Merge pull request #4881 from artoscinote/ma_SCI_7631

Throw error when authenticating with revoked tokens [SCI-7631]
artoscinote 2023-02-07 13:39:03 +01:00 committed by GitHub
commit 77b4a557f1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 91 additions and 0 deletions


@ -17,6 +17,8 @@ module TokenAuthentication
@token = request.headers['Authorization']&.sub('Bearer ', '')
raise JWT::VerificationError, I18n.t('api.core.missing_token') unless @token
check_token_revocation!
@token_iss = Api::CoreJwt.read_iss(@token)
raise JWT::InvalidPayload, I18n.t('api.core.no_iss') unless @token_iss
@ -34,4 +36,10 @@ module TokenAuthentication
@current_user = User.find_by(id: payload['sub'])
raise JWT::InvalidPayload, I18n.t('api.core.no_user_mapping') unless current_user
end
def check_token_revocation!
if Doorkeeper::AccessToken.where.not(revoked_at: nil).exists?(token: @token)
raise JWT::VerificationError, I18n.t('api.core.expired_token')
end
end
end
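Review bot: `check_token_revocation!` matches the raw bearer string against the `token` column with `exists?(token: @token)`, so if Doorkeeper's `hash_token_secrets` option is (or later becomes) enabled the stored value is a digest, the lookup never matches and the revocation check silently fails open. Doorkeeper already encapsulates both the lookup and the revocation semantics, so the body could be `raise JWT::VerificationError, I18n.t('api.core.expired_token') if Doorkeeper::AccessToken.by_token(@token)&.revoked?`; as I read Doorkeeper, `revoked?` also compares `revoked_at` against the current time rather than just testing for presence, which keeps this check consistent with the rest of the library. Reusing the `expired_token` message for a revoked token will make support triage harder; a dedicated locale entry for the revoked case would be clearer. The method that the first hunk edits starts outside the hunk.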


@ -0,0 +1,17 @@
# frozen_string_literal: true
module Doorkeeper
class AccessTokensController < ApplicationController
before_action :find_token
def revoke
@token.revoke
end
private
def find_token
@token = current_user.access_tokens.find(params[:id])
end
end
end
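Review bot: `revoke` sends no response after `@token.revoke`, so the outcome depends on Rails' implicit rendering: if `ApplicationController` is a regular (non-API) controller, a browser request to this action will look for a `revoke` template and fail, while a non-browser request only gets a 204 through the `ActionController::ImplicitRender` fallback. Making it explicit with `head :no_content` after `@token.revoke` removes that dependence and documents the contract for the client; the controller spec does not catch this because controller specs do not render views. Scoping the lookup through `current_user.access_tokens` is the right ownership check, and a one-line comment in `find_token` such as `# scoped to the caller so a foreign or unknown id raises ActiveRecord::RecordNotFound (404)` would make it clear to the next reader that this is the authorization boundary.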


@ -3,6 +3,8 @@ Rails.application.routes.draw do
skip_controllers :applications, :authorized_applications, :token_info
end
post 'access_tokens/revoke', to: 'doorkeeper/access_tokens#revoke'
# Addons
def draw(routes_name)


@ -0,0 +1,36 @@
# frozen_string_literal: true
require 'rails_helper'
class TokenAuthenticatedController
attr_accessor :token, :current_user
include TokenAuthentication
def request
OpenStruct.new(
headers: { 'Authorization' => "Bearer #{@token}" }
)
end
end
describe TokenAuthentication do
let(:test_controller_instance) { TokenAuthenticatedController.new }
let(:user) { create :user }
let(:access_token) {
user.access_tokens.create(
expires_in: 7500
)
}
describe '#authenticate_request' do
it "rejects revoked token" do
test_controller_instance.token = access_token.token
test_controller_instance.current_user = user
access_token.revoke
expect { test_controller_instance.send(:authenticate_request!) }.to raise_error(JWT::VerificationError)
end
end
end
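Review bot: The spec only exercises the revoked path, so it does not show that the new check is selective — a lookup that matched every token would also make this example pass. A positive counterpart can target the helper directly without needing a signed JWT for the later `read_iss` step: `it 'accepts a token that has not been revoked' do`, `test_controller_instance.token = access_token.token`, `expect { test_controller_instance.send(:check_token_revocation!) }.not_to raise_error`. With both directions pinned, a future change to the lookup (for example hashed token storage) that breaks matching in either direction is caught here rather than in production.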


@ -0,0 +1,28 @@
# frozen_string_literal: true
require 'rails_helper'
describe Doorkeeper::AccessTokensController, type: :controller do
login_user
let!(:access_token) do
subject.current_user.access_tokens.create(expires_in: 7500)
end
describe 'POST revoke' do
let(:params) do
{
id: access_token.id
}
end
let(:action) do
put :revoke, params: params
end
it 'revokes the access token' do
action
expect(access_token.reload.revoked_at).to_not be_nil
end
end
end
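Review bot: `put :revoke` does not match the route added in this commit, which is `post 'access_tokens/revoke'`; as far as I know controller specs resolve the action without checking the HTTP verb, so the spec passes while a client issuing PUT would hit a routing error. Change the request to `post :revoke, params: params`, or add a request spec that goes through the router. There is also no negative case for the ownership check: passing another user's token id should leave that token's `revoked_at` nil and surface `ActiveRecord::RecordNotFound` from the scoped `find`, which is the only authorization `find_token` performs and therefore deserves a test of its own.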