active_record_api-rest 2.0.1 → 2.0.2
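--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 6aa3055720a100f3890c1e90b171c8a23a0a5dd1ac1b8bf76979719fdda6467f
+data.tar.gz: 9df18916760b462d9e8bf9f9bb109783b8bacdeb997b26a0ad92e47a9c6264ca
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 38dd89d7ce72bc57c673802c007e7a9b2807188e123fd62c6d235f22b35d6f75d50614efead8f349b2829cc840806d9feec3bdf4be7cdb95cc8a863063bb9d15
+data.tar.gz: 3fdc873b9fc81f5672346b1dce20759f510ec8cc63a32c211cf4001ecf33fbc4ed75873a348802936a3bed8ce91d2c74073710319f38674048af1fff0d1bab4b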
@@ -7,6 +7,7 @@ module ActiveRecordApi
|
|
7
7
|
protected
|
8
8
|
|
9
9
|
def authorize
|
10
|
+
return true if authenticated_internally?
|
10
11
|
raise BadSessionException.new(controller_name, action_name) if fullmeasure_session.nil?
|
11
12
|
raise AccessDeniedException.new(controller_name, action_name, 'Insufficient permissions') unless can?
|
12
13
|
end
|
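Review bot: The `return true if authenticated_internally?` inserted at the top of `authorize` skips not only the `fullmeasure_session` nil check but also the `can?` permission check beneath it, so a request carrying the shared token is granted every action of every controller that includes this module with no per-action policy evaluated. If that blanket grant is intended, state it on the line (`# internal service token: bypasses session *and* per-action policy`) and consider logging this path so internal-token use is visible during incident review, e.g. `Rails.logger.info("authorize: internal token accepted for #{controller_name}##{action_name}")`. Any code that runs after `authorize` and dereferences `fullmeasure_session` will presumably see nil on such requests, since the nil guard is now bypassed; worth confirming against the callers. The enclosing module continues outside the hunk.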
@@ -22,13 +23,29 @@ module ActiveRecordApi
|
|
22
23
|
action_name: action_name,
|
23
24
|
params: params,
|
24
25
|
queryable_params: queryable_params,
|
25
|
-
modifiable_params: modifiable_params
|
26
|
+
modifiable_params: modifiable_params
|
26
27
|
)
|
27
28
|
end
|
28
29
|
|
29
30
|
def policy_klass
|
30
31
|
"Policy::#{self.class.name.remove(/Controller$/)}Policy".safe_constantize || "#{self.class.name.remove(/Controller$/)}Policy".safe_constantize || Policy
|
31
32
|
end
|
33
|
+
|
34
|
+
# For internal communication between different APIs, we use a common, rotating
|
35
|
+
# key as authentication token. This allows us to avoid expensive authenticaion
|
36
|
+
# requests and visits to postgres and redis.
|
37
|
+
#
|
38
|
+
# If the incoming request has this token, it's assumed to be originating from
|
39
|
+
# FME APIs and can be marked authenticated.
|
40
|
+
def authenticated_internally?
|
41
|
+
token = request.headers['Authorization']&.split(' ')&.last
|
42
|
+
safe_word = ENV['FME_INTERNAL_API_TOKEN']
|
43
|
+
# Compare the tokens in a time-constant manner, to mitigate
|
44
|
+
# timing attacks.
|
45
|
+
token.present? &&
|
46
|
+
safe_word.present? &&
|
47
|
+
ActiveSupport::SecurityUtils.secure_compare(token, safe_word)
|
48
|
+
end
|
32
49
|
end
|
33
50
|
end
|
34
51
|
end
|
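Review bot: `authenticated_internally?` takes the last whitespace-separated element of the Authorization header without looking at the scheme in front of it, so any scheme (or no scheme at all) followed by the secret is accepted; splitting into two parts and requiring `Bearer` pins the contract the internal callers are expected to follow. The comment promises a time-constant comparison, but `ActiveSupport::SecurityUtils.secure_compare` compares byte lengths before the constant-time loop in the ActiveSupport versions I am aware of (current versions document that the secret's length is observable), so the comment should say the comparison hides the content but not the length, and that `FME_INTERNAL_API_TOKEN` must therefore be a long random value; the gem's ActiveSupport requirement is not visible here. The header comment also misspells `authenticaion`. The enclosing module continues outside the hunk.
```ruby
def authenticated_internally?
  scheme, token = request.headers['Authorization']&.split(' ', 2)
  safe_word = ENV['FME_INTERNAL_API_TOKEN']
  return false unless scheme&.casecmp?('Bearer') && token.present? && safe_word.present?

  # Constant-time on content; the secret's length is still observable, so the
  # configured token must be long and random.
  ActiveSupport::SecurityUtils.secure_compare(token, safe_word)
end
```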
@@ -10,7 +10,7 @@ module ActiveRecordApi
|
|
10
10
|
def index
|
11
11
|
response.headers['x-total'] = models_count
|
12
12
|
response.headers['x-link-next'] = next_url unless next_url.nil?
|
13
|
-
render json: models_full_results.limit(limit).offset(offset).order(:
|
13
|
+
render json: models_full_results.limit(limit).offset(offset).order(id: :asc), each_serializer: serializer
|
14
14
|
end
|
15
15
|
|
16
16
|
def show
|
@@ -90,7 +90,7 @@ module ActiveRecordApi
|
|
90
90
|
model_klass: model_klass,
|
91
91
|
controller_name: controller_name,
|
92
92
|
params: params,
|
93
|
-
action_name: action_name
|
93
|
+
action_name: action_name
|
94
94
|
)
|
95
95
|
end
|
96
96
|
|
@@ -99,7 +99,7 @@ module ActiveRecordApi
|
|
99
99
|
action_name: action_name,
|
100
100
|
request: request,
|
101
101
|
parameters: parameters,
|
102
|
-
total_count: models_count
|
102
|
+
total_count: models_count
|
103
103
|
)
|
104
104
|
end
|
105
105
|
end
|
@@ -2,7 +2,7 @@ module ActiveRecordApi
|
|
2
2
|
module Rest
|
3
3
|
class Parameters
|
4
4
|
include ActiveAttr::Model
|
5
|
-
attr_accessor :model_klass, :params, :controller_name, :action_name
|
5
|
+
attr_accessor :model_klass, :params, :controller_name, :action_name
|
6
6
|
|
7
7
|
def modifiable_params
|
8
8
|
@modifiable ||= params.permit!.to_h.select! { |key, _value| valid_params(modifiable_names).include?(key.to_sym) }
|
@@ -14,7 +14,7 @@ module ActiveRecordApi
|
|
14
14
|
|
15
15
|
def valid_params(base_params)
|
16
16
|
base_valid_params = base_params + ['organization_id'] + [:organization_id] + ['id'] + [:id]
|
17
|
-
|
17
|
+
clean(base_valid_params)
|
18
18
|
end
|
19
19
|
|
20
20
|
def limit
|
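Review bot: `clean(base_valid_params)` is now the return value of `valid_params`, but the caller visible in the earlier `Parameters` hunk invokes `valid_params(modifiable_names)` inside the `select!` block of `modifiable_params`, so the array concatenation and `clean` run once per submitted parameter key; compute it once before the block, `allowed = valid_params(modifiable_names)` and then `.select! { |key, _value| allowed.include?(key.to_sym) }`. `clean` is not shown here, so whether it yields symbols (as the `include?(key.to_sym)` test requires) or leaves the mixed string/symbol entries from the line above cannot be confirmed from this hunk. Separately, `Hash#select!` returns nil when no key is removed, so `@modifiable ||=` would cache nil and `modifiable_params` would return nil for a request whose keys are all valid; the non-bang `select` avoids that. `valid_params` is complete within the hunk; the `Parameters` class continues outside it.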
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: active_record_api-rest
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0.
|
4
|
+
version: 2.0.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Full Measure Education
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-04-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: bundler
|