

Require JWT token authorization
Drop basic authorization
jcoyne committed May 28, 2019
1 parent 96fde3c commit d5258e5
Showing 6 changed files with 18 additions and 34 deletions.
19 changes: 6 additions & 13 deletions app/controllers/application_controller.rb
@@ -1,26 +1,22 @@
# frozen_string_literal: true

class ApplicationController < ActionController::API
include ActionController::HttpAuthentication::Basic::ControllerMethods
include ActionController::MimeResponds

http_basic_authenticate_with name: Settings.dor.service_user,
password: Settings.dor.service_password

before_action :check_auth_token

# Since Basic auth is already using the Authorization header, we'll use something
# Since Basic auth was already using the Authorization header, we used something
# non-standard:
TOKEN_HEADER = 'X-Auth'

private

# In the transition period, we are going to check auth tokens, but we won't
# require them. We will continue to use BasicAuth.
# Later we will ensurer that the tokens are present and remove BasicAuth
# Ensure a valid token is present, or renders "401: Not Authorized"
def check_auth_token
token = decoded_auth_token
Honeybadger.context(invoked_by: token[:sub]) if token
return render json: { error: 'Not Authorized' }, status: 401 unless token

Honeybadger.context(invoked_by: token[:sub])
end

def decoded_auth_token
Expand All @@ -33,10 +29,7 @@ def decoded_auth_token
end

def http_auth_header
if request.headers[TOKEN_HEADER].blank?
Honeybadger.notify("no #{TOKEN_HEADER} token was provided by #{request.remote_ip}")
return
end
return if request.headers[TOKEN_HEADER].blank?

request.headers[TOKEN_HEADER].split(' ').last
end
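Review bot: `http_auth_header` still accepts any header value shape: `request.headers[TOKEN_HEADER].split(' ').last` returns the last whitespace-separated piece whether or not a `Bearer` prefix is present, so a prefix-less or multi-word value is handed to the decoder instead of being rejected. Now that Basic auth is gone this is the only place credentials enter, so I would check the scheme explicitly, e.g. `scheme, token = request.headers[TOKEN_HEADER].to_s.split(' ', 2)` followed by `token if scheme == 'Bearer'`. The body of `decoded_auth_token` is collapsed on this page, so I cannot confirm here that it pins the expected algorithm and verifies the signature; with `hmac_secret` now the sole credential (a default value for it is visible in the config/settings.yml hunk of this commit) that is worth checking before merging. The comment `Since Basic auth was already using the Authorization header, we used something non-standard:` now describes history rather than a live constraint; a sentence saying `X-Auth` is kept for compatibility with existing clients would be clearer. Dropping the `Honeybadger.notify` call also means rejected requests now leave no trace at all; logging the 401 in `check_auth_token` (without echoing the token value) would keep that visibility for incident review.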
2 changes: 0 additions & 2 deletions config/settings.yml
Expand Up @@ -42,8 +42,6 @@ cleanup:
local_export_home: '/dor/export'

dor:
service_user: 'user'
service_password: 'password'
hmac_secret: 'my$ecretK3y'

release:
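--- a/spec/requests/authorization_spec.rb
+++ b/spec/requests/authorization_spec.rb
@@ -3,9 +3,6 @@
 require 'rails_helper'
 
 RSpec.describe 'Authorization' do
-let(:user) { Settings.dor.service_user }
-let(:password) { Settings.dor.service_password }
-let(:basic_auth) { ActionController::HttpAuthentication::Basic.encode_credentials(user, password) }
 let(:object) { instance_double(Dor::Item, current_version: '5') }
 
 before do
@@ -17,9 +14,9 @@
 context 'without a bearer token' do
 it 'Logs tokens to honeybadger' do
 get '/v1/objects/druid:mk420bs7601/versions/current',
-headers: { 'Authorization' => basic_auth }
-expect(response.body).to eq '5'
-expect(Honeybadger).to have_received(:notify).with('no X-Auth token was provided by 127.0.0.1')
+headers: {}
+expect(response.body).to eq '{"error":"Not Authorized"}'
+expect(response).to be_unauthorized
 end
 end
 
@@ -29,7 +26,7 @@
 
 it 'Logs tokens to honeybadger' do
 get '/v1/objects/druid:mk420bs7601/versions/current',
-headers: { 'Authorization' => basic_auth, 'X-Auth' => "Bearer #{jwt}" }
+headers: { 'X-Auth' => "Bearer #{jwt}" }
 expect(response.body).to eq '5'
 expect(Honeybadger).not_to have_received(:notify)
 expect(Honeybadger).to have_received(:context).with(invoked_by: 'argo')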
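Review bot: The example `it 'Logs tokens to honeybadger' do` inside `context 'without a bearer token'` now asserts a 401 and no longer mentions Honeybadger at all, so its description is stale; `it 'rejects the request with 401 Not Authorized' do` would describe what the new lines check. Comparing `response.body` to the literal `'{"error":"Not Authorized"}'` ties the spec to the serializer's key order and whitespace; `expect(JSON.parse(response.body)).to eq('error' => 'Not Authorized')` checks the same contract without that coupling. It would also be worth adding an example for a malformed or wrongly signed token alongside the missing-token case, since the controller now relies on the token alone; `let(:jwt)` is defined outside the visible hunks, so I cannot see here whether such a case already exists.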
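--- a/spec/requests/metadata_refresh_spec.rb
+++ b/spec/requests/metadata_refresh_spec.rb
@@ -3,9 +3,8 @@
 require 'rails_helper'
 
 RSpec.describe 'Refresh metadata' do
-let(:user) { Settings.dor.service_user }
-let(:password) { Settings.dor.service_password }
-let(:basic_auth) { ActionController::HttpAuthentication::Basic.encode_credentials(user, password) }
+let(:payload) { { sub: 'argo' } }
+let(:jwt) { JWT.encode(payload, Settings.dor.hmac_secret, 'HS256') }
 let(:object) { Dor::Item.new(pid: 'druid:1234') }
 
 before do
@@ -16,7 +15,7 @@
 
 it 'updates the metadata and saves the changes' do
 post '/v1/objects/druid:mk420bs7601/refresh_metadata',
-headers: { 'Authorization' => basic_auth }
+headers: { 'X-Auth' => "Bearer #{jwt}" }
 expect(response).to be_successful
 expect(RefreshMetadataAction).to have_received(:run).with(object)
 expect(object).to have_received(:save)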
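Review bot: The pair `let(:payload) { { sub: 'argo' } }` / `let(:jwt) { JWT.encode(payload, Settings.dor.hmac_secret, 'HS256') }` is duplicated verbatim here and in spec/requests/metadata_spec.rb, and the `'X-Auth' => "Bearer #{jwt}"` header literal is repeated in every example of both files. Because the signing algorithm and the secret are the security contract the controller enforces, I would define them once, for example an `auth_headers(sub: 'argo')` helper in spec/support/auth_helper.rb that returns `{ 'X-Auth' => "Bearer #{JWT.encode({ sub: sub }, Settings.dor.hmac_secret, 'HS256')}" }`, so a future change to the algorithm or header name is made in one place. Each example would then read `post '/v1/objects/druid:mk420bs7601/refresh_metadata', headers: auth_headers`.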
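--- a/spec/requests/metadata_spec.rb
+++ b/spec/requests/metadata_spec.rb
@@ -3,9 +3,8 @@
 require 'rails_helper'
 
 RSpec.describe 'Display metadata' do
-let(:user) { Settings.dor.service_user }
-let(:password) { Settings.dor.service_password }
-let(:basic_auth) { ActionController::HttpAuthentication::Basic.encode_credentials(user, password) }
+let(:payload) { { sub: 'argo' } }
+let(:jwt) { JWT.encode(payload, Settings.dor.hmac_secret, 'HS256') }
 let(:object) { Dor::Item.new(pid: 'druid:1234') }
 
 before do
@@ -16,7 +15,7 @@
 describe 'dublin core' do
 it 'returns the DC xml' do
 get '/v1/objects/druid:mk420bs7601/metadata/dublin_core',
-headers: { 'Authorization' => basic_auth }
+headers: { 'X-Auth' => "Bearer #{jwt}" }
 expect(response).to be_successful
 expect(response.body).to include '<dc:title>Hello</dc:title>'
 end
@@ -25,7 +24,7 @@
 describe 'descriptive' do
 it 'returns the DC xml' do
 get '/v1/objects/druid:mk420bs7601/metadata/descriptive',
-headers: { 'Authorization' => basic_auth }
+headers: { 'X-Auth' => "Bearer #{jwt}" }
 expect(response).to be_successful
 expect(response.body).to be_equivalent_to <<~XML
 <mods xmlns="http://www.loc.gov/mods/v3" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="3.6" xsi:schemaLocation="http://www.loc.gov/mods/v3 http://www.loc.gov/standards/mods/v3/mods-3-6.xsd">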
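--- a/spec/support/auth_helper.rb
+++ b/spec/support/auth_helper.rb
@@ -2,8 +2,6 @@
 
 module AuthHelper
 def login
-user = Settings.dor.service_user
-pass = Settings.dor.service_password
-request.env['HTTP_AUTHORIZATION'] = ActionController::HttpAuthentication::Basic.encode_credentials(user, pass)
+allow(controller).to receive(:check_auth_token)
 end
 end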
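Review bot: `allow(controller).to receive(:check_auth_token)` turns `login` into a bypass of authentication rather than a login: every controller spec that calls it now skips header parsing and token decoding entirely, so a regression in `http_auth_header` or `decoded_auth_token` would only be caught by the request specs. The previous version exercised the real credential path by setting `request.env['HTTP_AUTHORIZATION']`; the equivalent for the new scheme is a single line, `request.env['HTTP_X_AUTH'] = "Bearer #{JWT.encode({ sub: 'argo' }, Settings.dor.hmac_secret, 'HS256')}"`, which keeps controller specs honest about what the before_action accepts. If stubbing is kept deliberately, the method should say so, e.g. rename it to `skip_auth` or add `# Stubs check_auth_token; does not exercise token parsing or verification.` above `def login`.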

0 comments on commit d5258e5
