feature(api): add ensure_token_is_not_expired to api_controller v1 an…

…d v2
adullact · Jan 25, 2024 · 7e85559 · 7e85559
1 parent 28e4e1b
commit 7e85559
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 4 deletions.
diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
@@ -3,6 +3,7 @@ class API::V2::BaseController < ApplicationController
   skip_before_action :setup_tracking
   before_action :authenticate_from_token
   before_action :ensure_authorized_network, if: -> { @api_token.present? }
+  before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
 
   before_action do
     Current.browser = 'api'
@@ -54,4 +55,10 @@ def ensure_authorized_network
       render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden
     end
   end
+
+  def ensure_token_is_not_expired
+    if @api_token.expired?
+      render json: { errors: ['token expired'] }, status: :unauthorized
+    end
+  end
 end
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
@@ -2,6 +2,7 @@ class APIController < ApplicationController
   before_action :default_format_json
   before_action :authenticate_from_token
   before_action :ensure_authorized_network, if: -> { @api_token.present? }
+  before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
 
   before_action do
     Current.browser = 'api'
@@ -41,4 +42,10 @@ def ensure_authorized_network
       render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden
     end
   end
+
+  def ensure_token_is_not_expired
+    if @api_token.expired?
+      render json: { errors: ['token expired'] }, status: :unauthorized
+    end
+  end
 end
diff --git a/app/models/api_token.rb b/app/models/api_token.rb
@@ -71,6 +71,10 @@ def forbidden_network?(ip)
     authorized_networks.none? { |range| range.include?(ip) }
   end
 
+  def expired?
+    expires_at&.past?
+  end
+
   class << self
     def generate(administrateur)
       plain_token = generate_unique_secure_token

diff --git a/spec/controllers/api/v2/base_controller_spec.rb b/spec/controllers/api/v2/base_controller_spec.rb
@@ -1,5 +1,5 @@
 describe API::V2::BaseController, type: :controller do
-  describe 'ensure_authorized_network' do
+  describe 'ensure_authorized_network and token_is_not_expired' do
     let(:admin) { create(:administrateur) }
     let(:token_bearer_couple) { APIToken.generate(admin) }
     let(:token) { token_bearer_couple[0] }
@@ -18,7 +18,23 @@
     describe 'GET #index' do
       subject { get :fake_action }
 
-      context 'when no authorized networks are defined' do
+      context 'when no authorized networks are defined and the token is not expired' do
+        it { is_expected.to have_http_status(:ok) }
+      end
+
+      context 'when the token is expired' do
+        before do
+          token.update!(expires_at: 1.day.ago)
+        end
+
+        it { is_expected.to have_http_status(:unauthorized) }
+      end
+
+      context 'when this is precisely the day the token expires' do
+        before do
+          token.update!(expires_at: Time.zone.today)
+        end
+
         it { is_expected.to have_http_status(:ok) }
       end
 

diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb
@@ -40,7 +40,7 @@
     end
   end
 
-  describe 'ensure_authorized_network' do
+  describe 'ensure_authorized_network and token is not expired' do
     let(:admin) { create(:administrateur) }
     let(:token_bearer_couple) { APIToken.generate(admin) }
     let(:token) { token_bearer_couple[0] }
@@ -59,10 +59,18 @@
     describe 'GET #index' do
       subject { get :fake_action }
 
-      context 'when no authorized networks are defined' do
+      context 'when no authorized networks are defined and the token is not expired' do
         it { is_expected.to have_http_status(:ok) }
       end
 
+      context 'when the token is expired' do
+        before do
+          token.update!(expires_at: 1.day.ago)
+        end
+
+        it { is_expected.to have_http_status(:unauthorized) }
+      end
+
       context 'when a single authorized network is defined' do
         before do
           token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')])