demarches-normaliennes/app/controllers/api/v2/base_controller.rb

58 lines
1.5 KiB
Ruby

class API::V2::BaseController < ApplicationController
# Disable forgery protection for API controllers when the request is authenticated
# with a bearer token. Otherwise the session will be nullified and we'll lose curent_user
protect_from_forgery with: :null_session, unless: :token?
skip_before_action :setup_tracking
prepend_before_action :authenticate_administrateur_from_token
private
def context
# new token
if api_token.present?
api_token.context
# web interface (/graphql) give current_administrateur
elsif current_administrateur.present?
{
administrateur_id: current_administrateur.id,
procedure_ids: current_administrateur.procedure_ids,
write_access: true
}
# old token
else
{
token: authorization_bearer_token,
write_access: true
}
end
end
def token?
authorization_bearer_token.present?
end
def authenticate_administrateur_from_token
if api_token.present?
@current_user = api_token.administrateur.user
end
end
def api_token
if @api_token.nil?
@api_token = APIToken
.find_and_verify(authorization_bearer_token)
&.tap { _1.touch(:last_v2_authenticated_at) } || false
end
@api_token
end
def authorization_bearer_token
@authorization_bearer_token ||= begin
received_token = nil
authenticate_with_http_token do |token, _options|
received_token = token
end
received_token
end
end
end