: administrateurs, version: 1).find(&ensure_valid_token(plain_token))
|
||||
end
|
||||
|
||||
# TODO:
|
||||
# remove all the not v3 version code
|
||||
# when everyone has migrated
|
||||
# it should also be a good place in case we need to feature flag old token use
|
||||
if token&.version == 3 || Rails.env.test?
|
||||
token
|
||||
else
|
||||
nil
|
||||
end
|
||||
def find_and_verify(base64_packed_token)
|
||||
id, plain_token = Base64.urlsafe_decode64(base64_packed_token).split(';')
|
||||
find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
UUID_SIZE = SecureRandom.uuid.size
|
||||
def unpack(maybe_packed_token)
|
||||
case message_verifier.verified(maybe_packed_token)
|
||||
in [administrateur_id, plain_token]
|
||||
{ plain_token:, administrateur_id: }
|
||||
else
|
||||
case Base64.urlsafe_decode64(maybe_packed_token).split(';')
|
||||
in [id, plain_token] if id.size == UUID_SIZE # valid format "<uuid>;<random token>"
|
||||
{ plain_token:, id: }
|
||||
else
|
||||
{ plain_token: maybe_packed_token }
|
||||
end
|
||||
end
|
||||
rescue
|
||||
{ plain_token: maybe_packed_token }
|
||||
end
|
||||
|
||||
def message_verifier
|
||||
Rails.application.message_verifier('api_v2_token')
|
||||
end
|
||||
|
||||
def ensure_valid_token(plain_token)
|
||||
-> (api_token) { api_token if BCrypt::Password.new(api_token.encrypted_token) == plain_token }
|
||||
end
|
||||
|
|
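Review bot: The new `find_and_verify` has no error handling for the input it parses, while the removed `unpack` rescued and fell back to a plain token: `Base64.urlsafe_decode64` raises ArgumentError on malformed base64 and a nil bearer token raises NoMethodError inside the decode, so garbage in the Authorization header now raises out of the model instead of returning nil. Add a guard at the top, `return if base64_packed_token.blank?`, and a method-level `rescue ArgumentError` returning `nil`, so callers keep getting "not authenticated" rather than an exception. When the decoded string has no `;` separator, `plain_token` is nil and the bcrypt comparison in `ensure_valid_token` is expected to be falsy, which is acceptable but deserves a short comment on the `split(';')` line. The hunk appears to drop the `UUID_SIZE` constant and `message_verifier` along with `unpack`; confirm nothing else in the model references them.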