DGNum/demarches-normaliennes
14
1
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

feature(api): add ensure_token_is_not_expired to api_controller v1 and v2

Browse source
This commit is contained in:
simon lehericey 2024-01-17 09:31:21 +01:00
parent 28e4e1be2e
commit 7e8555923f
5 changed files with 46 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
app/controllers/api/v2/base_controller.rb
View file

@ -3,6 +3,7 @@ class API::V2::BaseController < ApplicationController
skip_before_action :setup_tracking skip_before_action :setup_tracking
before_action :authenticate_from_token before_action :authenticate_from_token
before_action :ensure_authorized_network, if: -> { @api_token.present? } before_action :ensure_authorized_network, if: -> { @api_token.present? }
before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
before_action do before_action do
Current.browser = 'api' Current.browser = 'api'
@ -54,4 +55,10 @@ class API::V2::BaseController < ApplicationController
render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden
end end
end end
def ensure_token_is_not_expired
if @api_token.expired?
render json: { errors: ['token expired'] }, status: :unauthorized
end
end
end end

7
app/controllers/api_controller.rb
View file

@ -2,6 +2,7 @@ class APIController < ApplicationController
before_action :default_format_json before_action :default_format_json
before_action :authenticate_from_token before_action :authenticate_from_token
before_action :ensure_authorized_network, if: -> { @api_token.present? } before_action :ensure_authorized_network, if: -> { @api_token.present? }
before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
before_action do before_action do
Current.browser = 'api' Current.browser = 'api'
@ -41,4 +42,10 @@ class APIController < ApplicationController
render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden
end end
end end
def ensure_token_is_not_expired
if @api_token.expired?
render json: { errors: ['token expired'] }, status: :unauthorized
end
end
end end

4
app/models/api_token.rb
View file

@ -71,6 +71,10 @@ class APIToken < ApplicationRecord
authorized_networks.none? { |range| range.include?(ip) } authorized_networks.none? { |range| range.include?(ip) }
end end
def expired?
expires_at&.past?
end
class << self class << self
def generate(administrateur) def generate(administrateur)
plain_token = generate_unique_secure_token plain_token = generate_unique_secure_token

20
spec/controllers/api/v2/base_controller_spec.rb
View file

@ -1,5 +1,5 @@
describe API::V2::BaseController, type: :controller do describe API::V2::BaseController, type: :controller do
describe 'ensure_authorized_network' do describe 'ensure_authorized_network and token_is_not_expired' do
let(:admin) { create(:administrateur) } let(:admin) { create(:administrateur) }
let(:token_bearer_couple) { APIToken.generate(admin) } let(:token_bearer_couple) { APIToken.generate(admin) }
let(:token) { token_bearer_couple[0] } let(:token) { token_bearer_couple[0] }
@ -18,7 +18,23 @@ describe API::V2::BaseController, type: :controller do
describe 'GET #index' do describe 'GET #index' do
subject { get :fake_action } subject { get :fake_action }
context 'when no authorized networks are defined' do context 'when no authorized networks are defined and the token is not expired' do
it { is_expected.to have_http_status(:ok) }
end
context 'when the token is expired' do
before do
token.update!(expires_at: 1.day.ago)
end
it { is_expected.to have_http_status(:unauthorized) }
end
context 'when this is precisely the day the token expires' do
before do
token.update!(expires_at: Time.zone.today)
end
it { is_expected.to have_http_status(:ok) } it { is_expected.to have_http_status(:ok) }
end end

12
spec/controllers/api_controller_spec.rb
View file

@ -40,7 +40,7 @@ describe APIController, type: :controller do
end end
end end
describe 'ensure_authorized_network' do describe 'ensure_authorized_network and token is not expired' do
let(:admin) { create(:administrateur) } let(:admin) { create(:administrateur) }
let(:token_bearer_couple) { APIToken.generate(admin) } let(:token_bearer_couple) { APIToken.generate(admin) }
let(:token) { token_bearer_couple[0] } let(:token) { token_bearer_couple[0] }
@ -59,10 +59,18 @@ describe APIController, type: :controller do
describe 'GET #index' do describe 'GET #index' do
subject { get :fake_action } subject { get :fake_action }
context 'when no authorized networks are defined' do context 'when no authorized networks are defined and the token is not expired' do
it { is_expected.to have_http_status(:ok) } it { is_expected.to have_http_status(:ok) }
end end
context 'when the token is expired' do
before do
token.update!(expires_at: 1.day.ago)
end
it { is_expected.to have_http_status(:unauthorized) }
end
context 'when a single authorized network is defined' do context 'when a single authorized network is defined' do
before do before do
token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')]) token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')])