class APIToken < ApplicationRecord include ActiveRecord::SecureToken belongs_to :administrateur, inverse_of: :api_tokens has_many :procedures, through: :administrateur before_save :check_allowed_procedure_ids_ownership def context context = { administrateur_id: administrateur_id, write_access: write_access? } if full_access? context.merge procedure_ids: else context.merge procedure_ids: procedure_ids & allowed_procedure_ids end end def full_access? allowed_procedure_ids.nil? end def procedures_to_allow procedures.select(:id, :libelle, :path).where.not(id: allowed_procedure_ids || []).order(:libelle) end def allowed_procedures if allowed_procedure_ids.present? procedures.select(:id, :libelle, :path).where(id: allowed_procedure_ids).order(:libelle) else [] end end def disallow_procedure(procedure_id) allowed_procedure_ids = allowed_procedures.map(&:id) - [procedure_id] if allowed_procedure_ids.empty? allowed_procedure_ids = nil end update!(allowed_procedure_ids:) end # Prefix is made of the first 6 characters of the uuid base64 encoded # it does not leak plain token def prefix Base64.urlsafe_encode64(id).slice(0, 5) end class << self def generate(administrateur) plain_token = generate_unique_secure_token encrypted_token = BCrypt::Password.create(plain_token) api_token = create!(administrateur:, encrypted_token:, name: Date.today.strftime('Jeton d’API généré le %d/%m/%Y')) packed_token = Base64.urlsafe_encode64([api_token.id, plain_token].join(';')) [api_token, packed_token] end def find_and_verify(maybe_packed_token, administrateurs = []) token = case unpack(maybe_packed_token) in { plain_token:, id: } # token v3 find_by(id:, version: 3)&.then(&ensure_valid_token(plain_token)) in { plain_token:, administrateur_id: } # token v2 # the migration to the APIToken model set `version: 1` for all the v1 and v2 token # this is the only place where we can fix the version where(administrateur_id:, version: 1).update_all(version: 2) # update to v2 find_by(administrateur_id:, version: 2)&.then(&ensure_valid_token(plain_token)) in { plain_token: } # token v1 where(administrateur: administrateurs, version: 1).find(&ensure_valid_token(plain_token)) end # TODO: # remove all the not v3 version code # when everyone has migrated # it should also be a good place in case we need to feature flag old token use if token&.version == 3 || Rails.env.test? token else nil end end private UUID_SIZE = SecureRandom.uuid.size def unpack(maybe_packed_token) case message_verifier.verified(maybe_packed_token) in [administrateur_id, plain_token] { plain_token:, administrateur_id: } else case Base64.urlsafe_decode64(maybe_packed_token).split(';') in [id, plain_token] if id.size == UUID_SIZE # valid format ";" { plain_token:, id: } else { plain_token: maybe_packed_token } end end rescue { plain_token: maybe_packed_token } end def message_verifier Rails.application.message_verifier('api_v2_token') end def ensure_valid_token(plain_token) -> (api_token) { api_token if BCrypt::Password.new(api_token.encrypted_token) == plain_token } end end private def check_allowed_procedure_ids_ownership if allowed_procedure_ids.present? self.allowed_procedure_ids = allowed_procedures.map(&:id) end end end