Rename Ret.ApiToken -> Ret.Api.Token

Hubs-Foundation · Oct 16, 2020 · 69902c7 · 69902c7
1 parent f96f226
commit 69902c7
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 15 deletions.
diff --git a/config/dev.exs b/config/dev.exs
@@ -187,7 +187,7 @@ config :ret, Ret.Guardian,
   secret_key: "47iqPEdWcfE7xRnyaxKDLt9OGEtkQG3SycHBEMOuT2qARmoESnhc76IgCUjaQIwX",
   ttl: {12, :weeks}
 
-config :ret, Ret.ApiToken,
+config :ret, Ret.Api.Token,
   secret_key: "sLqNm8eWf4gtzmaZXUyn5qI93levlvBnX4hqCM9HraDM00QMnVvtQGAQ4S56q3fe",
   ttl: {2, :weeks}
 

diff --git a/lib/ret/api_token.ex → lib/ret/api/token.ex b/lib/ret/api_token.ex → lib/ret/api/token.ex
@@ -1,4 +1,4 @@
-defmodule Ret.ApiToken do
+defmodule Ret.Api.Token do
   @moduledoc """
   ApiTokens determine what actions are allowed to be taken via the public API.
   """

diff --git a/lib/ret/api_token_secret_fetcher.ex b/lib/ret/api_token_secret_fetcher.ex
@@ -2,10 +2,10 @@
 defmodule Ret.ApiTokenSecretFetcher do
   @moduledoc false
   def fetch_signing_secret(_mod, _opts) do
-    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+    {:ok, Application.get_env(:ret, Ret.Api.Token)[:secret_key] |> JOSE.JWK.from_oct()}
   end
 
   def fetch_verifying_secret(_mod, _token_headers, _opts) do
-    {:ok, Application.get_env(:ret, Ret.ApiToken)[:secret_key] |> JOSE.JWK.from_oct()}
+    {:ok, Application.get_env(:ret, Ret.Api.Token)[:secret_key] |> JOSE.JWK.from_oct()}
   end
 end
diff --git a/lib/ret/hub.ex b/lib/ret/hub.ex
@@ -664,8 +664,8 @@ defmodule Ret.Hub do
 end
 
 # # TODO: Canada Can implementation for api token
-# defimpl Canada.Can, for: Ret.ApiToken do
-#   def can?(%Ret.ApiToken{} = token, :view_room, %Hub{} = hub) do
+# defimpl Canada.Can, for: Ret.Api.Token do
+#   def can?(%Ret.Api.Token{} = token, :view_room, %Hub{} = hub) do
 #     hub.entry_mode.public || token.claims.superuser
 #   end
 # end
@@ -818,3 +818,15 @@ defimpl Canada.Can, for: Atom do
 
   def can?(_, _, _), do: false
 end
+
+defimpl Canada.Can, for: {resource, scopes} do
+  def can?({:reticulum_app_token, scopes}, :update_room, room) do
+    Scopes.ensure_has_scope(scopes, Scopes.write_rooms())
+    && can?(resource, :update_room, room)
+  end
+end
+
+defimpl Canada.Can, for: :reticulum_app_token do
+  def can?(_, :access_admin_panel, _), do: false
+  def can?(_, _, %Hub{}), do: true
+end
diff --git a/lib/ret_web/plugs/api_token_auth_pipeline.ex b/lib/ret_web/plugs/api_token_auth_pipeline.ex
@@ -2,7 +2,7 @@ defmodule RetWeb.ApiTokenAuthPipeline do
   @moduledoc false
   use Guardian.Plug.Pipeline,
     otp_app: :ret,
-    module: Ret.ApiToken,
+    module: Ret.Api.Token,
     error_handler: RetWeb.ApiTokenAuthErrorHandler
 
   plug(Guardian.Plug.VerifyHeader, halt: false)

diff --git a/test/ret/api_token_test.exs b/test/ret/api_token_test.exs
@@ -15,15 +15,15 @@ defmodule Ret.ApiTokenTest do
 
   test "Api tokens encode default permissions" do
     {:ok, token, _claims} = Generator.gen_token()
-    {:ok, claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
     assert Map.get(claims, "rooms_mutation_create_room")
     assert Map.get(claims, "rooms_mutation_update_room") === false
   end
 
   test "Api tokens generated with an account encode more permissions" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
     {:ok, token, _claims} = Generator.gen_token_for_account(account)
-    {:ok, claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:ok, claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
     assert Map.get(claims, "rooms_mutation_create_room")
     assert Map.get(claims, "rooms_mutation_update_room")
   end
@@ -32,25 +32,25 @@ defmodule Ret.ApiTokenTest do
     {:ok, token, _claims} = Generator.gen_token()
     [%{jwt: jwt}] = Repo.all(token_query())
     assert jwt == token
-    {:ok, _claims} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:ok, _claims} = Guardian.decode_and_verify(Ret.Api.Token, token)
 
-    Guardian.revoke(Ret.ApiToken, token)
+    Guardian.revoke(Ret.Api.Token, token)
     assert Enum.empty?(Repo.all(token_query()))
 
-    {:error, :token_not_found} = Guardian.decode_and_verify(Ret.ApiToken, token)
+    {:error, :token_not_found} = Guardian.decode_and_verify(Ret.Api.Token, token)
   end
 
   test "Api tokens can be associated with an account" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
     {:ok, token, _claims} = Generator.gen_token_for_account(account)
-    {:ok, resource, _claims} = Guardian.resource_from_token(Ret.ApiToken, token)
+    {:ok, resource, _claims} = Guardian.resource_from_token(Ret.Api.Token, token)
     assert resource.account_id === account.account_id
   end
 
   test "Revoked tokens cannot recover accounts" do
     account = Ret.Account.find_or_create_account_for_email("test@mozilla.com")
     {:ok, token, _claims} = Generator.gen_token_for_account(account)
-    Guardian.revoke(Ret.ApiToken, token)
-    {:error, :token_not_found} = Guardian.resource_from_token(Ret.ApiToken, token)
+    Guardian.revoke(Ret.Api.Token, token)
+    {:error, :token_not_found} = Guardian.resource_from_token(Ret.Api.Token, token)
   end
 end