Merge pull request #6975 from cmrd-senya/6857-misscoped-destroy
[API] don't store ID tokens in DB
This commit is contained in:
commit
3dd2f2159c
5 changed files with 23 additions and 30 deletions
|
|
@ -53,7 +53,6 @@ module Api
|
||||||
def reset_auth(auth)
|
def reset_auth(auth)
|
||||||
return unless auth
|
return unless auth
|
||||||
auth.o_auth_access_tokens.destroy_all
|
auth.o_auth_access_tokens.destroy_all
|
||||||
auth.id_tokens.destroy_all
|
|
||||||
auth.code_used = false
|
auth.code_used = false
|
||||||
auth.save
|
auth.save
|
||||||
end
|
end
|
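Review bot: Once `auth.id_tokens.destroy_all` is gone, `reset_auth` revokes access tokens only; an ID token already issued for this authorization is a self-contained signed JWT that remains valid until its `exp` claim (30 minutes after issue, per `IdToken#initialize` elsewhere in this commit), and nothing here can cut that short. That is the usual OIDC model, where ID tokens are not revocable server-side, but the asymmetry with the access-token line above deserves a comment for the next reader: `# ID tokens are not persisted; any already issued stay valid until their exp claim.` The class enclosing `reset_auth` starts outside the hunk.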
||||||
|
|
|
||||||
|
|
@ -12,7 +12,6 @@ module Api
|
||||||
serialize :scopes, JSON
|
serialize :scopes, JSON
|
||||||
|
|
||||||
has_many :o_auth_access_tokens, dependent: :destroy
|
has_many :o_auth_access_tokens, dependent: :destroy
|
||||||
has_many :id_tokens, dependent: :destroy
|
|
||||||
|
|
||||||
before_validation :setup, on: :create
|
before_validation :setup, on: :create
|
||||||
|
|
||||||
|
|
@ -50,7 +49,7 @@ module Api
|
||||||
end
|
end
|
||||||
|
|
||||||
def create_id_token
|
def create_id_token
|
||||||
id_tokens.create!(nonce: nonce)
|
IdToken.new(self, nonce)
|
||||||
end
|
end
|
||||||
|
|
||||||
def self.find_by_client_id_user_and_scopes(client_id, user, scopes)
|
def self.find_by_client_id_user_and_scopes(client_id, user, scopes)
|
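Review bot: `create_id_token` now returns an unpersisted `IdToken.new(self, nonce)`, but the name still promises a database write and nothing says the token is ephemeral; a one-line comment above the `def` would fix that: `# Builds an in-memory ID token for this authorization; nothing is stored (see IdToken).` The old `id_tokens.create!` at least left a row per issuance; with that gone there is no server-side record of which ID tokens were minted, so any audit need now has to be met by logging in the caller. As far as this hunk shows, neither path checks that `nonce` is present, so a missing nonce surfaces only as a nil claim in the token; the earlier hunk of what appears to be the same file (`has_many :id_tokens` removed) is the matching cleanup.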
||||||
|
|
|
||||||
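--- /dev/null
+++ b/db/migrate/20160813115514_remove_id_tokens.rb
@@ -0,0 +1,7 @@
+require_relative "20150714055110_create_id_tokens"
+
+class RemoveIdTokens < ActiveRecord::Migration
+def change
+revert CreateIdTokens
+end
+end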
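Review bot: The new migration drops the `id_tokens` table without saying why, and `revert CreateIdTokens` discards any rows still present, so a one-line comment makes the intent reviewable: `# ID tokens are now built in memory (Api::OpenidConnect::IdToken); the table is no longer needed.` The `require_relative "20150714055110_create_id_tokens"` also ties this migration to the 2015 file remaining in place, so squashing or removing old migrations would break `revert` here; the same comment can record that dependency.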
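--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20160810230114) do
+ActiveRecord::Schema.define(version: 20160813115514) do
 
 create_table "account_deletions", force: :cascade do |t|
 t.string "diaspora_handle", limit: 255
@@ -160,16 +160,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
 add_index "conversations", ["author_id"], name: "conversations_author_id_fk", using: :btree
 add_index "conversations", ["guid"], name: "index_conversations_on_guid", unique: true, length: {"guid"=>191}, using: :btree
 
-create_table "id_tokens", force: :cascade do |t|
-t.integer "authorization_id", limit: 4
-t.datetime "expires_at"
-t.string "nonce", limit: 255
-t.datetime "created_at", null: false
-t.datetime "updated_at", null: false
-end
-
-add_index "id_tokens", ["authorization_id"], name: "index_id_tokens_on_authorization_id", using: :btree
-
 create_table "invitation_codes", force: :cascade do |t|
 t.string "token", limit: 255
 t.integer "user_id", limit: 4
@@ -661,7 +651,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
 add_foreign_key "conversation_visibilities", "conversations", name: "conversation_visibilities_conversation_id_fk", on_delete: :cascade
 add_foreign_key "conversation_visibilities", "people", name: "conversation_visibilities_person_id_fk", on_delete: :cascade
 add_foreign_key "conversations", "people", column: "author_id", name: "conversations_author_id_fk", on_delete: :cascade
-add_foreign_key "id_tokens", "authorizations"
 add_foreign_key "like_signatures", "likes", name: "like_signatures_like_id_fk", on_delete: :cascade
 add_foreign_key "like_signatures", "signature_orders", name: "like_signatures_signature_orders_id_fk"
 add_foreign_key "likes", "people", column: "author_id", name: "likes_author_id_fk", on_delete: :cascade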
||||||
|
|
@ -25,15 +25,12 @@ require "uri"
|
||||||
|
|
||||||
module Api
|
module Api
|
||||||
module OpenidConnect
|
module OpenidConnect
|
||||||
class IdToken < ActiveRecord::Base
|
class IdToken
|
||||||
belongs_to :authorization
|
def initialize(authorization, nonce)
|
||||||
|
@authorization = authorization
|
||||||
before_validation :setup, on: :create
|
@nonce = nonce
|
||||||
|
@created_at = Time.current
|
||||||
default_scope { where("expires_at >= ?", Time.zone.now.utc) }
|
@expires_at = 30.minutes.from_now
|
||||||
|
|
||||||
def setup
|
|
||||||
self.expires_at = 30.minutes.from_now
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def to_jwt(options={})
|
def to_jwt(options={})
|
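Review bot: In `initialize`, `@created_at = Time.current` and `@expires_at = 30.minutes.from_now` are two separate clock reads, so the `iat` and `exp` claims built from them in the later hunk of this file can differ from 1800 seconds by one after `to_i` truncation, and the lifetime is a bare literal; derive one from the other and name it: `LIFETIME = 30.minutes` at class level, `@created_at = Time.current`, `@expires_at = @created_at + LIFETIME`. Since `IdToken` is no longer an `ActiveRecord::Base` subclass, a class comment should state the new contract: an in-memory token built per request, signed on demand, never stored, and therefore not revocable before `exp`. The `private` marker added in the second hunk also hides `to_response_object`, which is fine only if `to_jwt` is its sole caller — this page cannot confirm that. The class body continues past this hunk.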
||||||
|
|
@ -42,6 +39,8 @@ module Api
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
private
|
||||||
|
|
||||||
def to_response_object(options={})
|
def to_response_object(options={})
|
||||||
OpenIDConnect::ResponseObject::IdToken.new(claims).tap do |id_token|
|
OpenIDConnect::ResponseObject::IdToken.new(claims).tap do |id_token|
|
||||||
id_token.code = options[:code] if options[:code]
|
id_token.code = options[:code] if options[:code]
|
||||||
|
|
@ -54,17 +53,17 @@ module Api
|
||||||
@claims ||= {
|
@claims ||= {
|
||||||
iss: AppConfig.environment.url,
|
iss: AppConfig.environment.url,
|
||||||
sub: sub,
|
sub: sub,
|
||||||
aud: authorization.o_auth_application.client_id,
|
aud: @authorization.o_auth_application.client_id,
|
||||||
exp: expires_at.to_i,
|
exp: @expires_at.to_i,
|
||||||
iat: created_at.to_i,
|
iat: @created_at.to_i,
|
||||||
auth_time: authorization.user.current_sign_in_at.to_i,
|
auth_time: @authorization.user.current_sign_in_at.to_i,
|
||||||
nonce: nonce,
|
nonce: @nonce,
|
||||||
acr: 0
|
acr: 0
|
||||||
}
|
}
|
||||||
end
|
end
|
||||||
|
|
||||||
def build_sub
|
def build_sub
|
||||||
Api::OpenidConnect::SubjectIdentifierCreator.create(authorization)
|
Api::OpenidConnect::SubjectIdentifierCreator.create(@authorization)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||