Merge pull request #8469 from mfo/US/token_enhancement
Us/token enhancement
This commit is contained in:
commit
6e4c164e5b
3 changed files with 32 additions and 4 deletions
|
@ -10,7 +10,7 @@ class API::V2::BaseController < ApplicationController
|
|||
def context
|
||||
# new token
|
||||
if api_token.present?
|
||||
{ token: authorization_bearer_token, administrateur_id: api_token.administrateur.id }
|
||||
{ administrateur_id: api_token.administrateur.id }
|
||||
# web interface (/graphql) give current_administrateur
|
||||
elsif current_administrateur.present?
|
||||
{ administrateur_id: current_administrateur.id }
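Review bot: After this change the only thing the GraphQL context learns from an API token is `api_token.administrateur.id`, so every authorization decision downstream now rests on `api_token` having been fully verified before `context` is built; that helper is not in the hunk, and the `# new token` comment says nothing about the contract. Replace it with `# API token from the Authorization header: api_token is already verified when resolved, so expose only the admin id (never the raw bearer secret) to the GraphQL context`. Dropping `token:` also keeps the bearer secret out of the query context, where it could otherwise be serialized into error reports or logs, which deserves a sentence in the PR description. `def context` continues past the end of the hunk.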
|
||||
|
|
|
@ -34,10 +34,10 @@ class API::V2::Context < GraphQL::Query::Context
|
|||
# We are caching authorization logic because it is called for each node
|
||||
# of the requested graph and can be expensive. Context is reset per request so it is safe.
|
||||
self[:authorized] ||= Hash.new do |hash, demarche_id|
|
||||
hash[demarche_id] = if self[:token]
|
||||
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
|
||||
elsif self[:administrateur_id]
|
||||
hash[demarche_id] = if self[:administrateur_id]
|
||||
demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
|
||||
elsif self[:token]
|
||||
APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
|
||||
end
|
||||
end
|
||||
|
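Review bot: With the controller no longer placing `:token` in the context, the `elsif self[:token]` branch and its `APIToken.find_and_verify` call are reachable only from callers not shown in this PR; if there are none, it is dead code that still reads as a second authentication path and should be removed or its remaining caller named in a comment. Because `self[:administrateur_id]` is now checked first and wins, that key is the sole authorization input here, so a comment above `hash[demarche_id] = if self[:administrateur_id]` should pin the invariant: `# :administrateur_id is set only from a verified API token or the signed-in session (BaseController#context), never from client input`. The membership test `demarche.administrateurs.map(&:id).include?(self[:administrateur_id])` loads every administrateur of the demarche just to compare ids; if `administrateurs` is an ActiveRecord association, `demarche.administrateurs.exists?(id: self[:administrateur_id])` performs the same check in a single query. The enclosing method opens and closes outside the hunk.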
||||
|
|
|
@ -151,6 +151,34 @@ describe API::V2::GraphqlController do
|
|||
}
|
||||
end
|
||||
|
||||
context "when the token does not belong to an admin of the procedure" do
|
||||
let(:another_administrateur) { create(:administrateur) }
|
||||
let(:token_v3) { APIToken.generate(another_administrateur)[1] }
|
||||
let(:plain_token) { APIToken.send(:unpack, token_v3)[:plain_token] }
|
||||
before do
|
||||
request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token)
|
||||
end
|
||||
|
||||
context 'v3' do
|
||||
let(:token) { token_v3 }
|
||||
it {
|
||||
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
|
||||
}
|
||||
end
|
||||
context 'v2' do
|
||||
let(:token) { APIToken.send(:message_verifier).generate([another_administrateur.id, plain_token]) }
|
||||
it {
|
||||
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
|
||||
}
|
||||
end
|
||||
context 'v1' do
|
||||
let(:token) { plain_token }
|
||||
it {
|
||||
expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
|
||||
}
|
||||
end
|
||||
end
|
||||
|
||||
context "when the token is revoked" do
|
||||
before do
|
||||
admin.api_tokens.destroy_all
|
||||
|
|