From 7206f1b29882d800bf310b301395f88297f32be6 Mon Sep 17 00:00:00 2001
From: Martin
Date: Thu, 19 Jan 2023 17:33:19 +0100
Subject: [PATCH 1/3] bug(api): token, not checked
---
 spec/controllers/api/v2/graphql_controller_spec.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/spec/controllers/api/v2/graphql_controller_spec.rb b/spec/controllers/api/v2/graphql_controller_spec.rb
index f51609339..9f46cd85c 100644
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
@@ -151,6 +151,17 @@ describe API::V2::GraphqlController do
 }
 end
 
+ context "when the does not belong to an admin of the procedure" do
+ let(:another_administrateur) { create(:administrateur) }
+ before do
+ request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(APIToken.generate(another_administrateur)[1])
+ end
+
+ it {
+ expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+ }
+ end
+
 context "when the token is revoked" do
 before do
 admin.api_tokens.destroy_all
From 52380d5249879ee46208a257bd6b714614ff6a41 Mon Sep 17 00:00:00 2001
From: Martin
Date: Thu, 19 Jan 2023 17:40:19 +0100
Subject: [PATCH 2/3] fix(api): on fixe avec avec des tests le prob de token
---
 app/graphql/api/v2/context.rb | 6 ++---
 .../api/v2/graphql_controller_spec.rb | 27 +++++++++++++++----
 2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/app/graphql/api/v2/context.rb b/app/graphql/api/v2/context.rb
index b555453ab..c5c82678d 100644
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
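Review bot: The new example only asserts that the first GraphQL error carries the permission message; it does not assert that no demarche data was returned next to that error, which is the property the "token, not checked" bug actually violates, since a GraphQL response can carry errors and partial data at the same time. Adding an expectation that the demarche payload in the response is nil would make the spec fail on a data leak even when an error is also reported. `gql_errors` is defined outside the hunk; if it can be empty, `gql_errors.first[:message]` fails with a NoMethodError on nil instead of a readable expectation message, so `expect(gql_errors).to include(hash_including(message: "An object of type Demarche was hidden due to permissions"))` would report more clearly.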
@@ -34,10 +34,10 @@ class API::V2::Context < GraphQL::Query::Context
 # We are caching authorization logic because it is called for each node
 # of the requested graph and can be expensive. Context is reset per request so it is safe.
 self[:authorized] ||= Hash.new do |hash, demarche_id|
- hash[demarche_id] = if self[:token]
- APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
- elsif self[:administrateur_id]
+ hash[demarche_id] = if self[:administrateur_id]
 demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
+ elsif self[:token]
+ APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
 end
 end
 
diff --git a/spec/controllers/api/v2/graphql_controller_spec.rb b/spec/controllers/api/v2/graphql_controller_spec.rb
index 9f46cd85c..8ffa5829b 100644
--- a/spec/controllers/api/v2/graphql_controller_spec.rb
+++ b/spec/controllers/api/v2/graphql_controller_spec.rb
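Review bot: The reordered branches still run inside a `Hash.new` default block that reads `demarche` from the enclosing scope instead of the `demarche_id` it is keyed by, and `||=` creates that block once per request; if `demarche` is a parameter of the enclosing method (its definition starts before the hunk), a later lookup for a different demarche in the same request is evaluated against the administrateurs of the first demarche seen, so an administrateur could be authorized or denied for the wrong demarche. Memoizing per key with a plain hash and `key?` keeps the one-computation-per-demarche behaviour the comment asks for without the stale closure; the excerpt below assumes the enclosing method returns `self[:authorized][demarche.id]` afterwards, which is outside the hunk. Separately, once PATCH 3/3 stops passing `token:` from `API::V2::BaseController#context`, the `elsif self[:token]` branch is unreachable from that controller; either drop it or mark it with `# only reached by callers that set :token without :administrateur_id` so nobody assumes it still guards API-token requests.
```ruby
    self[:authorized] ||= {}
    unless self[:authorized].key?(demarche.id)
      self[:authorized][demarche.id] = if self[:administrateur_id]
        demarche.administrateurs.map(&:id).include?(self[:administrateur_id])
      elsif self[:token]
        APIToken.find_and_verify(self[:token], demarche.administrateurs).present?
      end
    end
```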
@@ -151,15 +151,32 @@ describe API::V2::GraphqlController do
 }
 end
 
- context "when the does not belong to an admin of the procedure" do
+ context "when the token does not belong to an admin of the procedure" do
 let(:another_administrateur) { create(:administrateur) }
+ let(:token_v3) { APIToken.generate(another_administrateur)[1] }
+ let(:plain_token) { APIToken.send(:unpack, token_v3)[:plain_token] }
 before do
- request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(APIToken.generate(another_administrateur)[1])
+ request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Token.encode_credentials(token)
 end
 
- it {
- expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
- }
+ context 'v3' do
+ let(:token) { token_v3 }
+ it {
+ expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+ }
+ end
+ context 'v2' do
+ let(:token) { APIToken.send(:message_verifier).generate([another_administrateur.id, plain_token]) }
+ it {
+ expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+ }
+ end
+ context 'v1' do
+ let(:token) { plain_token }
+ it {
+ expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions")
+ }
+ end
 end
 
 context "when the token is revoked" do
From ffd6a1061849b0bec3dd9e6de79d591a5365cb6c Mon Sep 17 00:00:00 2001
From: Martin
Date: Thu, 19 Jan 2023 18:09:38 +0100
Subject: [PATCH 3/3] clean(api/v2/base_controller): remove potential confusion
---
 app/controllers/api/v2/base_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index d8a172c3d..90240acfd 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
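Review bot: The three new contexts 'v3', 'v2' and 'v1' repeat the same `it` block verbatim, so a future change to the expected message or to the assertion (for instance also checking that no demarche data is returned) has to be made three times; a `shared_examples` block plus `it_behaves_like` in each context keeps the token-format variation and states the expectation once. The `let(:plain_token)` and the 'v2' `let(:token)` also reach private `APIToken` internals through `send(:unpack, …)` and `send(:message_verifier)`, which ties the spec to those helper names without the compiler or visibility telling anyone when they change; if the legacy formats are meant to stay supported, a small public test helper on `APIToken` that builds a v1/v2 credential would make that contract explicit. What `unpack` returns under `:plain_token` is not visible in the hunk, so the 'v1' case relies on that helper's shape.
```ruby
      shared_examples "a token rejected for the demarche" do
        it { expect(gql_errors.first[:message]).to eq("An object of type Demarche was hidden due to permissions") }
      end

      context 'v3' do
        let(:token) { token_v3 }
        it_behaves_like "a token rejected for the demarche"
      end
      # … unchanged: the 'v2' and 'v1' contexts, each replacing its it block with it_behaves_like …
```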
@@ -10,7 +10,7 @@ class API::V2::BaseController < ApplicationController
 def context
 # new token
 if api_token.present?
- { token: authorization_bearer_token, administrateur_id: api_token.administrateur.id }
+ { administrateur_id: api_token.administrateur.id }
 # web interface (/graphql) give current_administrateur
 elsif current_administrateur.present?
 { administrateur_id: current_administrateur.id }
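Review bot: With `token:` removed, the authorization decision for API-token requests now rests entirely on `api_token.administrateur.id`, so the new line depends on `api_token` (defined outside the hunk) being nil for any bearer token that fails verification or has been revoked; `api_token.present?` presumably already guarantees that, but nothing in this method says so. A comment on the branch such as `# api_token is only present once the bearer token has been verified; authorization is then by owner id` would make that dependency explicit for the next reader, adjusted to what the helper actually checks. The existing `# new token` comment is also ambiguous now that the token itself is no longer passed along; `# API token (bearer) authentication` describes the branch more clearly.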