Merge pull request #2776 from basecamp/bearer-token-json-only
Restrict bearer token authentication to JSON requests
This commit is contained in:
@@ -57,10 +57,14 @@ module Authentication
|
|||||||
|
|
||||||
def authenticate_by_bearer_token
|
def authenticate_by_bearer_token
|
||||||
if request.authorization.to_s.include?("Bearer")
|
if request.authorization.to_s.include?("Bearer")
|
||||||
authenticate_or_request_with_http_token do |token|
|
if request.format.json?
|
||||||
if identity = Identity.find_by_permissable_access_token(token, method: request.method)
|
authenticate_or_request_with_http_token do |token|
|
||||||
Current.identity = identity
|
if identity = Identity.find_by_permissable_access_token(token, method: request.method)
|
||||||
|
Current.identity = identity
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
else
|
||||||
|
request_http_token_authentication
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|||||||
@@ -145,6 +145,26 @@ class UsersControllerTest < ActionDispatch::IntegrationTest
|
|||||||
assert_response :no_content
|
assert_response :no_content
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "bearer token does not authenticate HTML requests" do
|
||||||
|
sign_in_as :jason
|
||||||
|
sign_out
|
||||||
|
|
||||||
|
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
|
||||||
|
get user_path(users(:jason)), env: bearer
|
||||||
|
|
||||||
|
assert_response :unauthorized
|
||||||
|
end
|
||||||
|
|
||||||
|
test "bearer token authenticates JSON requests" do
|
||||||
|
sign_in_as :jason
|
||||||
|
sign_out
|
||||||
|
|
||||||
|
bearer = { "HTTP_AUTHORIZATION" => "Bearer #{identity_access_tokens(:jasons_api_token).token}" }
|
||||||
|
get user_path(users(:jason)), env: bearer, as: :json
|
||||||
|
|
||||||
|
assert_response :success
|
||||||
|
end
|
||||||
|
|
||||||
test "index avoids N+1 queries on identity" do
|
test "index avoids N+1 queries on identity" do
|
||||||
sign_in_as :kevin
|
sign_in_as :kevin
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user