Merge pull request #8469 from mfo/US/token_enhancement

Us/token enhancement
This commit is contained in:
mfo 2023-01-19 18:17:24 +01:00 committed by GitHub
commit 6e4c164e5b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 32 additions and 4 deletions

View file

@ -10,7 +10,7 @@ class API::V2::BaseController < ApplicationController
def context
# new token
if api_token.present?
{ token: authorization_bearer_token, administrateur_id: api_token.administrateur.id }
{ administrateur_id: api_token.administrateur.id }
# web interface (/graphql) give current_administrateur
elsif current_administrateur.present?
{ administrateur_id: current_administrateur.id }

View file

@ -34,10 +34,10 @@ class API::V2::Context < GraphQL::Query::Context
# We are caching authorization logic because it is called for each node
# of the requested graph and can be expensive. Context is reset per request so it is safe.
self[:authorized] ||= Hash.new do |hash, demarche_id|
hash[demarche_id] = if self[:token]
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
elsif self[:administrateur_id]
hash[demarche_id] = if self[:administrateur_id]
demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
elsif self[:token]
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
end
end

View file

@ -151,6 +151,34 @@ describe API::V2::GraphqlController do
}
end
context "when the token does not belong to an admin of the procedure" do
let(:another_administrateur) { create(:administrateur) }
let(:token_v3) { APIToken.generate(another_administrateur)[1] }
let(:plain_token) { APIToken.send(:unpack, token_v3)[:plain_token] }
before do
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token)
end
context 'v3' do
let(:token) { token_v3 }
it {
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
}
end
context 'v2' do
let(:token) { APIToken.send(:message_verifier).generate([another_administrateur.id, plain_token]) }
it {
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
}
end
context 'v1' do
let(:token) { plain_token }
it {
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
}
end
end
context "when the token is revoked" do
before do
admin.api_tokens.destroy_all