active_record_api-rest 2.0.1 → 2.0.2

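--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 651a4dbcd6458363f53f7927e065962ab7128a4bb5a10f2992692d930bd524b9
-  data.tar.gz: 9cf183d70bf89d81fd01cddae62cb651dbabc6ffb4ce8486f62cc00452908b84
+  metadata.gz: 6aa3055720a100f3890c1e90b171c8a23a0a5dd1ac1b8bf76979719fdda6467f
+  data.tar.gz: 9df18916760b462d9e8bf9f9bb109783b8bacdeb997b26a0ad92e47a9c6264ca
 SHA512:
-  metadata.gz: 49d775122abd877d98846e40e7bf51fb6f5d19302858bdee3d40d34caf0cb6b07dde5a42abff6278d1106b94981d3129934c460727b0fcf597d0342d7fed6bdc
-  data.tar.gz: 7371ba23cc2adadc3f7b8e3efbf099c6694546a03b68695b0ec11e3707f0bd91634a14629b30b1b8d4ddec25b3f60905db2071abec2e39ccbb6b4ea0a6dcd5a9
+  metadata.gz: 38dd89d7ce72bc57c673802c007e7a9b2807188e123fd62c6d235f22b35d6f75d50614efead8f349b2829cc840806d9feec3bdf4be7cdb95cc8a863063bb9d15
+  data.tar.gz: 3fdc873b9fc81f5672346b1dce20759f510ec8cc63a32c211cf4001ecf33fbc4ed75873a348802936a3bed8ce91d2c74073710319f38674048af1fff0d1bab4b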
@@ -7,6 +7,7 @@ module ActiveRecordApi
7
7
  protected
8
8
 
9
9
  def authorize
10
+ return true if authenticated_internally?
10
11
  raise BadSessionException.new(controller_name, action_name) if fullmeasure_session.nil?
11
12
  raise AccessDeniedException.new(controller_name, action_name, 'Insufficient permissions') unless can?
12
13
  end
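Review bot: `return true if authenticated_internally?` short-circuits both the `fullmeasure_session.nil?` check and the `can?` permission check, so a caller presenting the shared `FME_INTERNAL_API_TOKEN` value is authorized for every action of every controller that includes this concern, with no policy evaluation at all. That makes one static secret a universal bypass, and nothing in the hunk distinguishes an internal call from a user call afterwards, which leaves misuse of a leaked token invisible in the logs. I would record the decision so it can be audited, e.g. `logger.info("authorize: internal token accepted for #{controller_name}##{action_name}")` before the return, and confirm that code reached on this path tolerates `fullmeasure_session` being nil, since the guard that normally rejects that case is skipped. The enclosing module starts outside the hunk; `authenticated_internally?` itself is defined in the next hunk.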
@@ -22,13 +23,29 @@ module ActiveRecordApi
22
23
  action_name: action_name,
23
24
  params: params,
24
25
  queryable_params: queryable_params,
25
- modifiable_params: modifiable_params,
26
+ modifiable_params: modifiable_params
26
27
  )
27
28
  end
28
29
 
29
30
  def policy_klass
30
31
  "Policy::#{self.class.name.remove(/Controller$/)}Policy".safe_constantize || "#{self.class.name.remove(/Controller$/)}Policy".safe_constantize || Policy
31
32
  end
33
+
34
+ # For internal communication between different APIs, we use a common, rotating
35
+ # key as authentication token. This allows us to avoid expensive authenticaion
36
+ # requests and visits to postgres and redis.
37
+ #
38
+ # If the incoming request has this token, it's assumed to be originating from
39
+ # FME APIs and can be marked authenticated.
40
+ def authenticated_internally?
41
+ token = request.headers['Authorization']&.split(' ')&.last
42
+ safe_word = ENV['FME_INTERNAL_API_TOKEN']
43
+ # Compare the tokens in a time-constant manner, to mitigate
44
+ # timing attacks.
45
+ token.present? &&
46
+ safe_word.present? &&
47
+ ActiveSupport::SecurityUtils.secure_compare(token, safe_word)
48
+ end
32
49
  end
33
50
  end
34
51
  end
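Review bot: The header comment calls the key "rotating", but `authenticated_internally?` reads a single `ENV['FME_INTERNAL_API_TOKEN']` value and compares against exactly that, so there is no overlap window: while one service already has the new value and another still has the old one, every internal call between them is rejected, which in practice discourages rotating at all. Either accept the current and previous key during rollover or reword the comment to say the key is static per deployment and is rotated by redeploying all APIs together. Two smaller points in the same method: `request.headers['Authorization']&.split(' ')&.last` ignores the scheme, so a `Basic` or `Bearer` credential is also tested against the internal key — harmless given `secure_compare` and the `present?` guards, but worth a one-line comment saying the scheme is deliberately not checked; and "authenticaion" in the header comment is a typo for "authentication".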
@@ -10,7 +10,7 @@ module ActiveRecordApi
10
10
  def index
11
11
  response.headers['x-total'] = models_count
12
12
  response.headers['x-link-next'] = next_url unless next_url.nil?
13
- render json: models_full_results.limit(limit).offset(offset).order(:id => :asc), each_serializer: serializer
13
+ render json: models_full_results.limit(limit).offset(offset).order(id: :asc), each_serializer: serializer
14
14
  end
15
15
 
16
16
  def show
@@ -90,7 +90,7 @@ module ActiveRecordApi
90
90
  model_klass: model_klass,
91
91
  controller_name: controller_name,
92
92
  params: params,
93
- action_name: action_name,
93
+ action_name: action_name
94
94
  )
95
95
  end
96
96
 
@@ -99,7 +99,7 @@ module ActiveRecordApi
99
99
  action_name: action_name,
100
100
  request: request,
101
101
  parameters: parameters,
102
- total_count: models_count,
102
+ total_count: models_count
103
103
  )
104
104
  end
105
105
  end
@@ -2,7 +2,7 @@ module ActiveRecordApi
2
2
  module Rest
3
3
  class Parameters
4
4
  include ActiveAttr::Model
5
- attr_accessor :model_klass, :params, :controller_name, :action_name, :additional_valid_params
5
+ attr_accessor :model_klass, :params, :controller_name, :action_name
6
6
 
7
7
  def modifiable_params
8
8
  @modifiable ||= params.permit!.to_h.select! { |key, _value| valid_params(modifiable_names).include?(key.to_sym) }
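Review bot: Dropping `:additional_valid_params` from `attr_accessor` removes a public attribute of `Parameters` in a patch release (2.0.1 → 2.0.2), so a host application that still passes `additional_valid_params:` into `Parameters.new` will presumably fail on mass assignment now that no setter exists (`ActiveAttr::Model` assigns constructor keys through setters). If the attribute was dead, say so in the commit description; otherwise this is a minor-version change. Unrelated to the removal but visible on the same hunk: `Hash#select!` on the `modifiable_params` line returns `nil` when it removes nothing, so `@modifiable ||= params.permit!.to_h.select! { ... }` yields `nil` (and never memoizes) whenever every param is valid — `.select { ... }` is the safe form. `modifiable_params` continues past the end of the hunk.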
@@ -14,7 +14,7 @@ module ActiveRecordApi
14
14
 
15
15
  def valid_params(base_params)
16
16
  base_valid_params = base_params + ['organization_id'] + [:organization_id] + ['id'] + [:id]
17
- return clean(base_valid_params)
17
+ clean(base_valid_params)
18
18
  end
19
19
 
20
20
  def limit
@@ -2,6 +2,6 @@
2
2
 
3
3
  module ActiveRecordApi
4
4
  module Rest
5
- VERSION = '2.0.1'.freeze
5
+ VERSION = '2.0.2'.freeze
6
6
  end
7
7
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: active_record_api-rest
3
3
  version: !ruby/object:Gem::Version
4
- version: 2.0.1
4
+ version: 2.0.2
5
5
  platform: ruby
6
6
  authors:
7
7
  - Full Measure Education
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2020-10-22 00:00:00.000000000 Z
11
+ date: 2022-04-28 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler