DGNum/demarches-normaliennes
13
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

secu: block v1 and v2 api token

Browse source
This commit is contained in:
simon lehericey 2023-07-10 15:25:02 +02:00
parent 6cf9ea6459
commit 35052087b1
1 changed files with 11 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

12
app/models/api_token.rb
View file

@ -70,7 +70,7 @@ class APIToken < ApplicationRecord
end end
def find_and_verify(maybe_packed_token, administrateurs = []) def find_and_verify(maybe_packed_token, administrateurs = [])
case unpack(maybe_packed_token) token = case unpack(maybe_packed_token)
in { plain_token:, id: } # token v3 in { plain_token:, id: } # token v3
find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token)) find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
in { plain_token:, administrateur_id: } # token v2 in { plain_token:, administrateur_id: } # token v2
@ -81,6 +81,16 @@ class APIToken < ApplicationRecord
in { plain_token: } # token v1 in { plain_token: } # token v1
where(administrateur: administrateurs, version: 1).find(&ensure_valid_token(plain_token)) where(administrateur: administrateurs, version: 1).find(&ensure_valid_token(plain_token))
end end
# TODO:
# remove all the not v3 version code
# when everyone has migrated
# it should also be a good place in case we need to feature flag old token use
if token&.version == 3 || Rails.env.test?
token
else
nil
end
end end
private private