openstax_api 6.1.3 → 6.1.4

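--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 57a6247d1ad8974140b45a536e202885b414edd0
-data.tar.gz: d1a5fc0bf9914fc80a0d918c626c724845bb5bde
+metadata.gz: 746db2fb6fe3b25aec0676babf6d00b1622a85f7
+data.tar.gz: c0d44680151a75c935572ea92b3431590dd0732e
 SHA512:
-metadata.gz: 011756671636f13220eeb97087e34421ea745c768f6b38be18660dd46aef806f366fb8266997d7a54eb6f04685afe65ddeb0e52543119d3651d0fce85eed57dd
-data.tar.gz: 4dbdcdd75837ba612884f158bb6de95caaead124ae535b61c167969c92e612923a25adc7686e529fd430f18a636311bdf301ec8692ea921526bf6c609d837676
+metadata.gz: c4e10fd4dd99e9ced00339b7ccb3a33b1f55509e6e284fa1f0d18232e4e72cb0cbd6c714720fe66a29c1d62322f3f7aea0d7bc5151974cf8cd3c0a29c03377fd
+data.tar.gz: fb12ad71bc8c88482d23418f70ff1fead6a1e7dfb1e57bc5bf6c62c59a48a4815292a1e5f8279bbdc0f2a524c3bebd706e9c5ce030ede71ac853132eb09ea43e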
@@ -27,11 +27,12 @@ module OpenStax
27
27
  before_filter :doorkeeper_authorize!, if: :token_user?
28
28
 
29
29
  # Except for users logged in via a cookie, we can disable CSRF protection and enable CORS
30
- skip_before_filter :verify_authenticity_token, unless: :session_user?
30
+ skip_before_filter :verify_authenticity_token, unless: :local_session_user?
31
+ skip_before_filter :authenticate_user!, only: :options
31
32
  skip_before_filter :verify_authenticity_token, only: :options
32
- before_filter :set_cors_preflight_headers, only: :options
33
- before_filter :set_cors_headers
34
- after_filter :set_cors_headers
33
+
34
+ before_filter :maybe_set_cors_headers
35
+ after_filter :maybe_set_cors_headers
35
36
 
36
37
  # Keep old current_user method so we can use it
37
38
  alias_method :current_session_user, OpenStax::Api.configuration.current_user_method
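Review bot: `skip_before_filter :verify_authenticity_token, unless: :local_session_user?` drops CSRF protection for every session user whose request carries an Origin header, and the predicate it relies on (defined in the next hunk at `def local_session_user?`) only tests for the header's presence, not whether the origin passed `validated_cors_origin`. Browsers attach Origin to cross-site form POSTs, and CORS does not stop such a request from reaching the controller with the session cookie, so the authenticity token was the control that mattered on that path. Narrow the skip to origins that validation accepts, e.g. in `local_session_user?`: `session_user? && (!request.headers.include?("HTTP_ORIGIN") || validated_cors_origin.blank?)` — this assumes `validated_cors_origin` returns nil or an empty string for a rejected origin, which is cut off in this view and should be confirmed. The enclosing class body starts and ends outside the hunk.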
@@ -58,6 +59,11 @@ module OpenStax
58
59
 
59
60
  protected
60
61
 
62
+ # A session user who is not using CORS
63
+ def local_session_user?
64
+ session_user? && !request.headers.include?("HTTP_ORIGIN")
65
+ end
66
+
61
67
  def session_user?
62
68
  !current_session_user.nil? && \
63
69
  (!current_session_user.respond_to?(:is_anonymous?) || \
@@ -75,21 +81,21 @@ module OpenStax
75
81
  request.env['action_dispatch.request.content_type'] = 'application/json'
76
82
  end
77
83
 
84
+ # Rails 3.x lacks response.date. Remove `respond_to?` check after update
78
85
  def set_date_header
79
- response.date = Time.now unless response.date?
86
+ response.date = Time.now if response.respond_to?(:date) and not response.date?
80
87
  end
81
88
 
82
- def set_cors_preflight_headers
89
+ def maybe_set_cors_headers
90
+ # only set headers if browser indicates it's using CORS by setting the ORIGIN
91
+ return unless request.headers["HTTP_ORIGIN"]
83
92
  headers['Access-Control-Allow-Origin'] = validated_cors_origin
93
+ headers['Access-Control-Allow-Credentials'] = 'true'
84
94
  headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'
85
95
  headers['Access-Control-Allow-Headers'] = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Token, Authorization, Content-Type'
86
96
  headers['Access-Control-Max-Age'] = '86400'
87
97
  end
88
98
 
89
- def set_cors_headers
90
- headers['Access-Control-Allow-Origin'] = validated_cors_origin
91
- end
92
-
93
99
  def validated_cors_origin
94
100
  if OpenStax::Api.configuration.validate_cors_origin &&
95
101
  OpenStax::Api.configuration.validate_cors_origin[ request ]
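Review bot: `maybe_set_cors_headers` echoes a per-request value into `Access-Control-Allow-Origin` but sets no `Vary: Origin`, so a shared cache in front of the API may hand one origin's allow header to a different origin; add `headers['Vary'] = 'Origin'` beside the Allow-Origin line. The guard added to `set_date_header` uses `and not`, which the style guide reserves for control flow; `response.date = Time.now if response.respond_to?(:date) && !response.date?` reads the same and avoids the precedence trap. The enclosing class starts and ends outside the hunk, and `validated_cors_origin` continues past its last line.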
@@ -35,7 +35,7 @@ module OpenStax
35
35
  # If not, we're in case #1 above and the User should be
36
36
  # retrieved from the non_doorkeeper_user_proc.
37
37
  @user ||= @doorkeeper_token ? \
38
- USER_CLASS.find_by(id: @doorkeeper_token.try(:resource_owner_id)) : \
38
+ USER_CLASS.where(id: @doorkeeper_token.try(:resource_owner_id)).first : \
39
39
  @non_doorkeeper_user_proc.call
40
40
  end
41
41
 
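Review bot: The switch from `find_by(id: …)` to `where(id: …).first` carries no comment saying why, while the parallel Rails 3.x workaround in `set_date_header` in this same change does; add `# Rails 3.x lacks find_by(hash). Switch back to find_by after update` above the `@user ||=` line so the next maintainer knows the form is a compatibility choice, not a behaviour change. Presumably both forms return nil when the token has no resource owner, which is what the `||=` memoization sees. The enclosing method begins outside the hunk.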
@@ -1,5 +1,5 @@
1
1
  module OpenStax
2
2
  module Api
3
- VERSION = "6.1.3"
3
+ VERSION = "6.1.4"
4
4
  end
5
5
  end
@@ -115,7 +115,7 @@ module OpenStax
115
115
 
116
116
  it 'sets the CORS headers for anonymous users' do
117
117
  get 'dummy'
118
- expect(response.headers['Access-Control-Allow-Origin']).to eq ''
118
+ expect(response.headers['Access-Control-Allow-Origin']).to be_nil
119
119
  expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
120
120
  end
121
121
 
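Review bot: The example `it 'sets the CORS headers for anonymous users'` now asserts that `Access-Control-Allow-Origin` is nil, so its description states the opposite of what it checks; the same applies to the two examples in the next hunk whose expectations change from `eq ''` to `be_nil`. These requests send no Origin header, which is the early-return path in `maybe_set_cors_headers`, so rename them along the lines of `it 'does not set the CORS headers for anonymous users when no Origin is sent'`. From this view I cannot see an example that sends an allowed Origin and expects `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials` of `'true'`, nor one with a rejected origin; if none exists, that is the coverage this change most needs. The enclosing describe block starts outside the hunk.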
@@ -123,14 +123,14 @@ module OpenStax
123
123
  token = Doorkeeper::AccessToken.create!.token
124
124
  @request.headers['Authorization'] = "Bearer #{token}"
125
125
  get 'dummy'
126
- expect(response.headers['Access-Control-Allow-Origin']).to eq ''
126
+ expect(response.headers['Access-Control-Allow-Origin']).to be_nil
127
127
  expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
128
128
  end
129
129
 
130
130
  it 'sets the CORS headers for session users (the browser should block the request due to no Access-Control-Allow-Credentials header)' do
131
131
  @controller.present_user = user
132
132
  get 'dummy'
133
- expect(response.headers['Access-Control-Allow-Origin']).to eq ''
133
+ expect(response.headers['Access-Control-Allow-Origin']).to be_nil
134
134
  expect(response.headers['Access-Control-Allow-Credentials']).to be_nil
135
135
  end
136
136
  end
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: openstax_api
3
3
  version: !ruby/object:Gem::Version
4
- version: 6.1.3
4
+ version: 6.1.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Dante Soares
@@ -9,7 +9,7 @@ authors:
9
9
  autorequire:
10
10
  bindir: bin
11
11
  cert_chain: []
12
- date: 2015-12-16 00:00:00.000000000 Z
12
+ date: 2016-05-05 00:00:00.000000000 Z
13
13
  dependencies:
14
14
  - !ruby/object:Gem::Dependency
15
15
  name: rails