Problem with svg token #1222

Open
wants to merge 24 commits into
base: karol-tmp
4 changes: 3 additions & 1 deletion lib/travis/api/app/endpoint/authorization.rb
Expand Up @@ -142,7 +142,9 @@ def update_first_login(user)

def serialize_user(user)
rendered = Travis::Api::Serialize.data(user, version: :v2)
rendered['user'].merge('token' => user.tokens.first.try(:token).to_s)
rendered['user'].merge!('token' => user.default_tokens.first.try(:token).to_s)
rendered['user'].merge!('svg_token' => user.svg_token.to_s)
rendered['user']
end

def oauth_endpoint
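Review bot: The line adding `'svg_token'` calls `user.svg_token`, which in user.rb is not a pure read — it falls back to `create_svg_token`, so serializing a user that has no svg token inserts a Token row from inside a serializer, and a failed insert turns the response into an exception. Consider a read-only lookup here and leave creation to the `after_create` callback (plus a one-off backfill for existing users), so concurrent requests cannot each create their own svg token. `merge!` also now mutates the hash returned by `Travis::Api::Serialize.data`; that is harmless if the hash is freshly built per call, which I cannot confirm from this hunk. serialize_user is shown in full; the enclosing class continues outside the hunk.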
24 changes: 22 additions & 2 deletions lib/travis/api/app/helpers/respond_with.rb
Expand Up @@ -32,7 +32,6 @@ def body(value = nil, options = {}, &block)
end

private

def respond(resource, options)
resource = apply_service_responder(resource, options)
response = nil
Expand All @@ -41,13 +40,34 @@ def respond(resource, options)
acceptable_formats.find do |accept|
responders.find do |const|
responder = const.new(self, resource, options.dup.merge(accept: accept))
response = responder.apply if responder.apply?
if responder.apply?
if token_proper?(responder)
response = responder.apply
else
halt 403, 'access denied'
end
end
end
end

response || (resource ? error(406) : error(404))
end

def token_proper?(responder)
return true unless params[:token] # it means that ScopeCheck granted access basing on other proper token

acceptable = acceptable_tokens(responder)
token = Token.find_by_token(params[:token])
acceptable.include?(token.try(:purpose_symbol))
end

def acceptable_tokens(responder)
case(responder)
when Travis::Api::App::Responders::Badge then [:svg]
else [:default]
end
end

def prettify_result?
!params[:pretty].nil? && (params[:pretty].downcase == 'true' || params[:pretty].to_i > 0)
end
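Review bot: `token_proper?` re-resolves the credential from `params[:token]` alone, so the purpose restriction only covers tokens passed as a query parameter; if ScopeCheck also accepts these same Token records from another source (an Authorization header), an `:svg`-purpose token presented that way takes the `return true` early exit and reaches non-badge responders unchecked. Safer is to have the purpose check consume the token object ScopeCheck already authenticated instead of a second `find_by_token` on raw params, which additionally avoids handing a non-string parameter value to the finder. A nil lookup result yields `nil.try(:purpose_symbol)` and therefore 403, which fails closed, but because `halt 403, 'access denied'` fires before `response` is set, a wrong-purpose token on a multi-format request gets 403 rather than 406 — worth a comment stating that is intended. Style: `case(responder)` should be `case responder`. respond's body begins outside the hunk.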
4 changes: 4 additions & 0 deletions lib/travis/model/token.rb
Expand Up @@ -15,6 +15,10 @@ class Token < Travis::Model

serialize :token, Travis::Model::EncryptedColumn.new(disable: true)

def purpose_symbol
purpose.try(:to_sym) || :default
end

protected

def generate_token
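Review bot: `purpose_symbol` treats only a nil `purpose` as `:default`; an empty-string purpose becomes `:""`, which matches no entry in `acceptable_tokens` and silently makes that token unusable (fails closed, but hard to diagnose). If the column can hold blanks, `(purpose.presence || 'default').to_sym` covers both cases; either way a one-line comment such as `# nil (legacy rows) means :default; the symbol is matched against the responder whitelist in RespondWith#acceptable_tokens` would record why nil maps to default. Token's class body continues outside the hunk.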
23 changes: 20 additions & 3 deletions lib/travis/model/user.rb
Expand Up @@ -15,6 +15,7 @@ class User < Travis::Model

before_create :set_as_recent
after_create :create_a_token
after_create :create_svg_token
before_save :track_previous_changes

serialize :github_scopes
Expand All @@ -40,7 +41,16 @@ def with_email(email_address)
end

def token
tokens.first.try(:token)
tokens.find { |t| t.try(:purpose_symbol) == :default}.try(:token)
end

def svg_token
token = tokens.find { |t| t.try(:purpose_symbol) == :svg} || create_svg_token
token.try(:token)
end

def default_tokens
self.tokens.select { |token| token.try(:purpose_symbol) == :default }
end

def to_json
Expand Down Expand Up @@ -162,8 +172,15 @@ def inspect
github_oauth_token ? super.gsub(github_oauth_token, '[REDACTED]') : super
end

def create_a_token
self.tokens.create!
def create_a_token(purpose = :default)
token = self.tokens.create!
token.purpose = purpose.to_s
token.save!
token
end

def create_svg_token
create_a_token(:svg)
end

protected
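Review bot: `create_a_token` persists the token twice — `tokens.create!` first writes a row with a nil purpose, which `purpose_symbol` reads as `:default`, and only the later `save!` marks it `svg` — so a failure between the two leaves an svg-intended credential that is valid as a default API token. Unless mass-assignment protection blocks it, a single `token = self.tokens.create!(purpose: purpose.to_s)` removes that window and a query. Separately, the `svg_token` reader lazily calls `create_svg_token`, so two concurrent requests for a user without one can each insert a token and afterwards return different values; prefer a read-only reader and let the `after_create :create_svg_token` hook (plus a backfill for existing users) own creation. The hunks shown are parts of User; the class header and the remainder of the class are outside the diff.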
20 changes: 10 additions & 10 deletions spec/auth/v1/repo_status_spec.rb
Expand Up @@ -79,13 +79,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -184,13 +184,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end
Expand Down Expand Up @@ -289,13 +289,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -400,13 +400,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -505,13 +505,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end
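Review bot: The updated examples only swap `user.token` for `user.svg_token` and still expect 200, so nothing asserts the new rejection branch in `RespondWith#token_proper?`: a default-purpose token on a `.svg` badge, or an svg-purpose token on a JSON endpoint, should now produce 403, and neither case is covered here. One negative example per format, along the lines of `describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do it(:with_permission) { should auth status: 403 } end` (adjusted to whatever the `auth` matcher accepts), would pin the behaviour the change exists to enforce. The same gap applies to spec/auth/v2.1/repo_status_spec.rb and spec/auth/v2/repo_status_spec.rb.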
20 changes: 10 additions & 10 deletions spec/auth/v2.1/repo_status_spec.rb
Expand Up @@ -79,13 +79,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -184,13 +184,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end
Expand Down Expand Up @@ -289,13 +289,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -400,13 +400,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -505,13 +505,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end
20 changes: 10 additions & 10 deletions spec/auth/v2/repo_status_spec.rb
Expand Up @@ -79,13 +79,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -184,13 +184,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end
Expand Down Expand Up @@ -289,13 +289,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -400,13 +400,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'unknown.svg' }
end
Expand Down Expand Up @@ -505,13 +505,13 @@
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.png' }
end

describe 'GET /repos/%{repo.slug}?token=%{user.token} Accept image/svg+xml' do
describe 'GET /repos/%{repo.slug}?token=%{user.svg_token} Accept image/svg+xml' do
let(:accept) { 'image/svg+xml' }
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end

describe 'GET /repos/%{repo.slug}.svg?token=%{user.token}' do
describe 'GET /repos/%{repo.slug}.svg?token=%{user.svg_token}' do
it(:with_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
it(:without_permission) { should auth status: 200, type: :img, file: 'passing.svg' }
end