feat(api): add last_authenticated_at timestamp to api requests

2023-08-01 12:30:23 +02:00 · 2023-08-01 12:30:23 +02:00 · e9cb50d09c
commit e9cb50d09c
parent a8f7ce77c3
7 changed files with 31 additions and 4 deletions
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@ -39,7 +39,9 @@ class API::V2::BaseController < ApplicationController

  def api_token
    if @api_token.nil?
-      @api_token = APIToken.find_and_verify(authorization_bearer_token) || false
+      @api_token = APIToken
+        .find_and_verify(authorization_bearer_token)
+        &.tap { _1.touch(:last_v2_authenticated_at) } || false
    end
    @api_token
  end
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@ -6,6 +6,7 @@ class APIController < ApplicationController
  def find_administrateur_for_token(procedure)
    api_token = APIToken.find_and_verify(authorization_bearer_token, procedure.administrateurs)
    if api_token.present? && api_token.context.fetch(:procedure_ids).include?(procedure.id)
+      api_token.touch(:last_v1_authenticated_at)
      api_token.administrateur
    end
  end
--- a/app/graphql/api/v2/context.rb
+++ b/app/graphql/api/v2/context.rb
@ -73,6 +73,7 @@ class API::V2::Context < GraphQL::Query::Context
    elsif self[:token].present?
      token = APIToken.find_and_verify(self[:token], demarche.administrateurs)
      if token.present?
+        token.touch(:last_v2_authenticated_at)
        Current.user = token.administrateur.user
        true
      else
--- a/app/models/administrateur.rb
+++ b/app/models/administrateur.rb
@ -20,7 +20,10 @@ class Administrateur < ApplicationRecord
      .where.missing(:services)
      .left_outer_joins(:administrateurs_procedures) # needed to bypass procedure hidden default scope
      .where(administrateurs_procedures: { procedure_id: nil })
-      .where("users.last_sign_in_at < ? ", UNUSED_ADMIN_THRESHOLD.ago)
+      .includes(:api_tokens)
+      .where(users: { last_sign_in_at: ..UNUSED_ADMIN_THRESHOLD.ago })
+      .merge(APIToken.where(last_v1_authenticated_at: nil).or(APIToken.where(last_v1_authenticated_at: ..UNUSED_ADMIN_THRESHOLD.ago)))
+      .merge(APIToken.where(last_v2_authenticated_at: nil).or(APIToken.where(last_v2_authenticated_at: ..UNUSED_ADMIN_THRESHOLD.ago)))
  end

  def self.by_email(email)
--- a/db/migrate/20230801102740_add_last_authenticated_at_to_api_tokens.rb
+++ b/db/migrate/20230801102740_add_last_authenticated_at_to_api_tokens.rb
@ -0,0 +1,6 @@
+class AddLastAuthenticatedAtToAPITokens < ActiveRecord::Migration[7.0]
+  def change
+    add_column :api_tokens, :last_v1_authenticated_at, :datetime
+    add_column :api_tokens, :last_v2_authenticated_at, :datetime
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema[7.0].define(version: 2023_08_01_121131) do
+ActiveRecord::Schema[7.0].define(version: 2023_08_02_121131) do
  # These are extensions that must be enabled in order to support this database
  enable_extension "pgcrypto"
  enable_extension "plpgsql"
@ -93,6 +93,8 @@ ActiveRecord::Schema[7.0].define(version: 2023_08_01_121131) do
    t.bigint "allowed_procedure_ids", array: true
    t.datetime "created_at", precision: 6, null: false
    t.string "encrypted_token", null: false
+    t.datetime "last_v1_authenticated_at"
+    t.datetime "last_v2_authenticated_at"
    t.string "name", null: false
    t.datetime "updated_at", precision: 6, null: false
    t.integer "version", default: 3, null: false
--- a/spec/models/administrateur_spec.rb
+++ b/spec/models/administrateur_spec.rb
@ -208,7 +208,7 @@ describe Administrateur, type: :model do
    subject { Administrateur.unused }

    let(:new_admin) { create(:administrateur) }
-    let(:unused_admin) { create(:administrateur) }
+    let(:unused_admin) { create(:administrateur, :with_api_token) }

    before do
      new_admin.user.update(last_sign_in_at: (6.months - 1.day).ago)
@ -225,6 +225,18 @@ describe Administrateur, type: :model do
      it { is_expected.to be_empty }
    end

+    context 'with a with_api_token on api v1' do
+      before { unused_admin.api_tokens.first.touch(:last_v1_authenticated_at) }
+
+      it { is_expected.to be_empty }
+    end
+
+    context 'with a with_api_token on api v2' do
+      before { unused_admin.api_tokens.first.touch(:last_v2_authenticated_at) }
+
+      it { is_expected.to be_empty }
+    end
+
    context 'with a service' do
      let(:service) { create(:service) }