secu: block v1 and v2 api token
This commit is contained in:
parent
6cf9ea6459
commit
35052087b1
1 changed files with 11 additions and 1 deletions
@ -70,7 +70,7 @@ class APIToken < ApplicationRecord
|
|||
end
|
||||
|
||||
def find_and_verify(maybe_packed_token, administrateurs = [])
|
||||
case unpack(maybe_packed_token)
|
||||
token = case unpack(maybe_packed_token)
|
||||
in { plain_token:, id: } # token v3
|
||||
find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
|
||||
in { plain_token:, administrateur_id: } # token v2
|
||||
|
@ -81,6 +81,16 @@ class APIToken < ApplicationRecord
|
|||
in { plain_token: } # token v1
|
||||
where(administrateur: administrateurs, version: 1).find(&ensure_valid_token(plain_token))
|
||||
end
|
||||
|
||||
# TODO:
|
||||
# remove all the not v3 version code
|
||||
# when everyone has migrated
|
||||
# it should also be a good place in case we need to feature flag old token use
|
||||
if token&.version == 3 || Rails.env.test?
|
||||
token
|
||||
else
|
||||
nil
|
||||
end
|
||||
end
|
||||
|
||||
private
|
||||
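Review bot: The version gate added in the second hunk runs only after the v1/v2 branches have already queried the database and called ensure_valid_token, so a legacy token still costs a lookup and a hash check (plus whatever side effects ensure_valid_token has, which are not visible here) before being dropped, and the caller cannot distinguish a blocked legacy token from an invalid one. Either short-circuit before the lookup by matching only the v3 shape, or at least emit a log line when a verified v1/v2 token is discarded, so the remaining migration traffic and any attempted use of old tokens can be observed. The `Rails.env.test?` escape hatch also means the production behaviour (legacy tokens rejected) is never exercised by the test suite; the TODO's own idea of a feature flag or config setting would let tests cover both paths. Stylistically the trailing if/else reduces to a single line, `token if token&.version == 3 || Rails.env.test?`. find_and_verify opens in the first hunk and its v2 branch lies between the two hunks, outside what is shown.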