feat(api_token): api v2 use new token

2022-11-30 10:14:23 +01:00 · 2022-11-30 10:14:23 +01:00 · 52c8fc7e8d
commit 52c8fc7e8d
parent a47a056ee8
4 changed files with 27 additions and 30 deletions
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@ -8,15 +8,15 @@ class API::V2::BaseController < ApplicationController
  private

  def context
-    # new token give administrateur_id
-    if api_token.administrateur?
-      { administrateur_id: api_token.administrateur_id, token: api_token.token }
+    # new token
+    if api_token.present?
+      { token: authorization_bearer_token, administrateur_id: api_token.administrateur.id }
    # web interface (/graphql) give current_administrateur
    elsif current_administrateur.present?
      { administrateur_id: current_administrateur.id }
    # old token
    else
-      { token: api_token.token }
+      { token: authorization_bearer_token }
    end
  end

@ -24,6 +24,19 @@ class API::V2::BaseController < ApplicationController
    authorization_bearer_token.present?
  end

+  def authenticate_administrateur_from_token
+    if api_token.present?
+      @current_user = api_token.administrateur.user
+    end
+  end
+
+  def api_token
+    if @api_token.nil?
+      @api_token = APIToken.find_and_verify(authorization_bearer_token) || false
+    end
+    @api_token
+  end
+
  def authorization_bearer_token
    @authorization_bearer_token ||= begin
      received_token = nil
@ -33,17 +46,4 @@ class API::V2::BaseController < ApplicationController
      received_token
    end
  end
-
-  def authenticate_administrateur_from_token
-    if api_token.administrateur?
-      administrateur = Administrateur.includes(:user).find_by(id: api_token.administrateur_id)
-      if administrateur.valid_api_token?(api_token.token)
-        @current_user = administrateur.user
-      end
-    end
-  end
-
-  def api_token
-    @api_token ||= APIToken.new(authorization_bearer_token)
-  end
 end
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
@ -23,15 +23,11 @@ class API::V2::Context < GraphQL::Query::Context
    # We are caching authorization logic because it is called for each node
    # of the requested graph and can be expensive. Context is reset per request so it is safe.
    self[:authorized] ||= Hash.new do |hash, demarche_id|
-      # Compute the hash value dynamically when first requested
-      authorized_administrateur = demarche.administrateurs.find do |administrateur|
-        if self[:token]
-          administrateur.valid_api_token?(self[:token])
-        else
-          administrateur.id == self[:administrateur_id]
-        end
+      hash[demarche_id] = if self[:token]
+        APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
+      elsif self[:administrateur_id]
+        demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
      end
-      hash[demarche_id] = authorized_administrateur.present?
    end

    self[:authorized][demarche.id]
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@ -1,7 +1,7 @@
 describe API::V2::GraphqlController do
  let(:admin) { create(:administrateur) }
-  let(:token) { admin.renew_api_token }
-  let(:legacy_token) { APIToken.new(token).token }
+  let(:token) { APIToken.generate(admin)[1] }
+  let(:legacy_token) { APIToken.send(:unpack, token)[:plain_token] }
  let(:procedure) { create(:procedure, :published, :for_individual, :with_service, administrateurs: [admin]) }
  let(:dossier)  { create(:dossier, :en_construction, :with_individual, procedure: procedure) }
  let(:dossier1) { create(:dossier, :en_construction, :with_individual, procedure: procedure, en_construction_at: 1.day.ago) }
@ -108,6 +108,7 @@ describe API::V2::GraphqlController do

    before do
      request.env['HTTP_AUTHORIZATION'] = authorization_header
+      admin.api_tokens.first.update(version: 1)
    end

    it "returns the demarche" do
@ -141,7 +142,7 @@ describe API::V2::GraphqlController do

      context "when the token is revoked" do
        before do
-          admin.update(encrypted_token: nil)
+          admin.api_tokens.destroy_all
        end

        it {
--- a/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_stored_queries_spec.rb
@ -1,7 +1,7 @@
 describe API::V2::GraphqlController do
  let(:admin) { create(:administrateur) }
-  let(:token) { admin.renew_api_token }
-  let(:legacy_token) { APIToken.new(token).token }
+  let(:token) { APIToken.generate(admin)[1] }
+  let(:legacy_token) { APIToken.send(:unpack, token)[:plain_token] }
  let(:procedure) { create(:procedure, :published, :for_individual, :with_service, administrateurs: [admin]) }
  let(:dossier)  { create(:dossier, :en_construction, :with_individual, procedure: procedure) }
  let(:dossier1) { create(:dossier, :en_construction, :with_individual, procedure: procedure, en_construction_at: 1.day.ago) }