feat(graphql): new tokens should carry administrateur_id

2022-09-28 12:40:44 +02:00 · 2022-09-28 12:40:44 +02:00 · df47f4a7ab
commit df47f4a7ab
parent bd60ac4dfc
8 changed files with 93 additions and 16 deletions
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@ -1,20 +1,44 @@
 class API::V2::BaseController < ApplicationController
-  protect_from_forgery with: :null_session
+  # Disable forgery protection for API controllers when the request is authenticated
+  # with a bearer token. Otherwise the session will be nullified and we'll lose curent_user
+  protect_from_forgery with: :null_session, unless: :token?
+  skip_before_action :setup_tracking
+  prepend_before_action :authenticate_administrateur_from_token

  private

  def context
-    {
-      administrateur_id: current_administrateur&.id,
-      token: authorization_bearer_token
-    }
+    if api_token.administrateur?
+      { administrateur_id: api_token.administrateur_id }
+    else
+      { token: api_token.token }
+    end
+  end
+
+  def token?
+    authorization_bearer_token.present?
  end

  def authorization_bearer_token
-    received_token = nil
-    authenticate_with_http_token do |token, _options|
-      received_token = token
+    @authorization_bearer_token ||= begin
+      received_token = nil
+      authenticate_with_http_token do |token, _options|
+        received_token = token
+      end
+      received_token
    end
-    received_token
+  end
+
+  def authenticate_administrateur_from_token
+    if api_token.administrateur?
+      administrateur = Administrateur.includes(:user).find_by(id: api_token.administrateur_id)
+      if administrateur.valid_api_token?(api_token.token)
+        @current_user = administrateur.user
+      end
+    end
+  end
+
+  def api_token
+    @api_token ||= APIToken.new(authorization_bearer_token)
  end
 end
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@ -5,7 +5,7 @@ class APIController < ApplicationController

  def find_administrateur_for_token(procedure)
    procedure.administrateurs.find do |administrateur|
-      administrateur.valid_api_token?(token)
+      administrateur.valid_api_token?(api_token.token)
    end
  end

@ -15,7 +15,11 @@ class APIController < ApplicationController
    request.format = "json" if !request.params[:format]
  end

-  def token
+  def api_token
+    @api_token ||= APIToken.new(authorization_bearer_token)
+  end
+
+  def authorization_bearer_token
    params_token.presence || header_token
  end

--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -263,7 +263,13 @@ class ApplicationController < ActionController::Base
  end

  def sentry_user
-    { id: user_signed_in? ? "User##{current_user.id}" : 'Guest' }
+    if user_signed_in?
+      { id: "User##{current_user.id}" }
+    elsif administrateur_signed_in?
+      { id: "Administrateur##{current_administrateur.id}" }
+    else
+      { id: 'Guest' }
+    end
  end

  def sentry_config