openstax_api 5.4.1 → 5.4.2

Sign up to get free protection for your applications and to get access to all the features.
Files changed (7) hide show
  1. checksums.yaml +4 -4
  2. data/app/controllers/openstax/api/v1/api_controller.rb +35 -10
  3. data/lib/openstax/api/version.rb +1 -1
  4. data/spec/controllers/openstax/api/v1/api_controller_spec.rb +21 -3
  5. data/spec/dummy/db/test.sqlite3 +0 -0
  6. data/spec/dummy/log/test.log +4472 -0
  7. metadata +2 -2
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 1dc5b2c90e25d34d79c536abcff2d88f983664cb
4
- data.tar.gz: ed966473c4626c179c7f003d1bae2fa0fb1f2a77
3
+ metadata.gz: fe4d093b6653d00d111551c80f7da820b55c26b2
4
+ data.tar.gz: 565ebe49772bf335c96888b845b79a350729d653
5
5
  SHA512:
6
- metadata.gz: e7e9a454aae1dbd6ea4aa9cb886dcd78dc85ed29ef05efd1c21defae4b735e74317eee3d87044c6c7d7e68f0bb3ffa80b40cdda4376904c11c852d7c06f9b892
7
- data.tar.gz: ec778b17bb2069b387c4091167c4c0ff3c33779c34fa7d495193474445e7a83e4fd59dafdc35af86732af358da29e5c2ac33751863a7b847d687652c59a2556b
6
+ metadata.gz: b63f46064aba41549ba4da1c313105f9a183ee48b77798c3e126912e37309c9e455ceff695f0b467c0a5bce7db3a12030c4261b70520d1099fdd9767c24269df
7
+ data.tar.gz: 5eaa288ed181f73230f274c71783827fc0a055af6a52c3907091f4778a82f0424e7eda89a1a7618edbf88d39932959f2079b2c4694c4fa1da4c8b7234e771f43
data/app/controllers/openstax/api/v1/api_controller.rb CHANGED
@@ -8,25 +8,29 @@ module OpenStax
8
8
  include OpenStax::Api::Roar
9
9
  include OpenStax::Api::Apipie
10
10
 
11
- before_action :doorkeeper_authorize!, :unless => :session_user?
12
- skip_before_filter :verify_authenticity_token, :unless => :session_user?
13
-
14
11
  respond_to :json
15
12
 
13
+ # Always force JSON requests and send the Date header in the response
16
14
  before_filter :force_json_content_type
17
15
  after_filter :set_date_header
18
16
 
17
+ # Doorkeeper is used and CSRF protection is disabled only if a token is present
18
+ before_filter :doorkeeper_authorize!, if: :token_user?
19
+ skip_before_filter :verify_authenticity_token, if: :token_user?
20
+
21
+ # CORS is enabled unless the user is logged in via a cookie
22
+ before_filter :set_cors_preflight_headers, unless: :session_user?
23
+ after_filter :set_cors_headers, unless: :session_user?
24
+
19
25
  # Keep old current_user method so we can use it
20
- alias_method :current_session_user,
21
- OpenStax::Api.configuration.current_user_method
26
+ alias_method :current_session_user, OpenStax::Api.configuration.current_user_method
22
27
 
23
28
  # Ensure we will never again confuse human users and api users
24
29
  undef_method OpenStax::Api.configuration.current_user_method
25
30
 
26
31
  # Always return an ApiUser
27
32
  def current_api_user
28
- @current_api_user ||= ApiUser.new(doorkeeper_token,
29
- lambda { current_session_user })
33
+ @current_api_user ||= ApiUser.new(doorkeeper_token, lambda { current_session_user })
30
34
  end
31
35
 
32
36
  def current_application
@@ -40,11 +44,14 @@ module OpenStax
40
44
  protected
41
45
 
42
46
  def session_user?
43
- !!current_session_user && doorkeeper_token.blank?
47
+ !current_session_user.nil? && \
48
+ (!current_session_user.respond_to?(:is_anonymous?) || \
49
+ !current_session_user.is_anonymous?) && \
50
+ doorkeeper_token.nil?
44
51
  end
45
52
 
46
- def set_date_header
47
- response.date = Time.now unless response.date?
53
+ def token_user?
54
+ !doorkeeper_token.nil?
48
55
  end
49
56
 
50
57
  def force_json_content_type
@@ -53,6 +60,24 @@ module OpenStax
53
60
  request.env['action_dispatch.request.content_type'] = 'application/json'
54
61
  end
55
62
 
63
+ def set_date_header
64
+ response.date = Time.now unless response.date?
65
+ end
66
+
67
+ def set_cors_preflight_headers
68
+ if request.method == 'OPTIONS'
69
+ headers['Access-Control-Allow-Origin'] = '*'
70
+ headers['Access-Control-Allow-Methods'] = 'GET, HEAD, POST, PUT, PATCH, DELETE, OPTIONS'
71
+ headers['Access-Control-Max-Age'] = '1728000'
72
+
73
+ render :text => '', :content_type => 'text/plain'
74
+ end
75
+ end
76
+
77
+ def set_cors_headers
78
+ headers['Access-Control-Allow-Origin'] = '*'
79
+ end
80
+
56
81
  end
57
82
 
58
83
  end
data/lib/openstax/api/version.rb CHANGED
@@ -1,5 +1,5 @@
1
1
  module OpenStax
2
2
  module Api
3
- VERSION = "5.4.1"
3
+ VERSION = "5.4.2"
4
4
  end
5
5
  end
data/spec/controllers/openstax/api/v1/api_controller_spec.rb CHANGED
@@ -106,11 +106,29 @@ module OpenStax
106
106
  get 'dummy'
107
107
  expect(Time.parse(response.headers['Date'])).to be_within(1.second).of(Time.now)
108
108
  end
109
+ end
110
+
111
+ context 'cors' do
112
+ before(:each) do
113
+ instance_variable_set('@controller', dummy_controller)
114
+ end
115
+
116
+ it 'sets the CORS headers for anonymous users' do
117
+ get 'dummy'
118
+ expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
119
+ end
120
+
121
+ it 'sets the CORS headers for token users' do
122
+ token = Doorkeeper::AccessToken.create!.token
123
+ @request.headers['Authorization'] = "Bearer #{token}"
124
+ get 'dummy'
125
+ expect(response.headers['Access-Control-Allow-Origin']).to eq '*'
126
+ end
109
127
 
110
- it 'does not set the Date header for unsuccessful API calls' do
128
+ it 'does not set the CORS headers for session users' do
129
+ @controller.present_user = user
111
130
  get 'dummy'
112
- expect(response.headers['WWW-Authenticate']).to include "error=\"invalid_token\""
113
- expect(response.headers).not_to have_key('Date')
131
+ expect(response.headers['Access-Control-Allow-Origin']).to be_nil
114
132
  end
115
133
  end
116
134
 
data/spec/dummy/db/test.sqlite3 CHANGED
Binary file