secu(graphql): without a token, only persisted queries are allowed

This commit is contained in:
Paul Chavard 2024-07-22 11:11:06 +02:00
parent c31321d695
commit d6f9e57e77
No known key found for this signature in database
4 changed files with 28 additions and 2 deletions


@ -10,6 +10,7 @@ class API::V2::BaseController < ApplicationController
before_action :authenticate_from_token
before_action :ensure_authorized_network, if: -> { @api_token.present? }
before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
before_action :allow_only_persisted_queries, if: -> { @api_token.blank? }
before_action do
Current.browser = 'api'
@ -55,6 +56,12 @@ class API::V2::BaseController < ApplicationController
end
end
def allow_only_persisted_queries
if params[:queryId].blank?
render json: graphql_error('Without a token, only persisted queries are allowed', :forbidden), status: :forbidden
end
end
def ensure_authorized_network
if @api_token.forbidden_network?(request.remote_ip)
address = IPAddr.new(request.remote_ip)