feat(api_token): api v2 use new token

app/controllers/api/v2/base_controller.rb

@@ -8,15 +8,15 @@ class API::V2::BaseController < ApplicationController
   private
 
   def context
-    # new token give administrateur_id
-    if api_token.administrateur?
-      { administrateur_id: api_token.administrateur_id, token: api_token.token }
+    # new token
+    if api_token.present?
+      { token: authorization_bearer_token, administrateur_id: api_token.administrateur.id }
     # web interface (/graphql) give current_administrateur
     elsif current_administrateur.present?
       { administrateur_id: current_administrateur.id }
     # old token
     else
-      { token: api_token.token }
+      { token: authorization_bearer_token }
     end
   end
 
@@ -24,6 +24,19 @@ class API::V2::BaseController < ApplicationController
     authorization_bearer_token.present?
   end
 
+  def authenticate_administrateur_from_token
+    if api_token.present?
+      @current_user = api_token.administrateur.user
+    end
+  end
+
+  def api_token
+    if @api_token.nil?
+      @api_token = APIToken.find_and_verify(authorization_bearer_token) || false
+    end
+    @api_token
+  end
+
   def authorization_bearer_token
     @authorization_bearer_token ||= begin
       received_token = nil
@@ -33,17 +46,4 @@ class API::V2::BaseController < ApplicationController
       received_token
     end
   end
-
-  def authenticate_administrateur_from_token
-    if api_token.administrateur?
-      administrateur = Administrateur.includes(:user).find_by(id: api_token.administrateur_id)
-      if administrateur.valid_api_token?(api_token.token)
-        @current_user = administrateur.user
-      end
-    end
-  end
-
-  def api_token
-    @api_token ||= APIToken.new(authorization_bearer_token)
-  end
 end

app/graphql/api/v2/context.rb

@@ -23,15 +23,11 @@ class API::V2::Context < GraphQL::Query::Context
     # We are caching authorization logic because it is called for each node
     # of the requested graph and can be expensive. Context is reset per request so it is safe.
     self[:authorized] ||= Hash.new do |hash, demarche_id|
-      # Compute the hash value dynamically when first requested
-      authorized_administrateur = demarche.administrateurs.find do |administrateur|
-        if self[:token]
-          administrateur.valid_api_token?(self[:token])
-        else
-          administrateur.id == self[:administrateur_id]
-        end
+      hash[demarche_id] = if self[:token]
+        APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
+      elsif self[:administrateur_id]
+        demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
       end
-      hash[demarche_id] = authorized_administrateur.present?
     end
 
     self[:authorized][demarche.id]