
Created authorized index route for submissions

hermanzdosilovic committed Sep 22, 2017
1 parent e32d9c8 commit b2377b6e47ed75890fbc9bce8e919047e3f57cc6
@@ -8,6 +8,7 @@ gem 'enumerations', '~> 2.1'
gem 'puma', '~> 3.0'
gem 'rack-cors', require: 'rack/cors'
gem 'resque', '~> 1.26'
gem 'will_paginate', '~> 3.1'
group :development do
gem 'annotate', '~> 2.7'
@@ -185,6 +185,7 @@ GEM
websocket-driver (0.6.5)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.2)
will_paginate (3.1.6)
PLATFORMS
ruby
@@ -205,6 +206,7 @@ DEPENDENCIES
resque (~> 1.26)
rspec-rails (~> 3.5)
shoulda-matchers (~> 3.1)
will_paginate (~> 3.1)
BUNDLED WITH
1.14.6
1.15.4
@@ -39,11 +39,30 @@ def status
private
def authenticate_request
return unless Rails.application.secrets.authn_token.present?
authn_token = (request.headers[Rails.application.secrets.authn_header] || params[Rails.application.secrets.authn_header]).to_s
Rails.application.secrets.authn_token.split.each do |value|
return if ActiveSupport::SecurityUtils.secure_compare(value, authn_token)
head :unauthorized if safe_compare(Rails.application.secrets.authn_token, Rails.application.secrets.authn_header)
end
def authorize_request
head :forbidden unless Rails.application.secrets.authz_token.present?
head :forbidden if safe_compare(Rails.application.secrets.authz_token, Rails.application.secrets.authz_header)
end
def safe_compare(token, header)
return false unless token.present?
provided_token = (request.headers[header] || params[header]).to_s
token.split.each do |value|
return false if ActiveSupport::SecurityUtils.secure_compare(value, provided_token)
end
head :unauthorized
true
end
def pagination_dict(collection)
{
current_page: collection.current_page,
next_page: collection.next_page,
prev_page: collection.previous_page,
total_pages: collection.total_pages,
total_count: collection.total_entries
}
end
end
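Review bot: `safe_compare` returns `true` when none of the configured tokens matched the request (the loop returns `false` on a match and falls through to `true`), so `head :unauthorized if safe_compare(...)` in `authenticate_request` and the second `head :forbidden` in `authorize_request` read as the inverse of what they do; a name that states the outcome, e.g. `def token_mismatch?(token, header)`, or returning `true` on a match and using `unless` at both call sites, would remove that trap. The same helper also accepts the secret from `params[header]`, so a token passed as a query parameter is written to the Rails request log unless both header names are added to `config.filter_parameters`; the environment-file commentary in this commit documents exactly that query-parameter form, so the path is real. `return false unless token.present?` silently disables the check when the token is blank, which matches the previous behaviour but deserves a comment such as `# blank token: check disabled, request passes`. The enclosing `ApplicationController` class begins outside the hunk.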
@@ -1,4 +1,31 @@
class SubmissionsController < ApplicationController
before_action :authorize_request, only: [:index]
def index
render_invalid_field_error and return if has_invalid_field
page = params[:page].try(:to_i) || 1
per_page = params[:per_page].try(:to_i) || Submission.per_page
if page <= 0
render json: { error: "invalid page: #{page}" }, status: :bad_request
return
elsif per_page < 0
render json: { error: "invalid per_page: #{per_page}" }, status: :bad_request
return
end
submissions = Submission.paginate(page: page, per_page: per_page)
serializable_submissions = ActiveModelSerializers::SerializableResource.new(
submissions, { each_serializer: SubmissionSerializer, fields: requested_fields }
)
render json: {
submissions: serializable_submissions.as_json,
meta: pagination_dict(submissions)
}
end
def show
render_invalid_field_error and return if has_invalid_field
render json: Submission.find_by!(token: params[:token]), base64_encoded: params[:base64_encoded] == "true", fields: requested_fields
@@ -85,24 +112,12 @@ def render_invalid_field_error
def self.default_fields
@@default_fields = [
:stdout,
:status,
:created_at,
:finished_at,
:token,
:time,
:memory,
:stderr,
:token,
:number_of_runs,
:cpu_time_limit,
:cpu_extra_time,
:wall_time_limit,
:memory_limit,
:stack_limit,
:max_processes_and_or_threads,
:enable_per_process_and_thread_time_limit,
:enable_per_process_and_thread_memory_limit,
:max_file_size
:stdout,
:compile_output,
:status,
]
end
end
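Review bot: The `per_page` check in `index` (`elsif per_page < 0`) admits `0` and has no upper bound, so `per_page=0` reaches `Submission.paginate` with a zero page size, which will_paginate is unlikely to handle gracefully (its total-pages computation divides by `per_page`), and a very large value lets one request load the whole table in a single query; tighten it to `elsif per_page <= 0 || per_page > MAX_PER_PAGE` with a frozen class constant such as `MAX_PER_PAGE = 100` (placeholder value) and document the cap in the error message. Note that `params[:per_page].try(:to_i)` also turns a non-numeric value into `0`, so the widened check covers that case too, whereas the `page <= 0` branch already rejects the equivalent for `page`. The second hunk of this file (`default_fields`) is below the first and its enclosing method starts inside it, but the list contents cannot be reviewed without the old/new sides.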
@@ -66,6 +66,10 @@ class Submission < ApplicationRecord
enumeration :status
default_scope { order(created_at: :desc) }
self.per_page = 20
def source_code
return nil if super.nil?
@decoded_source_code ||= Base64.decode64(self[:source_code])
@@ -1,6 +1,6 @@
Rails.application.routes.draw do
root 'home#docs'
resources :submissions, only: [:show, :create], param: :token
resources :submissions, only: [:index, :show, :create], param: :token
resources :languages, only: [:index]
resources :statuses, only: [:index]
get 'system_info', to: 'application#system_info'
@@ -1,6 +1,8 @@
default: &default
authn_header: <%= ENV["AUTHN_HEADER"].presence || "X-Auth-Token" %>
authn_token: <%= ENV["AUTHN_TOKEN"].to_s.strip %>
authz_header: <%= ENV["AUTHZ_HEADER"].presence || "X-Auth-User" %>
authz_token: <%= ENV["AUTHZ_TOKEN"].to_s.strip %>
development:
<<: *default
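Review bot: The new `authz_token:` line interpolates the environment value into YAML unquoted, like the existing `authn_token:` line, so a value that YAML types as something other than a string — a purely numeric token, or `yes`/`no`/`true`/`null` — arrives in `Rails.application.secrets.authz_token` as an Integer, Boolean or nil, and the `token.split` call in the controller's comparison helper then raises a `NoMethodError` instead of rejecting the request; a token containing `:` or ` #` is likewise mis-parsed. Emitting a JSON-encoded string, `authz_token: <%= ENV["AUTHZ_TOKEN"].to_s.strip.to_json %>`, keeps the value a YAML string for any input, and the same treatment is worth applying to `authn_token` and both `*_header` entries while this file is open.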
@@ -40,6 +40,28 @@ AUTHN_HEADER=
AUTHN_TOKEN=
###############################################################################
# Authorization
###############################################################################
# Protected API calls can be issued with (AUTHZ_HEADER, AUTHZ_TOKEN) pair.
# To see exactly which API calls are protected with authorization tokens
# please read the docs at https://api.judge0.com.
# API authorization ensures that only specified users call protected API calls.
# For example let AUTHZ_HEADER=X-Judge0-User and AUTHZ_TOKEN=mySecretToken.
# Then user should authorize be sending this in headers or query parameters in
# each request, e.g.: https://api.judge0.com/system_info?X-Judge0-User=mySecretToken
# Note that if you enabled authentication, then user should also send valid
# authentication token.
# Specify authorization header name.
# Default: X-Auth-User
AUTHZ_HEADER=
# Specify valid authorization tokens.
# Default: empty - authorization is disabled, protected API calls cannot be issued
AUTHZ_TOKEN=
###############################################################################
# Workers
###############################################################################
