Add token authentication to Active Storage controllers [SCI-5123]

app/controllers/active_storage/custom_base_controller.rb

@@ -3,6 +3,10 @@
 # The base controller for all ActiveStorage controllers.
 module ActiveStorage
   class CustomBaseController < ApplicationController
+    include TokenAuthentication
     include ActiveStorage::SetCurrent
+
+    prepend_before_action :authenticate_request!, if: -> { request.headers['Authorization'].present? }
+    skip_before_action :authenticate_user!, if: -> { current_user.present? }
   end
 end

app/controllers/api/api_controller.rb

@@ -2,8 +2,8 @@
 
 module Api
   class ApiController < ActionController::API
-    attr_reader :iss
-    attr_reader :token
+    include TokenAuthentication
+
     attr_reader :current_user
 
     before_action :authenticate_request!, except: %i(status health)
@@ -53,45 +53,5 @@ module Api
       end
       render json: response, status: :ok
     end
-
-    private
-
-    def azure_jwt_auth
-      return unless iss =~ %r{windows.net/|microsoftonline.com/}
-      token_payload, = Api::AzureJwt.decode(token)
-      @current_user = User.from_azure_jwt_token(token_payload)
-      unless current_user
-        raise JWT::InvalidPayload, I18n.t('api.core.no_azure_user_mapping')
-      end
-    end
-
-    def authenticate_request!
-      @token = request.headers['Authorization']&.sub('Bearer ', '')
-      unless @token
-        raise JWT::VerificationError, I18n.t('api.core.missing_token')
-      end
-
-      @iss = CoreJwt.read_iss(token)
-      raise JWT::InvalidPayload, I18n.t('api.core.no_iss') unless @iss
-
-      Extends::API_PLUGABLE_AUTH_METHODS.each do |auth_method|
-        method(auth_method).call
-        return true if current_user
-      end
-
-      # Default token implementation
-      unless iss == Rails.configuration.x.core_api_token_iss
-        raise JWT::InvalidPayload, I18n.t('api.core.wrong_iss')
-      end
-      payload = CoreJwt.decode(token)
-      @current_user = User.find_by_id(payload['sub'])
-      unless current_user
-        raise JWT::InvalidPayload, I18n.t('api.core.no_user_mapping')
-      end
-    end
-
-    def auth_params
-      params.permit(:grant_type, :email, :password)
-    end
   end
 end

app/controllers/application_controller.rb

@@ -1,5 +1,5 @@
 class ApplicationController < ActionController::Base
-  acts_as_token_authentication_handler_for User
+  acts_as_token_authentication_handler_for User, unless: -> { current_user.present? }
   # Prevent CSRF attacks by raising an exception.
   # For APIs, you may want to use :null_session instead.
   protect_from_forgery with: :exception, prepend: true

app/controllers/concerns/token_authentication.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+module TokenAuthentication
+  extend ActiveSupport::Concern
+
+  private
+
+  def azure_jwt_auth
+    return unless @token_iss.match?(%r{windows.net/|microsoftonline.com/})
+
+    token_payload, = Api::AzureJwt.decode(@token)
+    @current_user = User.from_azure_jwt_token(token_payload)
+    raise JWT::InvalidPayload, I18n.t('api.core.no_azure_user_mapping') unless current_user
+  end
+
+  def authenticate_request!
+    @token = request.headers['Authorization']&.sub('Bearer ', '')
+    raise JWT::VerificationError, I18n.t('api.core.missing_token') unless @token
+
+    @token_iss = Api::CoreJwt.read_iss(@token)
+    raise JWT::InvalidPayload, I18n.t('api.core.no_iss') unless @token_iss
+
+    Extends::API_PLUGABLE_AUTH_METHODS.each do |auth_method|
+      method(auth_method).call
+      return true if current_user
+    end
+
+    # Default token implementation
+    unless @token_iss == Rails.configuration.x.core_api_token_iss
+      raise JWT::InvalidPayload, I18n.t('api.core.wrong_iss')
+    end
+
+    payload = Api::CoreJwt.decode(@token)
+    @current_user = User.find_by(id: payload['sub'])
+    raise JWT::InvalidPayload, I18n.t('api.core.no_user_mapping') unless current_user
+  end
+end