application_controller.rb

class ApplicationController < ActionController::API
  include ActionController::Serialization
  include DeviseTokenAuth::Concerns::SetUserByToken
  include Pundit
  include PublicActivity::StoreController

  # tracking user in papertrail
  before_action :set_paper_trail_whodunnit

  # check if client application is allowed to consumes the API.
  before_action :allow_client_application, if: -> { Feature.active?(:allow_client_application) }

  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  # protect_from_forgery with: :null_session
  before_action :configure_permitted_parameters, if: :devise_controller?
  rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized

  # ensure *current_user* can be called in PublicActivity models
  # helper_method :current_user
  # hide_action :current_user

  protected

  def configure_permitted_parameters
    registration_params = [:name, :email, :description, :avatar, :password, :password_confirmation, :current_password, :terms_of_service]
    devise_parameter_sanitizer.permit :sign_up, keys: registration_params
    devise_parameter_sanitizer.permit :account_update, keys: registration_params
  end

  private

  def allow_client_application
    app = Application.find_or_initialize_by(application_id: request.headers["PortalMEC-AppID"].to_s)
    user_not_authorized if app.domain != request.domain
  end

  def user_not_authorized
    render status: :unauthorized
  end
end