model_driven_api 2.3.10 → 2.3.16

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 190f87343976c6c393f9b2c80163ddc403b2575fd2c8fcceb125ef1996e7532a
-  data.tar.gz: e393facfcd2b11ac2af44df2f5602074e2da1ee48974dbb2fdec6d4f346c837e
+  metadata.gz: 6f42b6fcf4138560f8e183c7f02e10854836f7e04247bbe8bb96cdf3b3299324
+  data.tar.gz: 1ea8b0e0819840b9f443c06d77f5b175c510085ea435aed509968bf87f2cf2ef
 SHA512:
-  metadata.gz: b4f9083c41e709a64d99278f84594d28ac94175983678c01b2b08124facf2ccf3264808034a1c30eac3d2801a763807ffc480bbc4ab17afe929216b3ce096ece
-  data.tar.gz: 25e8013e5421b51b5fdce2d444fabdb5f66bc9e4805df7c2761646b43a0058dabf70ed7e11d2e36494740c0d5966ea300a4351a4f16754837caf0f23826a7b7e
+  metadata.gz: dcb26da2904c349a2749d30ec86011b2712847c0fbfd7577bbc02bcb549e1d2bc05425c5beb609c62784dae0ae3f25a2272a240707ec9647d5e8f3a97c59034a
+  data.tar.gz: e4f5477ef79bfe582465ba72a25b984b248d9a2f0b28bf35ad16e4dca4ad104eaa96bd1487df95b0ad7476593544a0fef8c010418b99d6bffc7f8b2012972baa

data/app/commands/authenticate_user.rb

@@ -6,26 +6,42 @@ class AuthenticateUser
     end
     prepend SimpleCommand
     
-    def initialize(email, password)
-        @email = email
-        @password = password
+    def initialize(*args)
+        if !args.email.blank? && !args.password.blank?
+            @email = args.email
+            @password = args.password
+        elsif !args.access_token.blank?
+            @access_token = args.access_token
+        end
     end
     
     def call
-        JsonWebToken.encode(user_id: api_user.id) if api_user
+        if !api_user.blank? && result = JsonWebToken.encode(user_id: api_user.id)
+            # The token is created and the api_user exists => Invalidating all the previous tokens
+            # Since this is a new login and I don't care from where it comes, new logins always
+            # Invalidate older tokens
+            UsedToken.where(user_id: api_user.id).update(valid: false)
+            return result
+        end
+        nil
     end
     
     private
     
-    attr_accessor :email, :password
+    attr_accessor :email, :password, :access_token
     
     def api_user
-        user = User.find_by_email(email)
+        if !email.blank? && !password.blank?
+            user = User.find_by(email: email)
+            
+            # Verify the password. You can create a blank method for now.
+            raise AccessDenied if user.blank? && user.authenticate(password).blank?
+        elsif !access_token.blank?
+            user = User.find_by(access_token: access_token)
+        end
+
         raise AccessDenied unless user.present?
         
-        # Verify the password. You can create a blank method for now.
-        raise AccessDenied if user.authenticate(password).blank?
-        
         return user
     end
     

data/app/controllers/api/v2/application_controller.rb

@@ -113,7 +113,8 @@ class Api::V2::ApplicationController < ActionController::API
             resource = "custom_action_#{params[:do]}"
             raise NoMethodError unless @model.respond_to?(resource)
             # return true, MultiJson.dump(params[:id].blank? ? @model.send(resource, params) : @model.send(resource, params[:id].to_i, params))
-            return true, MultiJson.dump(@model.send(resource, params))
+            puts json_attrs
+            return true, @model.send(resource, params).to_json(json_attrs)
         end
         # if it's here there is no custom action in the request querystring
         return false
@@ -127,15 +128,12 @@ class Api::V2::ApplicationController < ActionController::API
     end
     
     def authenticate_request
-        # puts request.headers.inspect
         @current_user = nil
-        # puts "Are there wbehooks headers to check for? #{Settings.ns(:security).allowed_authorization_headers}"
         Settings.ns(:security).allowed_authorization_headers.split(",").each do |header|
             # puts "Found header #{header}: #{request.headers[header.underscore.dasherize]}" 
             check_authorization("Authorize#{header}".constantize.call(request.headers, request.raw_post)) if request.headers[header.underscore.dasherize]
         end
         
-        # This is the default one, if the header doesn't have a valid form for one of the other Auth methods, then use this Auth Class
         check_authorization AuthorizeApiRequest.call(request.headers) unless @current_user
         return unauthenticated!(OpenStruct.new({message: @auth_errors})) unless @current_user
         
@@ -160,7 +158,7 @@ class Api::V2::ApplicationController < ActionController::API
         # has precedence over if you have setup the json_attrs in the model concern
         from_params = params[:a].deep_symbolize_keys unless params[:a].blank? 
         from_params = params[:json_attrs].deep_symbolize_keys unless params[:json_attrs].blank?
-        from_params.presence || @model.json_attrs.presence || @json_attrs.presence || {} rescue {}
+        from_params.presence || @json_attrs.presence || @model.json_attrs.presence || {} rescue {}
     end
     
     def extract_model

data/app/controllers/api/v2/authentication_controller.rb

@@ -2,7 +2,7 @@ class Api::V2::AuthenticationController < ActionController::API
     include ::ApiExceptionManagement
 
     def authenticate
-        command = AuthenticateUser.call(params[:auth][:email], params[:auth][:password])
+        command = !params[:atoken].blank? && User.column_names.include?("access_token") ? AuthenticateUser.call(access_token: params[:atoken]) : AuthenticateUser.call(email: params[:auth][:email], password: params[:auth][:password])
         
         if command.success?
             response.headers['Token'] = command.result

data/app/controllers/api/v2/info_controller.rb

@@ -15,6 +15,13 @@ class Api::V2::InfoController < Api::V2::ApplicationController
     render json: ::Role.all.to_json, status: 200
   end
 
+
+  # api :GET, '/api/v2/info/heartbeat'
+  # Just keeps the session alive by returning a new token
+  def heartbeat
+    head :ok
+  end
+
   # GET '/api/v2/info/translations'
   def translations
     render json: I18n.t(".", locale: (params[:locale].presence || :it)).to_json, status: 200

data/app/models/used_token.rb

@@ -0,0 +1,7 @@
+class UsedToken < ApplicationRecord
+  belongs_to :user, inverse_of: :used_tokens
+
+  rails_admin do
+    visible false
+  end
+end

data/db/migrate/20210519145438_create_used_tokens.rb

@@ -0,0 +1,12 @@
+class CreateUsedTokens < ActiveRecord::Migration[6.0]
+  def change
+    create_table :used_tokens do |t|
+      t.string :token
+      t.references :user, null: false, foreign_key: true
+      t.boolean :valid, default: true
+
+      t.timestamps
+    end
+    add_index :used_tokens, :token, unique: true
+  end
+end

data/lib/concerns/model_driven_api_user.rb

@@ -2,7 +2,7 @@ module ModelDrivenApiUser
     extend ActiveSupport::Concern
     
     included do
-
+        has_many :used_tokens, inverse_of: :user, dependent: :destroy
         ## DSL (AKA what to show in the returned JSON)
         # Use @@json_attrs to drive json rendering for 
         # API model responses (index, show and update ones).

data/lib/json_web_token.rb

@@ -1,14 +1,19 @@
 class JsonWebToken
-    class << self
-      def encode(payload, expiry = 15.minutes.from_now.to_i)
-        ::JWT.encode(payload.merge(exp: expiry), ::Rails.application.credentials.dig(:secret_key_base))
-      end
-      
-      def decode(token)
-        body = ::JWT.decode(token, ::Rails.application.credentials.dig(:secret_key_base))[0]
-        ::HashWithIndifferentAccess.new body
-      rescue
-        nil
-      end
+  class << self
+    def encode(payload, expiry = 15.minutes.from_now.to_i)
+      result = ::JWT.encode(payload.merge(exp: expiry), ::Rails.application.credentials.dig(:secret_key_base).presence||ENV["SECRET_KEY_BASE"])
+      # Store the created token into the DB for later checks if is invalid
+      UsedToken.create(token: result, user_id: payload[:user_id])
+      result
     end
-  end
+    
+    def decode(token)
+      # Check if the passed token is present and valid into the UsedToken 
+      raise "Token is invalidated by new login" unless UsedToken.exists?(token: token, valid: true)
+      body = ::JWT.decode(token, ::Rails.application.credentials.dig(:secret_key_base).presence||ENV["SECRET_KEY_BASE"])[0]
+      ::HashWithIndifferentAccess.new body
+    rescue
+      nil
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: model_driven_api
 version: !ruby/object:Gem::Version
-  version: 2.3.10
+  version: 2.3.16
 platform: ruby
 authors:
 - Gabriele Tassoni
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-03-26 00:00:00.000000000 Z
+date: 2021-05-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: thecore_backend_commons
@@ -139,12 +139,14 @@ files:
 - app/controllers/api/v2/authentication_controller.rb
 - app/controllers/api/v2/info_controller.rb
 - app/controllers/api/v2/users_controller.rb
+- app/models/used_token.rb
 - config/initializers/after_initialize_for_model_driven_api.rb
 - config/initializers/cors_api_thecore.rb
 - config/initializers/knock.rb
 - config/initializers/time_with_zone.rb
 - config/initializers/wrap_parameters.rb
 - config/routes.rb
+- db/migrate/20210519145438_create_used_tokens.rb
 - lib/concerns/api_exception_management.rb
 - lib/concerns/model_driven_api_role.rb
 - lib/concerns/model_driven_api_user.rb
@@ -173,7 +175,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
+rubygems_version: 3.0.3.1
 signing_key: 
 specification_version: 4
 summary: Convention based RoR engine which uses DB schema introspection to create