openstax_api 6.1.3 → 6.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 57a6247d1ad8974140b45a536e202885b414edd0
-  data.tar.gz: d1a5fc0bf9914fc80a0d918c626c724845bb5bde
+  metadata.gz: 746db2fb6fe3b25aec0676babf6d00b1622a85f7
+  data.tar.gz: c0d44680151a75c935572ea92b3431590dd0732e
 SHA512:
-  metadata.gz: 011756671636f13220eeb97087e34421ea745c768f6b38be18660dd46aef806f366fb8266997d7a54eb6f04685afe65ddeb0e52543119d3651d0fce85eed57dd
-  data.tar.gz: 4dbdcdd75837ba612884f158bb6de95caaead124ae535b61c167969c92e612923a25adc7686e529fd430f18a636311bdf301ec8692ea921526bf6c609d837676
+  metadata.gz: c4e10fd4dd99e9ced00339b7ccb3a33b1f55509e6e284fa1f0d18232e4e72cb0cbd6c714720fe66a29c1d62322f3f7aea0d7bc5151974cf8cd3c0a29c03377fd
+  data.tar.gz: fb12ad71bc8c88482d23418f70ff1fead6a1e7dfb1e57bc5bf6c62c59a48a4815292a1e5f8279bbdc0f2a524c3bebd706e9c5ce030ede71ac853132eb09ea43e

data/app/controllers/openstax/api/v1/api_controller.rb

@@ -27,11 +27,12 @@ module OpenStax
         before_filter :doorkeeper_authorize!, if: :token_user?
 
         # Except for users logged in via a cookie, we can disable CSRF protection and enable CORS
-        skip_before_filter :verify_authenticity_token, unless: :session_user?
+        skip_before_filter :verify_authenticity_token, unless: :local_session_user?
+        skip_before_filter :authenticate_user!, only: :options
         skip_before_filter :verify_authenticity_token, only: :options
-        before_filter :set_cors_preflight_headers, only: :options
-        before_filter :set_cors_headers
-        after_filter :set_cors_headers
+
+        before_filter :maybe_set_cors_headers
+        after_filter  :maybe_set_cors_headers
 
         # Keep old current_user method so we can use it
         alias_method :current_session_user, OpenStax::Api.configuration.current_user_method
@@ -58,6 +59,11 @@ module OpenStax
 
         protected
 
+        # A session user who is not using CORS
+        def local_session_user?
+          session_user? && !request.headers.include?("HTTP_ORIGIN")
+        end
+
         def session_user?
           !current_session_user.nil? && \
           (!current_session_user.respond_to?(:is_anonymous?) || \
@@ -75,21 +81,21 @@ module OpenStax
           request.env['action_dispatch.request.content_type'] = 'application/json'
         end
 
+        # Rails 3.x lacks response.date.  Remove `respond_to?` check after update
         def set_date_header
-          response.date = Time.now unless response.date?
+          response.date = Time.now if response.respond_to?(:date) and not response.date?
         end
 
-        def set_cors_preflight_headers
+        def maybe_set_cors_headers
+          # only set headers if browser indicates it's using CORS by setting the ORIGIN
+          return unless request.headers["HTTP_ORIGIN"]
           headers['Access-Control-Allow-Origin'] = validated_cors_origin
+          headers['Access-Control-Allow-Credentials'] = 'true'
           headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'
           headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Token, Authorization, Content-Type'
           headers['Access-Control-Max-Age'] = '86400'
         end
 
-        def set_cors_headers
-          headers['Access-Control-Allow-Origin'] = validated_cors_origin
-        end
-
         def validated_cors_origin
           if OpenStax::Api.configuration.validate_cors_origin &&
              OpenStax::Api.configuration.validate_cors_origin[ request ]

data/app/models/openstax/api/api_user.rb

@@ -35,7 +35,7 @@ module OpenStax
         # If not, we're in case #1 above and the User should be
         # retrieved from the non_doorkeeper_user_proc.
         @user ||= @doorkeeper_token ? \
-                    USER_CLASS.find_by(id: @doorkeeper_token.try(:resource_owner_id)) : \
+                    USER_CLASS.where(id: @doorkeeper_token.try(:resource_owner_id)).first : \
                     @non_doorkeeper_user_proc.call
       end
 

data/lib/openstax/api/version.rb

@@ -1,5 +1,5 @@
 module OpenStax
   module Api
-    VERSION = "6.1.3"
+    VERSION = "6.1.4"
   end
 end

data/spec/controllers/openstax/api/v1/api_controller_spec.rb

@@ -115,7 +115,7 @@ module OpenStax
 
           it 'sets the CORS headers for anonymous users' do
             get 'dummy'
-            expect(response.headers['Access-Control-Allow-Origin']).to eq ''
+            expect(response.headers['Access-Control-Allow-Origin']).to be_nil
             expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
           end
 
@@ -123,14 +123,14 @@ module OpenStax
             token = Doorkeeper::AccessToken.create!.token
             @request.headers['Authorization'] = "Bearer #{token}"
             get 'dummy'
-            expect(response.headers['Access-Control-Allow-Origin']).to eq ''
+            expect(response.headers['Access-Control-Allow-Origin']).to be_nil
             expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
           end
 
           it 'sets the CORS headers for session users (the browser should block the request due to no Access-Control-Allow-Credentials header)' do
             @controller.present_user = user
             get 'dummy'
-            expect(response.headers['Access-Control-Allow-Origin']).to eq ''
+            expect(response.headers['Access-Control-Allow-Origin']).to be_nil
             expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
           end
         end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: openstax_api
 version: !ruby/object:Gem::Version
-  version: 6.1.3
+  version: 6.1.4
 platform: ruby
 authors:
 - Dante Soares
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-12-16 00:00:00.000000000 Z
+date: 2016-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails