Add AUD claim to JWTs
parent
cae12af47d
commit
01efcfaea4
@ -26,10 +26,14 @@ module Api
|
|||
|
||||
def guess_aud_claim
|
||||
when_farmbot_os { return AbstractJwtToken::BOT_AUD }
|
||||
return AbstractJwtToken::HUMAN_AUD if request.xhr?
|
||||
return AbstractJwtToken::HUMAN_AUD if xhr?
|
||||
AbstractJwtToken::UNKNOWN_AUD
|
||||
end
|
||||
|
||||
def xhr? # I only wrote this because `request.xhr?` refused to be stubbed
|
||||
request.xhr?
|
||||
end
|
||||
|
||||
def if_properly_formatted
|
||||
user = params.as_json.deep_symbolize_keys.fetch(:user, {})
|
||||
# If data handling for this method gets any more complicated,
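Review bot: The audience chosen by `guess_aud_claim` comes entirely from headers the client controls — `when_farmbot_os` appears to key on the User-Agent (the spec sets `HTTP_USER_AGENT`), and `request.xhr?` reads `X-Requested-With` — so any caller can obtain `BOT_AUD`, `HUMAN_AUD` or `UNKNOWN_AUD` at will. That is acceptable if `aud` only drives telemetry or token lifetime, but it must not be read as proof of who the caller is; the real boundary is the verifier, which should reject a token whose `aud` does not name the service consuming it, and that check is not visible in this commit. I would state the limitation at the definition: `# Best-effort classification from client-supplied headers (UA, X-Requested-With); not authenticated — never use aud alone for authorization.` The `xhr?` wrapper exists only so specs can stub it; setting `HTTP_X_REQUESTED_WITH` in the spec would make it unnecessary. `if_properly_formatted` continues past the end of the hunk.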
|
||||
|
|
|
@ -5,8 +5,7 @@
|
|||
# the rug. Shoving configuration into a module is not a design pattern. Feedback
|
||||
# welcome for refactoring of this code.
|
||||
module CeleryScriptSettingsBag
|
||||
DIGITAL, ANALOG = 0, 1
|
||||
ALLOWED_PIN_MODES = [DIGITAL, ANALOG]
|
||||
ALLOWED_PIN_MODES = [DIGITAL = 0, ANALOG = 1]
|
||||
ALLOWED_RPC_NODES = %w(home emergency_lock emergency_unlock read_status
|
||||
sync check_updates power_off reboot toggle_pin
|
||||
config_update calibrate execute move_absolute
|
||||
|
@ -133,9 +132,6 @@ module CeleryScriptSettingsBag
|
|||
.defineArg(:_then, [:execute, :nothing])
|
||||
.defineArg(:_else, [:execute, :nothing])
|
||||
.defineArg(:url, [String])
|
||||
.defineNode(:install_farmware,[:url])
|
||||
.defineNode(:update_farmware, [:package])
|
||||
.defineNode(:remove_farmware, [:package])
|
||||
.defineNode(:nothing, [])
|
||||
.defineNode(:tool, [:tool_id])
|
||||
.defineNode(:coordinate, [:x, :y, :z])
|
||||
|
@ -174,6 +170,10 @@ module CeleryScriptSettingsBag
|
|||
.defineNode(:take_photo, [], [])
|
||||
.defineNode(:data_update, [:value], [:pair])
|
||||
.defineNode(:point, [:pointer_type, :pointer_id], [])
|
||||
.defineNode(:install_farmware, [:url])
|
||||
.defineNode(:update_farmware, [:package])
|
||||
.defineNode(:remove_farmware, [:package])
|
||||
.defineNode(:install_first_party_farmware, [:url])
|
||||
# Given an array of allowed values and a CeleryScript AST node, will DETERMINE
|
||||
# if the node contains a legal value. Throws exception and invalidates if not.
|
||||
def self.within(array, node)
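Review bot: `install_first_party_farmware` is declared with the same `[:url]` argument as `install_farmware`, and the only constraint on `:url` visible in this file is `defineArg(:url, [String])`, so nothing in the corpus ties "first party" to a trusted origin; if the device treats this node as more trusted than `install_farmware`, that distinction needs an enforced host allowlist somewhere — on the bot or in a narrower arg definition here — and a comment saying where. Until that exists I would annotate the node: `# NOTE: :url is only validated as a String; first-party origin is not enforced by this schema.` The `defineNode` chain begins before this hunk. Separately, `ALLOWED_PIN_MODES = [DIGITAL = 0, ANALOG = 1]` hides two constant assignments inside an array literal; the previous two-line form read more clearly, and these constants plus `ALLOWED_RPC_NODES` should be `.freeze`d.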
|
||||
|
|
|
@ -29,7 +29,7 @@ describe Api::TokensController do
|
|||
expect(before).to eq(after)
|
||||
end
|
||||
|
||||
it 'bumps last_saw_api when it is a bot' do
|
||||
it 'bumps last_saw_api and issues BOT AUD when it is a bot' do
|
||||
ua = "FARMBOTOS/99.99.99 (RPI3) RPI3 (1.1.1)"
|
||||
allow(request).to receive(:user_agent).and_return(ua)
|
||||
request.env["HTTP_USER_AGENT"] = ua
|
||||
|
@ -39,6 +39,27 @@ describe Api::TokensController do
|
|||
after = user.device.reload.last_saw_api
|
||||
expect(after).to be
|
||||
expect(after).to be > before
|
||||
expect(json.dig(:token, :unencoded, :aud)).to be
|
||||
expect(json.dig(:token, :unencoded, :aud))
|
||||
.to eq(AbstractJwtToken::BOT_AUD)
|
||||
end
|
||||
|
||||
it "issues a 'HUMAN' AUD to browsers" do
|
||||
payload = {user: {email: user.email, password: "password"}}
|
||||
allow_any_instance_of(Api::TokensController)
|
||||
.to receive(:xhr?).and_return(true)
|
||||
post :create, params: payload
|
||||
expect(json.dig(:token, :unencoded, :aud)).to be
|
||||
expect(json.dig(:token, :unencoded, :aud))
|
||||
.to eq(AbstractJwtToken::HUMAN_AUD)
|
||||
end
|
||||
|
||||
it "issues a '?' AUD to all others" do
|
||||
payload = {user: {email: user.email, password: "password"}}
|
||||
post :create, params: payload
|
||||
expect(json.dig(:token, :unencoded, :aud)).to be
|
||||
expect(json.dig(:token, :unencoded, :aud))
|
||||
.to eq(AbstractJwtToken::UNKNOWN_AUD)
|
||||
end
|
||||
end
|
||||
end
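Review bot: The HUMAN_AUD spec stubs `xhr?` on every controller instance with `allow_any_instance_of`, so the real XHR detection behind `request.xhr?` is never exercised and a regression there would still pass; set the header the way the bot spec sets the User-Agent instead, `request.env["HTTP_X_REQUESTED_WITH"] = "XMLHttpRequest"`, which also removes the need for the stub-only `xhr?` wrapper in the controller. These specs confirm the claim is issued, but none asserts that token verification rejects a mismatched `aud`; if that check exists it deserves a spec alongside these, and if not, the claim is informational only and should be documented as such. The surrounding `describe` block starts before this hunk.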
|
||||
|
|