openstax_api 5.4.1 → 5.4.2

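--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1dc5b2c90e25d34d79c536abcff2d88f983664cb
-  data.tar.gz: ed966473c4626c179c7f003d1bae2fa0fb1f2a77
+  metadata.gz: fe4d093b6653d00d111551c80f7da820b55c26b2
+  data.tar.gz: 565ebe49772bf335c96888b845b79a350729d653
 SHA512:
-  metadata.gz: e7e9a454aae1dbd6ea4aa9cb886dcd78dc85ed29ef05efd1c21defae4b735e74317eee3d87044c6c7d7e68f0bb3ffa80b40cdda4376904c11c852d7c06f9b892
-  data.tar.gz: ec778b17bb2069b387c4091167c4c0ff3c33779c34fa7d495193474445e7a83e4fd59dafdc35af86732af358da29e5c2ac33751863a7b847d687652c59a2556b
+  metadata.gz: b63f46064aba41549ba4da1c313105f9a183ee48b77798c3e126912e37309c9e455ceff695f0b467c0a5bce7db3a12030c4261b70520d1099fdd9767c24269df
+  data.tar.gz: 5eaa288ed181f73230f274c71783827fc0a055af6a52c3907091f4778a82f0424e7eda89a1a7618edbf88d39932959f2079b2c4694c4fa1da4c8b7234e771f43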
@@ -8,25 +8,29 @@ module OpenStax
8
8
  include OpenStax::Api::Roar
9
9
  include OpenStax::Api::Apipie
10
10
 
11
- before_action :doorkeeper_authorize!, :unless => :session_user?
12
- skip_before_filter :verify_authenticity_token, :unless => :session_user?
13
-
14
11
  respond_to :json
15
12
 
13
+ # Always force JSON requests and send the Date header in the response
16
14
  before_filter :force_json_content_type
17
15
  after_filter :set_date_header
18
16
 
17
+ # Doorkeeper is used and CSRF protection is disabled only if a token is present
18
+ before_filter :doorkeeper_authorize!, if: :token_user?
19
+ skip_before_filter :verify_authenticity_token, if: :token_user?
20
+
21
+ # CORS is enabled unless the user is logged in via a cookie
22
+ before_filter :set_cors_preflight_headers, unless: :session_user?
23
+ after_filter :set_cors_headers, unless: :session_user?
24
+
19
25
  # Keep old current_user method so we can use it
20
- alias_method :current_session_user,
21
- OpenStax::Api.configuration.current_user_method
26
+ alias_method :current_session_user, OpenStax::Api.configuration.current_user_method
22
27
 
23
28
  # Ensure we will never again confuse human users and api users
24
29
  undef_method OpenStax::Api.configuration.current_user_method
25
30
 
26
31
  # Always return an ApiUser
27
32
  def current_api_user
28
- @current_api_user ||= ApiUser.new(doorkeeper_token,
29
- lambda { current_session_user })
33
+ @current_api_user ||= ApiUser.new(doorkeeper_token, lambda { current_session_user })
30
34
  end
31
35
 
32
36
  def current_application
@@ -40,11 +44,14 @@ module OpenStax
40
44
  protected
41
45
 
42
46
  def session_user?
43
- !!current_session_user && doorkeeper_token.blank?
47
+ !current_session_user.nil? && \
48
+ (!current_session_user.respond_to?(:is_anonymous?) || \
49
+ !current_session_user.is_anonymous?) && \
50
+ doorkeeper_token.nil?
44
51
  end
45
52
 
46
- def set_date_header
47
- response.date = Time.now unless response.date?
53
+ def token_user?
54
+ !doorkeeper_token.nil?
48
55
  end
49
56
 
50
57
  def force_json_content_type
@@ -53,6 +60,24 @@ module OpenStax
53
60
  request.env['action_dispatch.request.content_type'] = 'application/json'
54
61
  end
55
62
 
63
+ def set_date_header
64
+ response.date = Time.now unless response.date?
65
+ end
66
+
67
+ def set_cors_preflight_headers
68
+ if request.method == 'OPTIONS'
69
+ headers['Access-Control-Allow-Origin'] = '*'
70
+ headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'
71
+ headers['Access-Control-Max-Age'] = '1728000'
72
+
73
+ render :text => '', :content_type => 'text/plain'
74
+ end
75
+ end
76
+
77
+ def set_cors_headers
78
+ headers['Access-Control-Allow-Origin'] = '*'
79
+ end
80
+
56
81
  end
57
82
 
58
83
  end
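Review bot: The preflight handler added in set_cors_preflight_headers never emits `Access-Control-Allow-Headers`, so a browser preflight for a request that carries `Authorization: Bearer …` or `Content-Type: application/json` (neither is a CORS-safelisted header) will be refused by the browser, which defeats the token-user cross-origin case the new filters are meant to enable; add `headers['Access-Control-Allow-Headers'] = 'Authorization, Content-Type'` next to the Allow-Methods line, or echo `request.headers['Access-Control-Request-Headers']` back when present. The wildcard origin itself looks acceptable only because both CORS filters are skipped when session_user? is true and no `Access-Control-Allow-Credentials` header is ever sent, so a cookie-authenticated response is never readable cross-origin; that rationale is what keeps this safe and deserves to be stated in the comment at line 21, e.g. `# Wildcard is safe only because session (cookie) users never get these headers and Allow-Credentials is never sent`. Filter order also matters here: doorkeeper_authorize! is declared before set_cors_preflight_headers, and a preflight OPTIONS carries no Authorization header so token_user? is false and the request reaches the preflight handler, but nothing in the hunk records that dependency. The enclosing module body starts before the first hunk and its class-level declarations are only partly visible.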
@@ -1,5 +1,5 @@
1
1
  module OpenStax
2
2
  module Api
3
- VERSION = "5.4.1"
3
+ VERSION = "5.4.2"
4
4
  end
5
5
  end
@@ -106,11 +106,29 @@ module OpenStax
106
106
  get 'dummy'
107
107
  expect(Time.parse(response.headers['Date'])).to be_within(1.second).of(Time.now)
108
108
  end
109
+ end
110
+
111
+ context 'cors' do
112
+ before(:each) do
113
+ instance_variable_set('@controller', dummy_controller)
114
+ end
115
+
116
+ it 'sets the CORS headers for anonymous users' do
117
+ get 'dummy'
118
+ expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
119
+ end
120
+
121
+ it 'sets the CORS headers for token users' do
122
+ token = Doorkeeper::AccessToken.create!.token
123
+ @request.headers['Authorization'] = "Bearer #{token}"
124
+ get 'dummy'
125
+ expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
126
+ end
109
127
 
110
- it 'does not set the Date header for unsuccessful API calls' do
128
+ it 'does not set the CORS headers for session users' do
129
+ @controller.present_user = user
111
130
  get 'dummy'
112
- expect(response.headers['WWW-Authenticate']).to include "error=\"invalid_token\""
113
- expect(response.headers).not_to have_key('Date')
131
+ expect(response.headers['Access-Control-Allow-Origin']).to be_nil
114
132
  end
115
133
  end
116
134
 
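Review bot: The removed example at old lines 110-114 was the only spec exercising a request whose bearer token is not recognized, and the accompanying controller change (doorkeeper_authorize! now runs only `if: :token_user?`, i.e. when doorkeeper_token is non-nil) presumably means such a request no longer receives the 401 `invalid_token` response and is instead handled as an anonymous user; if that fallback is intended it should be pinned by a spec, e.g. `@request.headers['Authorization'] = 'Bearer bogus'` followed by `get 'dummy'` and an assertion on the anonymous outcome, and if it is not intended the filter condition should key off the presence of the Authorization header rather than a resolved token. The new "sets the CORS headers for token users" example only sends a plain GET, so the preflight branch in set_cors_preflight_headers (the one browsers actually depend on) has no coverage; an `OPTIONS` example asserting the `Access-Control-Allow-*` headers and the empty `text/plain` body would close that gap. Whether an expired or revoked token still resolves to a non-nil doorkeeper_token, and therefore still reaches doorkeeper_authorize!, depends on Doorkeeper's lookup and cannot be confirmed from this diff.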
Binary file