RubyGems - active_record_api-rest - Versions diffs - 2.0.1 → 2.0.2 - Mend

active_record_api-rest 2.0.1 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

checksums.yaml +4 -4
data/lib/active_record_api/rest/auth/controller.rb +18 -1
data/lib/active_record_api/rest/controller.rb +3 -3
data/lib/active_record_api/rest/parameters.rb +2 -2
data/lib/active_record_api/rest/version.rb +1 -1
metadata +2 -2

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 651a4dbcd6458363f53f7927e065962ab7128a4bb5a10f2992692d930bd524b9
-  data.tar.gz: 9cf183d70bf89d81fd01cddae62cb651dbabc6ffb4ce8486f62cc00452908b84
+  metadata.gz: 6aa3055720a100f3890c1e90b171c8a23a0a5dd1ac1b8bf76979719fdda6467f
+  data.tar.gz: 9df18916760b462d9e8bf9f9bb109783b8bacdeb997b26a0ad92e47a9c6264ca
 SHA512:
-  metadata.gz: 49d775122abd877d98846e40e7bf51fb6f5d19302858bdee3d40d34caf0cb6b07dde5a42abff6278d1106b94981d3129934c460727b0fcf597d0342d7fed6bdc
-  data.tar.gz: 7371ba23cc2adadc3f7b8e3efbf099c6694546a03b68695b0ec11e3707f0bd91634a14629b30b1b8d4ddec25b3f60905db2071abec2e39ccbb6b4ea0a6dcd5a9
+  metadata.gz: 38dd89d7ce72bc57c673802c007e7a9b2807188e123fd62c6d235f22b35d6f75d50614efead8f349b2829cc840806d9feec3bdf4be7cdb95cc8a863063bb9d15
+  data.tar.gz: 3fdc873b9fc81f5672346b1dce20759f510ec8cc63a32c211cf4001ecf33fbc4ed75873a348802936a3bed8ce91d2c74073710319f38674048af1fff0d1bab4b

data/lib/active_record_api/rest/auth/controller.rb CHANGED Viewed

@@ -7,6 +7,7 @@ module ActiveRecordApi
         protected
         def authorize
+          return true if authenticated_internally?
           raise BadSessionException.new(controller_name, action_name) if fullmeasure_session.nil?
           raise AccessDeniedException.new(controller_name, action_name, 'Insufficient permissions') unless can?
         end
@@ -22,13 +23,29 @@ module ActiveRecordApi
             action_name: action_name,
             params: params,
             queryable_params: queryable_params,
-            modifiable_params: modifiable_params,
+            modifiable_params: modifiable_params
           )
         end
         def policy_klass
           "Policy::#{self.class.name.remove(/Controller$/)}Policy".safe_constantize || "#{self.class.name.remove(/Controller$/)}Policy".safe_constantize || Policy
         end
+        # For internal communication between different APIs, we use a common, rotating
+        # key as authentication token. This allows us to avoid expensive authenticaion
+        # requests and visits to postgres and redis.
+        #
+        # If the incoming request has this token, it's assumed to be originating from
+        # FME APIs and can be marked authenticated.
+        def authenticated_internally?
+          token = request.headers['Authorization']&.split(' ')&.last
+          safe_word = ENV['FME_INTERNAL_API_TOKEN']
+          # Compare the tokens in a time-constant manner, to mitigate
+          # timing attacks.
+          token.present? &&
+            safe_word.present? &&
+            ActiveSupport::SecurityUtils.secure_compare(token, safe_word)
+        end
       end
     end
   end

data/lib/active_record_api/rest/controller.rb CHANGED Viewed

@@ -10,7 +10,7 @@ module ActiveRecordApi
       def index
         response.headers['x-total'] = models_count
         response.headers['x-link-next'] = next_url unless next_url.nil?
-        render json: models_full_results.limit(limit).offset(offset).order(:id => :asc), each_serializer: serializer
+        render json: models_full_results.limit(limit).offset(offset).order(id: :asc), each_serializer: serializer
       end
       def show
@@ -90,7 +90,7 @@ module ActiveRecordApi
           model_klass: model_klass,
           controller_name: controller_name,
           params: params,
-          action_name: action_name,
+          action_name: action_name
         )
       end
@@ -99,7 +99,7 @@ module ActiveRecordApi
           action_name: action_name,
           request: request,
           parameters: parameters,
-          total_count: models_count,
+          total_count: models_count
         )
       end
     end

data/lib/active_record_api/rest/parameters.rb CHANGED Viewed

@@ -2,7 +2,7 @@ module ActiveRecordApi
   module Rest
     class Parameters
       include ActiveAttr::Model
-      attr_accessor :model_klass, :params, :controller_name, :action_name, :additional_valid_params
+      attr_accessor :model_klass, :params, :controller_name, :action_name
       def modifiable_params
         @modifiable ||= params.permit!.to_h.select! { |key, _value| valid_params(modifiable_names).include?(key.to_sym) }
@@ -14,7 +14,7 @@ module ActiveRecordApi
       def valid_params(base_params)
         base_valid_params = base_params + ['organization_id'] + [:organization_id] + ['id'] + [:id]
-        return clean(base_valid_params)
+        clean(base_valid_params)
       end
       def limit

data/lib/active_record_api/rest/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module ActiveRecordApi
   module Rest
-    VERSION = '2.0.1'.freeze
+    VERSION = '2.0.2'.freeze
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: active_record_api-rest
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 2.0.2
 platform: ruby
 authors:
 - Full Measure Education
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2020-10-22 00:00:00.000000000 Z
+date: 2022-04-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler