# Guard API with OAuth 2.0 Access Token

require 'rack/oauth2'

module API
  module APIGuard
    extend ActiveSupport::Concern

    included do |base|
      # Mount rack-oauth2's Bearer resource-server middleware. The block below
      # performs no validation: it only hands the raw token string back to the
      # middleware so it is stored in the env. Validity, expiry, revocation and
      # scope checks happen later, in doorkeeper_guard / doorkeeper_guard!.
      use(Rack::OAuth2::Server::Resource::Bearer, 'The API') { |request| request.access_token }

      # Make the guard helpers callable from inside endpoints.
      helpers HelperMethods

      # Render the guard's exceptions as OAuth2 bearer-token error responses.
      install_error_responders(base)
    end

    # Helper Methods for Grape Endpoint
    module HelperMethods
      # Invokes the doorkeeper guard.
      #
      # If token is presented and valid, then it sets @current_user.
      #
      # If the token does not have sufficient scopes to cover the required scopes,
      # then it raises InsufficientScopeError.
      #
      # If the token is expired, then it raises ExpiredError.
      #
      # If the token is revoked, then it raises RevokedError.
      #
      # If the token is not found (nil), then it raises TokenNotFoundError.
      #
      # Arguments:
      #
      #   scopes: (optional) scopes required for this guard.
      #           Defaults to empty array.
      #
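      def doorkeeper_guard!(scopes: [])
        access_token = find_access_token
        # This is the mandatory guard: a request without a token is rejected.
        raise TokenNotFoundError if access_token.nil?

        case validate_access_token(access_token, scopes)
        when Oauth2::AccessTokenValidationService::INSUFFICIENT_SCOPE
          raise InsufficientScopeError.new(scopes)
        when Oauth2::AccessTokenValidationService::EXPIRED
          raise ExpiredError
        when Oauth2::AccessTokenValidationService::REVOKED
          raise RevokedError
        when Oauth2::AccessTokenValidationService::VALID
          # NOTE(review): if User.find raises (e.g. the resource owner no longer
          # exists), that error is not one of the classes this module passes to
          # rescue_from; confirm how it surfaces to the client.
          @current_user = User.find(access_token.resource_owner_id)
        else
          # Fail closed: a validation result that is none of the four known
          # states must not let the request through with no user set. The
          # token is treated as unusable and reported like an unknown token.
          raise TokenNotFoundError
        end
      end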

      # Optional counterpart of doorkeeper_guard!: a request that presents no
      # token passes through untouched (nothing is raised and @current_user is
      # left as it was), so an endpoint that needs authentication must check
      # current_user itself. A presented token is still validated; an expired,
      # revoked or under-scoped token raises. Any other validation result falls
      # through without raising and without setting @current_user.
      def doorkeeper_guard(scopes: [])
        access_token = find_access_token
        return unless access_token

        verdict = validate_access_token(access_token, scopes)
        case verdict
        when Oauth2::AccessTokenValidationService::INSUFFICIENT_SCOPE
          raise InsufficientScopeError.new(scopes)
        when Oauth2::AccessTokenValidationService::EXPIRED
          raise ExpiredError
        when Oauth2::AccessTokenValidationService::REVOKED
          raise RevokedError
        when Oauth2::AccessTokenValidationService::VALID
          @current_user = User.find(access_token.resource_owner_id)
        end
      end

      # Returns the user stored by doorkeeper_guard / doorkeeper_guard! after a
      # token validated as VALID, or nil when no guard has set one.
      def current_user
        @current_user
      end

      private

      # Looks the access token up through Doorkeeper, using the token lookup
      # methods from Doorkeeper's configuration, and memoizes a truthy result.
      # A nil result is not cached, so the lookup runs again on the next call.
      def find_access_token
        return @access_token if @access_token

        @access_token = Doorkeeper.authenticate(
          doorkeeper_request,
          Doorkeeper.configuration.access_token_methods
        )
      end

      # Wraps the endpoint's env in an ActionDispatch::Request, the object
      # handed to Doorkeeper.authenticate, and memoizes it.
      def doorkeeper_request
        return @doorkeeper_request if @doorkeeper_request

        @doorkeeper_request = ActionDispatch::Request.new(env)
      end

      # Delegates to Oauth2::AccessTokenValidationService and returns its
      # result unchanged; the guards compare that result against the service's
      # VALID / EXPIRED / REVOKED / INSUFFICIENT_SCOPE constants.
      def validate_access_token(access_token, scopes)
        validator = Oauth2::AccessTokenValidationService
        validator.validate(access_token, scopes: scopes)
      end
    end

    module ClassMethods
      # Installs the doorkeeper guard on the whole Grape API endpoint.
      #
      # Arguments:
      #
      #   scopes: (optional) scopes required for this guard.
      #           Defaults to empty array.
      #
      def guard_all!(scopes: [])
        # NOTE(review): guard! is not defined in this file (the helpers here are
        # doorkeeper_guard and doorkeeper_guard!); confirm it resolves in the
        # endpoint context, otherwise this filter fails at request time instead
        # of running the token check.
        before { guard!(scopes: scopes) }
      end

      private

      # Registers one shared handler on the including API class (base) for
      # every guard error, so each is rendered as a bearer-token error response.
      def install_error_responders(base)
        handled = [MissingTokenError, TokenNotFoundError, ExpiredError,
                   RevokedError, InsufficientScopeError]

        base.send(:rescue_from, *handled, oauth2_bearer_token_error_handler)
      end

      # Builds the handler passed to rescue_from. It turns each guard error
      # into a rack-oauth2 bearer error response and returns response.finish.
      # Token problems become Unauthorized with :invalid_token; a scope
      # shortfall becomes Forbidden with :insufficient_scope and the required
      # scopes. MissingTokenError is handled here although nothing in this file
      # raises it.
      def oauth2_bearer_token_error_handler
        Proc.new do |e|
          bearer = Rack::OAuth2::Server::Resource::Bearer

          error_response =
            case e
            when MissingTokenError
              bearer::Unauthorized.new
            when TokenNotFoundError
              bearer::Unauthorized.new(:invalid_token, "Bad Access Token.")
            when ExpiredError
              bearer::Unauthorized.new(
                :invalid_token,
                "Token is expired. You can either do re-authorization or token refresh."
              )
            when RevokedError
              bearer::Unauthorized.new(
                :invalid_token,
                "Token was revoked. You have to re-authorize from the user."
              )
            when InsufficientScopeError
              # FIXME: ForbiddenError (inherited from Bearer::Forbidden of Rack::Oauth2)
              # does not include WWW-Authenticate header, which breaks the standard.
              bearer::Forbidden.new(
                :insufficient_scope,
                Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION[:insufficient_scope],
                { scope: e.scopes }
              )
            end

          error_response.finish
        end
      end
    end

    #
    # Exceptions
    #

    # Handled by the error responder (rendered as a bare Unauthorized response)
    # but not raised anywhere in this file.
    class MissingTokenError < StandardError; end

    # Raised by doorkeeper_guard! when find_access_token returns nil.
    class TokenNotFoundError < StandardError; end

    # Raised by both guards when token validation reports EXPIRED.
    class ExpiredError < StandardError; end

    # Raised by both guards when token validation reports REVOKED.
    class RevokedError < StandardError; end

    # Raised by both guards when token validation reports INSUFFICIENT_SCOPE.
    # Carries the scopes the guard was asked to enforce so the error responder
    # can include them in the insufficient_scope response.
    class InsufficientScopeError < StandardError
      attr_reader :scopes

      # scopes: the scopes required by the guard that raised this error.
      # super is not called, so #message falls back to the class name.
      def initialize(scopes)
        @scopes = scopes
      end
    end
  end
end