allowing only registered client applications

ce6c97bd · Mauricio Giacomini Girardello · e40f9471 · ce6c97bd · ce6c97bd · ce6c97bd
Commit ce6c97bd authored 8 years ago by Mauricio Giacomini Girardello
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -7,6 +7,9 @@ class ApplicationController < ActionController::API
  # tracking user in papertrail
  before_filter :set_paper_trail_whodunnit

+  # check if client application is allowed to consumes the API.
+  before_filter :allow_client_application
+
  # Prevent CSRF attacks by raising an exception.
  # For APIs, you may want to use :null_session instead.
  # protect_from_forgery with: :null_session
@@ -35,6 +38,11 @@ class ApplicationController < ActionController::API

  private

+  def allow_client_application
+    app = Application.find_by_application_id(request.headers["PortalMEC-AppID"])
+    user_not_authorized if (app.try(:domain) != request.domain) || app.nil?
+  end
+
  def user_not_authorized
    render nothing: true, status: :unauthorized
  end

--- a/app/models/application.rb
+++ b/app/models/application.rb
+class Application < ActiveRecord::Base
+  belongs_to :user
+
+  validates :domain, presence: true, uniqueness: true
+  validates :application_id, presence: true, uniqueness: true
+  before_create :generate_application_id
+
+  private
+
+  def generate_application_id
+    self.application_id = SecureRandom.uuid
+  end
+end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -53,18 +53,15 @@ class User < ActiveRecord::Base
  has_many :bookmark_collections, through: :bookmarks, source: :bookmarkable, source_type: 'Collection'
  has_many :bookmark_learning_objects, through: :bookmarks, source: :bookmarkable, source_type: 'LearningObject'
  has_many :bookmarks
-
  has_many :collections, as: :owner
-
  has_many :learning_objects, as: :publisher
-
  has_many :views
  has_many :downloads
  has_many :likes
  has_many :shares
  has_many :follows
-
  has_many :reviews
+  has_many :applications

  after_create :default_role


--- a/config/routes.rb
+++ b/config/routes.rb
@@ -74,11 +74,13 @@ Rails.application.routes.draw do
        resource :upload, module: 'learning_objects', only: :create
      end
    end
+
    resources :institutions, concerns: :deletable do
      member do
        get :users, to: 'institutions#users'
      end
    end
+
    resources :complaints, only: [:index, :create], concerns: :deletable
    resources :languages, except: [:new, :edit]
    resources :licenses, except: [:new, :edit]

--- a/db/migrate/20160517140326_create_applications.rb
+++ b/db/migrate/20160517140326_create_applications.rb
+class CreateApplications < ActiveRecord::Migration
+  def change
+    create_table :applications do |t|
+      t.string :name
+      t.string :domain
+      t.string :application_id
+      t.belongs_to :user, index: true, foreign_key: true
+
+      t.timestamps null: false
+    end
+    add_index :applications, :domain, unique: true
+    add_index :applications, :application_id, unique: true
+  end
+end
--- a/test/fixtures/applications.yml
+++ b/test/fixtures/applications.yml
+# Read about fixtures at http://api.rubyonrails.org/classes/ActiveRecord/FixtureSet.html
+
+one:
+  name: MyString
+  domain: MyString
+  application_id: MyString
+  user_id: 
+
+two:
+  name: MyString
+  domain: MyString
+  application_id: MyString
+  user_id: 
--- a/test/models/application_test.rb
+++ b/test/models/application_test.rb
+require 'test_helper'
+
+class ApplicationTest < ActiveSupport::TestCase
+  # test "the truth" do
+  #   assert true
+  # end
+end