scinote-web/app/controllers/wopi_controller.rb

class WopiController < ActionController::Base
  include WopiUtil

  before_action :load_vars, :authenticate_user_from_token!
  before_action :verify_proof!

  # Only used for checkfileinfo
  def file_get_endpoint
    check_file_info
  end

  def file_contents_get_endpoint
    # get_file
    response.headers['X-WOPI-ItemVersion'] = @asset.version
    response.body = Paperclip.io_adapters.for(@asset.file).read
    send_data response.body, disposition: 'inline', content_type: 'text/plain'
  end

  def post_file_endpoint
    override = request.headers['X-WOPI-Override']
    case override
    when 'GET_LOCK'
      get_lock
    when 'PUT_RELATIVE'
      put_relative
    when 'LOCK'
      old_lock = request.headers['X-WOPI-OldLock']
      if old_lock.nil?
        lock
      else
        unlock_and_relock
      end
    when 'UNLOCK'
      unlock
    when 'REFRESH_LOCK'
      refresh_lock
    when 'GET_SHARE_URL'
      render nothing: :true, status: 501 and return
    else
      render nothing: :true, status: 404 and return
    end
  end

  # Only used for putfile
  def file_contents_post_endpoint
    logger.warn 'WOPI: post_file_contents called'
    put_file
  end

  def check_file_info
    msg = {
      BaseFileName:                @asset.file_file_name,
      OwnerId:                     @asset.created_by_id.to_s,
      Size:                        @asset.file_file_size,
      UserId:                      @user.id,
      Version:                     @asset.version,
      SupportsExtendedLockLength:  true,
      SupportsGetLock:             true,
      SupportsLocks:               true,
      SupportsUpdate:              true,
      # Setting all users to business until we figure out
      # which should NOT be business
      LicenseCheckForEditIsEnabled:  true,
      UserFriendlyName:              @user.name,
      # TODO: Check user permisisons
      ReadOnly:                 false,
      UserCanNotWriteRelative:  true,
      UserCanWrite:             true,
      # TODO: decide what to put here
      CloseUrl:    'https://scinote-preview.herokuapp.com',
      DownloadUrl: url_for(controller: 'assets', action: 'download',
                           id: @asset.id),
      HostEditUrl: url_for(controller: 'assets', action: 'edit',
                           id: @asset.id),
      HostViewUrl: url_for(controller: 'assets', action: 'view',
                           id: @asset.id)
      # TODO: breadcrumbs?
      #:FileExtension
    }
    response.headers['X-WOPI-HostEndpoint'] = ENV['WOPI_ENDPOINT_URL']
    response.headers['X-WOPI-MachineName'] = ENV['WOPI_ENDPOINT_URL']
    response.headers['X-WOPI-ServerVersion'] = APP_VERSION
    render json: msg and return
  end

  def put_relative
    render nothing: :true, status: 501 and return
  end

  def lock
    lock = request.headers['X-WOPI-Lock']
    logger.warn 'WOPI: lock; ' + lock.to_s
    render nothing: :true, status: 404 and return if lock.nil? || lock.blank?
    @asset.with_lock do
      if @asset.is_locked
        if @asset.lock == lock
          @asset.refresh_lock
          response.headers['X-WOPI-ItemVersion'] = @asset.version
          render nothing: :true, status: 200 and return
        else
          response.headers['X-WOPI-Lock'] = @asset.lock
          render nothing: :true, status: 409 and return
        end
      else
        @asset.lock_asset(lock)
        response.headers['X-WOPI-ItemVersion'] = @asset.version
        render nothing: :true, status: 200 and return
      end
    end
  end

  def unlock_and_relock
    logger.warn 'lock and relock'
    lock = request.headers['X-WOPI-Lock']
    old_lock = request.headers['X-WOPI-OldLock']
    if lock.nil? || lock.blank? || old_lock.blank?
      render nothing: :true, status: 400 and return
    end
    @asset.with_lock do
      if @asset.is_locked
        if @asset.lock == old_lock
          @asset.unlock
          @asset.lock_asset(lock)
          response.headers['X-WOPI-ItemVersion'] = @asset.version
          render nothing: :true, status: 200 and return
        else
          response.headers['X-WOPI-Lock'] = @asset.lock
          render nothing: :true, status: 409 and return
        end
      else
        response.headers['X-WOPI-Lock'] = ''
        render nothing: :true, status: 409 and return
      end
    end
  end

  def unlock
    lock = request.headers['X-WOPI-Lock']
    render nothing: :true, status: 400 and return if lock.nil? || lock.blank?
    @asset.with_lock do
      if @asset.is_locked
        logger.warn 'WOPI: current asset lock: #{@asset.lock},
                     unlocking lock #{lock}'
        if @asset.lock == lock
          @asset.unlock
          response.headers['X-WOPI-ItemVersion'] = @asset.version
          render nothing: :true, status: 200 and return
        else
          response.headers['X-WOPI-Lock'] = @asset.lock
          render nothing: :true, status: 409 and return
        end
      else
        logger.warn 'WOPI: tried to unlock non-locked file'
        response.headers['X-WOPI-Lock'] = ' '
        render nothing: :true, status: 409 and return
      end
    end
  end

  def refresh_lock
    lock = request.headers['X-WOPI-Lock']
    render nothing: :true, status: 400 and return if lock.nil? || lock.blank?
    @asset.with_lock do
      if @asset.is_locked
        if @asset.lock == lock
          @asset.refresh_lock
          response.headers['X-WOPI-ItemVersion'] = @asset.version
          response.headers['X-WOPI-ItemVersion'] = @asset.version
          render nothing: :true, status: 200 and return
        else
          response.headers['X-WOPI-Lock'] = @asset.lock
          render nothing: :true, status: 409 and return
        end
      else
        response.headers['X-WOPI-Lock'] = ''
        render nothing: :true, status: 409 and return
      end
    end
  end

  def get_lock
    @asset.with_lock do
      if @asset.is_locked
        response.headers['X-WOPI-Lock'] = @asset.lock
      else
        response.headers['X-WOPI-Lock'] = ''
      end
      render nothing: :true, status: 200 and return
    end
  end

  # TODO: When should we extract file text?
  def put_file
    @asset.with_lock do
      lock = request.headers['X-WOPI-Lock']
      if @asset.is_locked
        if @asset.lock == lock
          logger.warn 'WOPI: replacing file'
          @asset.update_contents(request.body)
          response.headers['X-WOPI-ItemVersion'] = @asset.version
          render nothing: :true, status: 200 and return
        else
          logger.warn 'WOPI: wrong lock used to try and modify file'
          response.headers['X-WOPI-Lock'] = @asset.lock
          render nothing: :true, status: 409 and return
        end
      elsif !@asset.file_file_size.nil? && @asset.file_file_size.zero?
        logger.warn 'WOPI: initializing empty file'
        @asset.update_contents(request.body)
        response.headers['X-WOPI-ItemVersion'] = @asset.version
        render nothing: :true, status: 200 and return
      else
        logger.warn 'WOPI: trying to modify unlocked file'
        response.headers['X-WOPI-Lock'] = ''
        render nothing: :true, status: 409 and return
      end
    end
  end

  def load_vars
    @asset = Asset.find_by_id(params[:id])
    if @asset.nil?
      render nothing: :true, status: 404 and return
    else
      logger.warn 'Found asset'
      step_assoc = @asset.step
      result_assoc = @asset.result
      @assoc = step_assoc unless step_assoc.nil?
      @assoc = result_assoc unless result_assoc.nil?

      if @assoc.class == Step
        @protocol = @asset.step.protocol
      else
        @my_module = @assoc.my_module
      end
    end
  end

  private

  def authenticate_user_from_token!
    wopi_token = params[:access_token]
    if wopi_token.nil?
      logger.warn 'WOPI: nil wopi token'
      render nothing: :true, status: 401 and return
    end

    @user = User.find_by_valid_wopi_token(wopi_token)
    if @user.nil?
      logger.warn 'WOPI: no user with this token found'
      render nothing: :true, status: 401 and return
    end
    logger.warn 'WOPI: user found by token'

    # TODO: check if the user can do anything with the file
  end

  def verify_proof!
    token = params[:access_token].encode('utf-8')
    timestamp = request.headers['X-WOPI-TimeStamp'].to_i
    signed_proof = request.headers['X-WOPI-Proof']
    signed_proof_old = request.headers['X-WOPI-ProofOld']
    url = request.original_url.upcase.encode('utf-8')

    if convert_to_unix_timestamp(timestamp) + 20.minutes >= Time.now
      if get_discovery.verify_proof(token, timestamp, signed_proof,
                                    signed_proof_old, url)
        logger.warn 'WOPI: proof verification: successful'
      else
        logger.warn 'WOPI: proof verification: not verified'
        render nothing: :true, status: 500 and return
      end
    else
      logger.warn 'WOPI: proof verification: timestamp too old; ' +
                  timestamp.to_s
      render nothing: :true, status: 500 and return
    end
  rescue => e
    logger.warn 'WOPI: proof verification: failed; ' + e.message
    render nothing: :true, status: 500 and return
  end
end
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`class WopiController < ActionController::Base`
Add timestamp WOPI checking Change status error code to 500. 2016-09-22 22:18:57 +08:00			`include WopiUtil`

Refactor WopiController 2016-09-23 16:27:30 +08:00			`before_action :load_vars, :authenticate_user_from_token!`
Add basic WOPI proof checking Still missing validation of timestamp. Remove web_console gem for testing. Add relevant tests from manual for WOPI proof. 2016-09-22 19:19:35 +08:00			`before_action :verify_proof!`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00
Refactor WopiController 2016-09-23 16:27:30 +08:00			`# Only used for checkfileinfo`
			`def file_get_endpoint`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`check_file_info`
			`end`

Refactor WopiController 2016-09-23 16:27:30 +08:00			`def file_contents_get_endpoint`
			`# get_file`
			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`response.body = Paperclip.io_adapters.for(@asset.file).read`
			`send_data response.body, disposition: 'inline', content_type: 'text/plain'`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`end`

First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`def post_file_endpoint`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`override = request.headers['X-WOPI-Override']`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`case override`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`when 'GET_LOCK'`
			`get_lock`
			`when 'PUT_RELATIVE'`
			`put_relative`
			`when 'LOCK'`
			`old_lock = request.headers['X-WOPI-OldLock']`
			`if old_lock.nil?`
			`lock`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`unlock_and_relock`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`end`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`when 'UNLOCK'`
			`unlock`
			`when 'REFRESH_LOCK'`
			`refresh_lock`
			`when 'GET_SHARE_URL'`
			`render nothing: :true, status: 501 and return`
			`else`
			`render nothing: :true, status: 404 and return`
			`end`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`end`

Refactor WopiController 2016-09-23 16:27:30 +08:00			`# Only used for putfile`
			`def file_contents_post_endpoint`
			`logger.warn 'WOPI: post_file_contents called'`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`put_file`
			`end`

			`def check_file_info`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`msg = {`
			`BaseFileName: @asset.file_file_name,`
			`OwnerId: @asset.created_by_id.to_s,`
			`Size: @asset.file_file_size,`
			`UserId: @user.id,`
			`Version: @asset.version,`
			`SupportsExtendedLockLength: true,`
			`SupportsGetLock: true,`
			`SupportsLocks: true,`
			`SupportsUpdate: true,`
			`# Setting all users to business until we figure out`
			`# which should NOT be business`
			`LicenseCheckForEditIsEnabled: true,`
			`UserFriendlyName: @user.name,`
			`# TODO: Check user permisisons`
			`ReadOnly: false,`
			`UserCanNotWriteRelative: true,`
			`UserCanWrite: true,`
			`# TODO: decide what to put here`
			`CloseUrl: 'https://scinote-preview.herokuapp.com',`
			`DownloadUrl: url_for(controller: 'assets', action: 'download',`
			`id: @asset.id),`
			`HostEditUrl: url_for(controller: 'assets', action: 'edit',`
			`id: @asset.id),`
			`HostViewUrl: url_for(controller: 'assets', action: 'view',`
			`id: @asset.id)`
			`# TODO: breadcrumbs?`
			`#:FileExtension`
			`}`
			`response.headers['X-WOPI-HostEndpoint'] = ENV['WOPI_ENDPOINT_URL']`
			`response.headers['X-WOPI-MachineName'] = ENV['WOPI_ENDPOINT_URL']`
			`response.headers['X-WOPI-ServerVersion'] = APP_VERSION`
			`render json: msg and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`

			`def put_relative`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`render nothing: :true, status: 501 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`

			`def lock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`lock = request.headers['X-WOPI-Lock']`
			`logger.warn 'WOPI: lock; ' + lock.to_s`
			`render nothing: :true, status: 404 and return if lock.nil? \|\| lock.blank?`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`@asset.with_lock do`
			`if @asset.is_locked`
			`if @asset.lock == lock`
			`@asset.refresh_lock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = @asset.lock`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`else`
			`@asset.lock_asset(lock)`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`end`
			`end`

			`def unlock_and_relock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'lock and relock'`
			`lock = request.headers['X-WOPI-Lock']`
			`old_lock = request.headers['X-WOPI-OldLock']`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`if lock.nil? \|\| lock.blank? \|\| old_lock.blank?`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`render nothing: :true, status: 400 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`@asset.with_lock do`
			`if @asset.is_locked`
			`if @asset.lock == old_lock`
			`@asset.unlock`
			`@asset.lock_asset(lock)`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = @asset.lock`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = ''`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`end`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`end`

First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`def unlock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`lock = request.headers['X-WOPI-Lock']`
			`render nothing: :true, status: 400 and return if lock.nil? \|\| lock.blank?`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`@asset.with_lock do`
			`if @asset.is_locked`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'WOPI: current asset lock: #{@asset.lock},`
			`unlocking lock #{lock}'`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`if @asset.lock == lock`
			`@asset.unlock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = @asset.lock`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'WOPI: tried to unlock non-locked file'`
			`response.headers['X-WOPI-Lock'] = ' '`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`end`
			`end`

			`def refresh_lock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`lock = request.headers['X-WOPI-Lock']`
			`render nothing: :true, status: 400 and return if lock.nil? \|\| lock.blank?`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`@asset.with_lock do`
			`if @asset.is_locked`
			`if @asset.lock == lock`
			`@asset.refresh_lock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = @asset.lock`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = ''`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`end`
			`end`

			`def get_lock`
			`@asset.with_lock do`
			`if @asset.is_locked`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = @asset.lock`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-Lock'] = ''`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`end`
Refactor WopiController 2016-09-23 16:27:30 +08:00
			`# TODO: When should we extract file text?`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`def put_file`
			`@asset.with_lock do`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`lock = request.headers['X-WOPI-Lock']`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`if @asset.is_locked`
			`if @asset.lock == lock`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'WOPI: replacing file'`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`@asset.update_contents(request.body)`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'WOPI: wrong lock used to try and modify file'`
			`response.headers['X-WOPI-Lock'] = @asset.lock`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`elsif !@asset.file_file_size.nil? && @asset.file_file_size.zero?`
			`logger.warn 'WOPI: initializing empty file'`
			`@asset.update_contents(request.body)`
			`response.headers['X-WOPI-ItemVersion'] = @asset.version`
			`render nothing: :true, status: 200 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'WOPI: trying to modify unlocked file'`
			`response.headers['X-WOPI-Lock'] = ''`
			`render nothing: :true, status: 409 and return`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`
			`end`
			`end`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00
			`def load_vars`
			`@asset = Asset.find_by_id(params[:id])`
			`if @asset.nil?`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`render nothing: :true, status: 404 and return`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`else`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'Found asset'`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`step_assoc = @asset.step`
			`result_assoc = @asset.result`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`@assoc = step_assoc unless step_assoc.nil?`
			`@assoc = result_assoc unless result_assoc.nil?`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00
			`if @assoc.class == Step`
			`@protocol = @asset.step.protocol`
			`else`
			`@my_module = @assoc.my_module`
			`end`
			`end`
			`end`

			`private`

Refactor WopiController 2016-09-23 16:27:30 +08:00			`def authenticate_user_from_token!`
			`wopi_token = params[:access_token]`
			`if wopi_token.nil?`
			`logger.warn 'WOPI: nil wopi token'`
			`render nothing: :true, status: 401 and return`
			`end`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00
Refactor WopiController 2016-09-23 16:27:30 +08:00			`@user = User.find_by_valid_wopi_token(wopi_token)`
			`if @user.nil?`
			`logger.warn 'WOPI: no user with this token found'`
			`render nothing: :true, status: 401 and return`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`end`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`logger.warn 'WOPI: user found by token'`

			`# TODO: check if the user can do anything with the file`
			`end`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00
Refactor WopiController 2016-09-23 16:27:30 +08:00			`def verify_proof!`
			`token = params[:access_token].encode('utf-8')`
			`timestamp = request.headers['X-WOPI-TimeStamp'].to_i`
			`signed_proof = request.headers['X-WOPI-Proof']`
			`signed_proof_old = request.headers['X-WOPI-ProofOld']`
			`url = request.original_url.upcase.encode('utf-8')`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00
Refactor WopiController 2016-09-23 16:27:30 +08:00			`if convert_to_unix_timestamp(timestamp) + 20.minutes >= Time.now`
			`if get_discovery.verify_proof(token, timestamp, signed_proof,`
			`signed_proof_old, url)`
			`logger.warn 'WOPI: proof verification: successful'`
			`else`
			`logger.warn 'WOPI: proof verification: not verified'`
			`render nothing: :true, status: 500 and return`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`end`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`else`
			`logger.warn 'WOPI: proof verification: timestamp too old; ' +`
			`timestamp.to_s`
			`render nothing: :true, status: 500 and return`
Initial commit of WOPI integration 2016-08-03 21:31:25 +08:00			`end`
Refactor WopiController 2016-09-23 16:27:30 +08:00			`rescue => e`
			`logger.warn 'WOPI: proof verification: failed; ' + e.message`
			`render nothing: :true, status: 500 and return`
			`end`
Add basic WOPI proof checking Still missing validation of timestamp. Remove web_console gem for testing. Add relevant tests from manual for WOPI proof. 2016-09-22 19:19:35 +08:00			`end`