From 35052087b117f89d2b03da0012f3102af836594e Mon Sep 17 00:00:00 2001
From: simon lehericey
Date: Mon, 10 Jul 2023 15:25:02 +0200
Subject: [PATCH] secu: block v1 and v2 api token

---
 app/models/api_token.rb | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/app/models/api_token.rb b/app/models/api_token.rb
index f93e36d8e..a0e4a3ae5 100644
--- a/app/models/api_token.rb
+++ b/app/models/api_token.rb
@@ -70,7 +70,7 @@ class APIToken < ApplicationRecord
     end
 
     def find_and_verify(maybe_packed_token, administrateurs = [])
-      case unpack(maybe_packed_token)
+      token = case unpack(maybe_packed_token)
       in { plain_token:, id: } # token v3
         find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token))
       in { plain_token:, administrateur_id: } # token v2
@@ -81,6 +81,16 @@ class APIToken < ApplicationRecord
       in { plain_token: } # token v1
         where(administrateur: administrateurs, version: 1).find(&ensure_valid_token(plain_token))
       end
+
+      # TODO:
+      # remove all the not v3 version code
+      # when everyone has migrated
+      # it should also be a good place in case we need to feature flag old token use
+      if token&.version == 3 || Rails.env.test?
+        token
+      else
+        nil
+      end
     end
 
   private
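Review bot: The `Rails.env.test?` escape on the new `if` means the rejection of v1/v2 tokens is never exercised by the test suite, and `find_and_verify` behaves differently on a security check in test versus production; gating on an explicit setting that specs can flip, e.g. `if token&.version == 3 || <legacy-token-setting placeholder>`, keeps the block testable and is the feature flag the TODO comment already asks for. As written the v1 and v2 branches still run their full lookup and `ensure_valid_token` before the result is discarded, so any side effects of that helper (not visible here) would still occur for tokens that are then rejected; returning `nil` directly from those branches would avoid that. The `else nil end` is redundant and can be collapsed to `token if token&.version == 3 || Rails.env.test?`. The v2 branch body lies between the two hunks and is not shown.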