Merge pull request #7765 from tchak/feat-improuve-api-token

feat(graphql): new tokens should carry administrateur_id
This commit is contained in:
Paul Chavard 2022-09-29 12:26:19 +02:00 committed by GitHub
commit 16d19f7b32
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 93 additions and 16 deletions

View file

@ -1,16 +1,26 @@
class API::V2::BaseController < ApplicationController
protect_from_forgery with: :null_session
# Disable forgery protection for API controllers when the request is authenticated
# with a bearer token. Otherwise the session will be nullified and we'll lose curent_user
protect_from_forgery with: :null_session, unless: :token?
skip_before_action :setup_tracking
prepend_before_action :authenticate_administrateur_from_token
private
def context
{
administrateur_id: current_administrateur&.id,
token: authorization_bearer_token
}
if api_token.administrateur?
{ administrateur_id: api_token.administrateur_id }
else
{ token: api_token.token }
end
end
def token?
authorization_bearer_token.present?
end
def authorization_bearer_token
@authorization_bearer_token ||= begin
received_token = nil
authenticate_with_http_token do |token, _options|
received_token = token
@ -18,3 +28,17 @@ class API::V2::BaseController < ApplicationController
received_token
end
end
def authenticate_administrateur_from_token
if api_token.administrateur?
administrateur = Administrateur.includes(:user).find_by(id: api_token.administrateur_id)
if administrateur.valid_api_token?(api_token.token)
@current_user = administrateur.user
end
end
end
def api_token
@api_token ||= APIToken.new(authorization_bearer_token)
end
end

View file

@ -5,7 +5,7 @@ class APIController < ApplicationController
def find_administrateur_for_token(procedure)
procedure.administrateurs.find do |administrateur|
administrateur.valid_api_token?(token)
administrateur.valid_api_token?(api_token.token)
end
end
@ -15,7 +15,11 @@ class APIController < ApplicationController
request.format = "json" if !request.params[:format]
end
def token
def api_token
@api_token ||= APIToken.new(authorization_bearer_token)
end
def authorization_bearer_token
params_token.presence || header_token
end

View file

@ -263,7 +263,13 @@ class ApplicationController < ActionController::Base
end
def sentry_user
{ id: user_signed_in? ? "User##{current_user.id}" : 'Guest' }
if user_signed_in?
{ id: "User##{current_user.id}" }
elsif administrateur_signed_in?
{ id: "Administrateur##{current_administrateur.id}" }
else
{ id: 'Guest' }
end
end
def sentry_config

View file

@ -54,7 +54,7 @@ class Administrateur < ApplicationRecord
api_token = Administrateur.generate_unique_secure_token
encrypted_token = BCrypt::Password.create(api_token)
update(encrypted_token: encrypted_token)
api_token
APIToken.signe(id, api_token)
end
def valid_api_token?(api_token)

27
app/models/api_token.rb Normal file
View file

@ -0,0 +1,27 @@
class APIToken
attr_reader :administrateur_id, :token
def initialize(token)
@token = token
verify!
end
def administrateur?
administrateur_id.present?
end
def self.message_verifier
Rails.application.message_verifier('api_v2_token')
end
def self.signe(administrateur_id, token)
message_verifier.generate([administrateur_id, token])
end
private
def verify!
@administrateur_id, @token = self.class.message_verifier.verified(@token) || [nil, @token]
rescue
end
end

View file

@ -1,6 +1,7 @@
describe API::V2::GraphqlController do
let(:admin) { create(:administrateur) }
let(:token) { admin.renew_api_token }
let(:legacy_token) { APIToken.new(token).token }
let(:procedure) { create(:procedure, :published, :for_individual, :with_service, administrateurs: [admin]) }
let(:dossier) { create(:dossier, :en_construction, :with_individual, procedure: procedure) }
let(:dossier1) { create(:dossier, :en_construction, :with_individual, procedure: procedure, en_construction_at: 1.day.ago) }
@ -99,6 +100,19 @@ describe API::V2::GraphqlController do
subject { post :execute, params: { query: query } }
context "when authenticated with legacy token" do
let(:authorization_header) { ActionController::HttpAuthentication::Token.encode_credentials(legacy_token) }
before do
request.env['HTTP_AUTHORIZATION'] = authorization_header
end
it "returns the demarche" do
expect(gql_errors).to eq(nil)
expect(gql_data[:demarche][:id]).to eq(procedure.to_typed_id)
end
end
context "when authenticated" do
let(:authorization_header) { ActionController::HttpAuthentication::Token.encode_credentials(token) }

View file

@ -22,7 +22,7 @@ describe ApplicationController, type: :controller do
allow(@controller).to receive(:media_type).and_return('text/plain')
allow(@controller).to receive(:current_user).and_return(current_user)
expect(@controller).to receive(:current_instructeur).and_return(current_instructeur)
expect(@controller).to receive(:current_administrateur).and_return(current_administrateur)
expect(@controller).to receive(:current_administrateur).at_least(:once).and_return(current_administrateur)
expect(@controller).to receive(:current_super_admin).and_return(current_super_admin)
allow(Sentry).to receive(:set_user)

View file

@ -6,10 +6,12 @@ describe Administrateur, type: :model do
end
describe "#renew_api_token" do
let!(:administrateur) { create(:administrateur) }
let(:administrateur) { create(:administrateur) }
let!(:token) { administrateur.renew_api_token }
let(:encrypted_token) { BCrypt::Password.new(administrateur.encrypted_token) }
let(:base_token) { APIToken.new(token).token }
it { expect(BCrypt::Password.new(administrateur.encrypted_token)).to eq(token) }
it { expect(encrypted_token).to eq(base_token) }
context 'when it s called twice' do
let!(:new_token) { administrateur.renew_api_token }