From 01efcfaea43c879a068cd22c5bf1c36483754c76 Mon Sep 17 00:00:00 2001
From: Rick Carlino
Date: Wed, 4 Oct 2017 15:03:55 -0500
Subject: [PATCH] Add AUD claim to JWTs

---
 app/controllers/api/tokens_controller.rb | 6 ++++-
 app/models/celery_script_settings_bag.rb | 10 ++++---
 .../tokens/tokens_controller_create_spec.rb | 23 ++++++++++++++++++-
 3 files changed, 32 insertions(+), 7 deletions(-)

diff --git a/app/controllers/api/tokens_controller.rb b/app/controllers/api/tokens_controller.rb
index 44d9ba445..ac13399e5 100644
--- a/app/controllers/api/tokens_controller.rb
+++ b/app/controllers/api/tokens_controller.rb
@@ -26,10 +26,14 @@ module Api
 
     def guess_aud_claim
       when_farmbot_os { return AbstractJwtToken::BOT_AUD }
-      return AbstractJwtToken::HUMAN_AUD if request.xhr?
+      return AbstractJwtToken::HUMAN_AUD if xhr?
       AbstractJwtToken::UNKNOWN_AUD
     end
 
+    def xhr? # I only wrote this because `request.xhr?` refused to be stubbed
+      request.xhr?
+    end
+
     def if_properly_formatted
       user = params.as_json.deep_symbolize_keys.fetch(:user, {})
       # If data handling for this method gets any more complicated,
diff --git a/app/models/celery_script_settings_bag.rb b/app/models/celery_script_settings_bag.rb
index 45071dc0b..9e27a2819 100644
--- a/app/models/celery_script_settings_bag.rb
+++ b/app/models/celery_script_settings_bag.rb
@@ -5,8 +5,7 @@
 # the rug. Shoving configuration into a module is not a design pattern. Feedback
 # welcome for refactoring of this code.
 module CeleryScriptSettingsBag
-  DIGITAL, ANALOG = 0, 1
-  ALLOWED_PIN_MODES = [DIGITAL, ANALOG]
+  ALLOWED_PIN_MODES = [DIGITAL = 0, ANALOG = 1]
   ALLOWED_RPC_NODES = %w(home emergency_lock emergency_unlock read_status sync check_updates power_off reboot toggle_pin config_update calibrate execute move_absolute
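Review bot: `xhr?` is added as a public instance method on the controller; Rails treats public controller instance methods as action methods, so unless this section already sits below a `private` marker (not visible in the hunk) it should be declared `private` or moved under the existing one. The inline comment records history rather than intent — I'd replace it with `# Thin wrapper around request.xhr? so specs can stub XHR detection.`. `guess_aud_claim` also deserves a comment that both signals it consults (`when_farmbot_os`, which the spec drives through the User-Agent header, and `request.xhr?`, which reads the X-Requested-With header) are client-supplied, so the resulting `aud` only records the client's self-declared type and must not be used downstream as an authorization decision. The enclosing class and any `private` marker are outside the hunk.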
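Review bot: `ALLOWED_PIN_MODES = [DIGITAL = 0, ANALOG = 1]` defines two module constants as a side effect inside an array literal, which is easy to misread and hides the constants from a skim of the module; the three-line form `DIGITAL = 0`, `ANALOG = 1`, `ALLOWED_PIN_MODES = [DIGITAL, ANALOG].freeze` reads as intended and additionally freezes the allow-list so it cannot be mutated at runtime. The `ALLOWED_RPC_NODES` list that follows is likewise unfrozen, but it is context here rather than part of the change.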
@@ -133,9 +132,6 @@ module CeleryScriptSettingsBag
     .defineArg(:_then, [:execute, :nothing])
     .defineArg(:_else, [:execute, :nothing])
     .defineArg(:url, [String])
-    .defineNode(:install_farmware,[:url])
-    .defineNode(:update_farmware, [:package])
-    .defineNode(:remove_farmware, [:package])
     .defineNode(:nothing, [])
     .defineNode(:tool, [:tool_id])
     .defineNode(:coordinate, [:x, :y, :z])
@@ -174,6 +170,10 @@ module CeleryScriptSettingsBag
     .defineNode(:take_photo, [], [])
     .defineNode(:data_update, [:value], [:pair])
     .defineNode(:point, [:pointer_type, :pointer_id], [])
+    .defineNode(:install_farmware, [:url])
+    .defineNode(:update_farmware, [:package])
+    .defineNode(:remove_farmware, [:package])
+    .defineNode(:install_first_party_farmware, [:url])
   # Given an array of allowed values and a CeleryScript AST node, will DETERMINE
   # if the node contains a legal value. Throws exception and invalidates if not.
   def self.within(array, node)
diff --git a/spec/controllers/api/tokens/tokens_controller_create_spec.rb b/spec/controllers/api/tokens/tokens_controller_create_spec.rb
index 5b2151de8..c9eda010e 100644
--- a/spec/controllers/api/tokens/tokens_controller_create_spec.rb
+++ b/spec/controllers/api/tokens/tokens_controller_create_spec.rb
@@ -29,7 +29,7 @@ describe Api::TokensController do
       expect(before).to eq(after)
     end
 
-    it 'bumps last_saw_api when it is a bot' do
+    it 'bumps last_saw_api and issues BOT AUD when it is a bot' do
       ua = "FARMBOTOS/99.99.99 (RPI3) RPI3 (1.1.1)"
       allow(request).to receive(:user_agent).and_return(ua)
       request.env["HTTP_USER_AGENT"] = ua
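Review bot: The four `defineNode` calls added here, including the new `install_first_party_farmware`, are unrelated to the commit subject "Add AUD claim to JWTs" and would be easier to review and revert as a separate commit. `install_first_party_farmware` reuses the `:url` argument, which `.defineArg(:url, [String])` in the previous hunk constrains only by type; if "first party" is meant to imply a trusted source, that check presumably lives in the node's executor rather than here, and a comment at the definition such as `# :url is type-checked only; any trust decision belongs to the executor.` would prevent a reader from assuming otherwise. I also cannot see from this hunk whether `install_first_party_farmware` was added to `ALLOWED_RPC_NODES`, whose `%w(...)` list is truncated in the first hunk — worth confirming, since a node absent from that list presumably cannot be dispatched. The `defineNode` chain begins outside the hunk.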
@@ -39,6 +39,27 @@ describe Api::TokensController do
       after = user.device.reload.last_saw_api
       expect(after).to be
       expect(after).to be > before
+      expect(json.dig(:token, :unencoded, :aud)).to be
+      expect(json.dig(:token, :unencoded, :aud))
+        .to eq(AbstractJwtToken::BOT_AUD)
+    end
+
+    it "issues a 'HUMAN' AUD to browsers" do
+      payload = {user: {email: user.email, password: "password"}}
+      allow_any_instance_of(Api::TokensController)
+        .to receive(:xhr?).and_return(true)
+      post :create, params: payload
+      expect(json.dig(:token, :unencoded, :aud)).to be
+      expect(json.dig(:token, :unencoded, :aud))
+        .to eq(AbstractJwtToken::HUMAN_AUD)
+    end
+
+    it "issues a '?' AUD to all others" do
+      payload = {user: {email: user.email, password: "password"}}
+      post :create, params: payload
+      expect(json.dig(:token, :unencoded, :aud)).to be
+      expect(json.dig(:token, :unencoded, :aud))
+        .to eq(AbstractJwtToken::UNKNOWN_AUD)
     end
   end
 end
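Review bot: None of the three new examples pins the precedence in `guess_aud_claim`, where the FarmBot OS check runs before `xhr?`: a request that carries the bot User-Agent and is also XHR should still receive `AbstractJwtToken::BOT_AUD`, and without a test that ordering can flip unnoticed. A fourth example combining the `ua` setup from the 'bumps last_saw_api' case with `allow_any_instance_of(Api::TokensController).to receive(:xhr?).and_return(true)` and asserting `BOT_AUD` would cover it. Separately, each `expect(json.dig(:token, :unencoded, :aud)).to be` is redundant with the `eq` assertion that follows it, and the repeated `payload` literal and `json.dig(...)` chain could move into a `let(:payload)` and a small `aud` helper.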