From 4a04f2e59faea38c15929baf35ded2210faabfa5 Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Wed, 26 Sep 2018 15:39:45 +0200
Subject: [PATCH] ApiController: check token validity for a given admin

---
 app/controllers/api_controller.rb | 12 +++++
 app/models/administrateur.rb | 6 +++
 spec/controllers/api_controller_spec.rb | 67 +++++++++----------------
 3 files changed, 43 insertions(+), 42 deletions(-)

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index fde090daf..943080dec 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -16,6 +16,10 @@ class APIController < ApplicationController
 
   protected
 
+  def valid_token_for_administrateur?(administrateur)
+    administrateur.valid_api_token?(token)
+  end
+
   def default_format_json
     request.format = "json" if !request.params[:format]
   end
@@ -26,6 +30,10 @@ class APIController < ApplicationController
     end
   end
 
+  def token
+    params_token.presence || header_token
+  end
+
   def header_token
     received_token = nil
     authenticate_with_http_token do |token, _options|
@@ -33,4 +41,8 @@ class APIController < ApplicationController
     end
     received_token
   end
+
+  def params_token
+    params[:token]
+  end
 end
diff --git a/app/models/administrateur.rb b/app/models/administrateur.rb
index 5d32b093d..6b188a6f2 100644
--- a/app/models/administrateur.rb
+++ b/app/models/administrateur.rb
@@ -43,6 +43,12 @@ class Administrateur < ApplicationRecord
     api_token
   end
 
+  def valid_api_token?(api_token)
+    BCrypt::Password.new(encrypted_token) == api_token
+  rescue BCrypt::Errors::InvalidHash
+    false
+  end
+
   def registration_state
     if active?
       'Actif'
diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb
index 2060f3533..6898fe2cb 100644
--- a/spec/controllers/api_controller_spec.rb
+++ b/spec/controllers/api_controller_spec.rb
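Review bot: `valid_token_for_administrateur?` hands whatever `token` returns straight to the model, and `token` is nil when neither the `token` param nor the Authorization header is present, so the predicate relies on `Administrateur#valid_api_token?` treating a nil token as invalid rather than raising; the spec covers that path, but the contract deserves a comment here: `# True only when the request token (params first, then Authorization header) matches the bcrypt digest stored on +administrateur+; nil token => false.`. If `administrateur` can be nil at the call site (not visible in this diff), a `return false if administrateur.nil?` guard keeps a missing admin from surfacing as a NoMethodError/500 instead of a clean rejection. The enclosing class continues outside the hunk.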
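Review bot: `token` prefers `params_token` over `header_token`, so a token carried in the query string wins even when an Authorization header is also sent; query-string credentials end up in server and proxy access logs and in browser history, so if the param form is kept for compatibility it is worth a comment saying the header is the recommended transport and confirming `:token` is covered by `config.filter_parameters` so it does not land in the Rails log. The block parameter `|token, _options|` in `header_token` now shadows the new `token` method inside that block; renaming it, e.g. `authenticate_with_http_token do |received, _options|`, removes the ambiguity for the next reader. The same logging remark applies to the `params_token` accessor added in the following hunk, and `header_token` continues past the end of this hunk.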
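Review bot: `BCrypt::Password.new(encrypted_token) == api_token` depends on `BCrypt::Password#==` re-hashing the right-hand side, which is the intended use but reads like a plain string comparison; `BCrypt::Password.new(encrypted_token).is_password?(api_token)` expresses the same check without that ambiguity. The `rescue BCrypt::Errors::InvalidHash` turns an admin with no stored digest (nil or malformed `encrypted_token`) into `false`, which is the right fail-closed default and should be stated: `# An admin with no (or a malformed) stored digest has no valid token.`. As far as I recall bcrypt-ruby hashes `api_token.to_s`, so a nil token is compared as an empty string; that only matters if a digest of an empty string could ever be stored, which `renew_api_token` (outside this hunk) is presumably expected to rule out. A YARD `@param api_token [String, nil]` and `@return [Boolean]` pair would complete the method.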
@@ -1,55 +1,38 @@
 require 'spec_helper'
 
 describe APIController, type: :controller do
-  controller(APIController) do
-    def show
-      render json: {}, satus: 200
+  describe 'valid_token_for_administrateur?' do
+    let!(:admin) { create(:administrateur) }
+
+    subject { controller.send(:'valid_token_for_administrateur?', admin) }
+
+    context 'when the admin has not any token' do
+      context 'and the token is not given' do
+        it { is_expected.to be false }
+      end
     end
 
-    def index
-      render json: {}, satus: 200
-    end
-  end
+    context 'when the admin has a token' do
+      let!(:token) { admin.renew_api_token }
 
-  describe 'GET index' do
-    let!(:administrateur) { create(:administrateur) }
-    let!(:administrateur_with_token) { create(:administrateur, :with_api_token) }
+      context 'and the token is given by params' do
+        before { controller.params[:token] = token }
 
-    context 'when token is missing' do
-      subject { get :index }
-
-      it { expect(subject.status).to eq(401) }
-    end
-
-    context 'when token is empty' do
-      subject { get :index, params: { token: nil } }
-
-      it { expect(subject.status).to eq(401) }
-    end
-
-    context 'when token does not exist' do
-      let(:token) { 'invalid_token' }
-
-      subject { get :index, params: { token: token } }
-
-      it { expect(subject.status).to eq(401) }
-    end
-
-    context 'when token exist in the params' do
-      subject { get :index, params: { token: administrateur_with_token.api_token } }
-
-      it { expect(subject.status).to eq(200) }
-    end
-
-    context 'when token exist in the header' do
-      before do
-        valid_headers = { 'Authorization' => "Bearer token=#{administrateur_with_token.api_token}" }
-        request.headers.merge!(valid_headers)
+        it { is_expected.to be true }
       end
 
-      subject { get(:index) }
+      context 'and the token is given by header' do
+        before do
+          valid_headers = { 'Authorization' => "Bearer token=#{token}" }
+          request.headers.merge!(valid_headers)
+        end
 
-      it { expect(subject.status).to eq(200) }
+        it { is_expected.to be true }
+      end
+
+      context 'and the token is not given' do
+        it { is_expected.to be false }
+      end
     end
   end
 end
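Review bot: The new spec never exercises a mismatching token: every case with a stored token supplies the freshly renewed one, so an implementation that returned true for any non-nil string would still pass; add a context next to 'and the token is not given', e.g. `context 'and a different token is given' do before { controller.params[:token] = 'not-the-token' }; it { is_expected.to be false } end`. The removed 'when token does not exist' and 401 cases are not replaced by anything in this patch, so the HTTP-level rejection of an unauthenticated request is now covered only by controller code outside this diff, if at all. A case for an admin without a stored token who is nonetheless given a token is also missing, and that is the one path that reaches the `rescue BCrypt::Errors::InvalidHash` branch of `valid_api_token?`.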