[API] don't store ID tokens in DB

fix #6857
2016-08-13 01:25:32 +03:00 · 2016-08-13 01:25:32 +03:00 · 9546fddb9e
commit 9546fddb9e
parent 3942dca08f
5 changed files with 23 additions and 30 deletions
--- a/app/controllers/api/openid_connect/authorizations_controller.rb
+++ b/app/controllers/api/openid_connect/authorizations_controller.rb
@ -53,7 +53,6 @@ module Api
      def reset_auth(auth)
        return unless auth
        auth.o_auth_access_tokens.destroy_all
-        auth.id_tokens.destroy_all
        auth.code_used = false
        auth.save
      end
--- a/app/models/api/openid_connect/authorization.rb
+++ b/app/models/api/openid_connect/authorization.rb
@ -12,7 +12,6 @@ module Api
      serialize :scopes, JSON

      has_many :o_auth_access_tokens, dependent: :destroy
-      has_many :id_tokens, dependent: :destroy

      before_validation :setup, on: :create

@ -50,7 +49,7 @@ module Api
      end

      def create_id_token
-        id_tokens.create!(nonce: nonce)
+        IdToken.new(self, nonce)
      end

      def self.find_by_client_id_user_and_scopes(client_id, user, scopes)
--- a/db/migrate/20160813115514_remove_id_tokens.rb
+++ b/db/migrate/20160813115514_remove_id_tokens.rb
@ -0,0 +1,7 @@
+require_relative "20150714055110_create_id_tokens"
+
+class RemoveIdTokens < ActiveRecord::Migration
+  def change
+    revert CreateIdTokens
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.

-ActiveRecord::Schema.define(version: 20160810230114) do
+ActiveRecord::Schema.define(version: 20160813115514) do

  create_table "account_deletions", force: :cascade do |t|
    t.string   "diaspora_handle", limit: 255
@ -160,16 +160,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
  add_index "conversations", ["author_id"], name: "conversations_author_id_fk", using: :btree
  add_index "conversations", ["guid"], name: "index_conversations_on_guid", unique: true, length: {"guid"=>191}, using: :btree

-  create_table "id_tokens", force: :cascade do |t|
-    t.integer  "authorization_id", limit: 4
-    t.datetime "expires_at"
-    t.string   "nonce",            limit: 255
-    t.datetime "created_at",                   null: false
-    t.datetime "updated_at",                   null: false
-  end
-
-  add_index "id_tokens", ["authorization_id"], name: "index_id_tokens_on_authorization_id", using: :btree
-
  create_table "invitation_codes", force: :cascade do |t|
    t.string   "token",      limit: 255
    t.integer  "user_id",    limit: 4
@ -661,7 +651,6 @@ ActiveRecord::Schema.define(version: 20160810230114) do
  add_foreign_key "conversation_visibilities", "conversations", name: "conversation_visibilities_conversation_id_fk", on_delete: :cascade
  add_foreign_key "conversation_visibilities", "people", name: "conversation_visibilities_person_id_fk", on_delete: :cascade
  add_foreign_key "conversations", "people", column: "author_id", name: "conversations_author_id_fk", on_delete: :cascade
-  add_foreign_key "id_tokens", "authorizations"
  add_foreign_key "like_signatures", "likes", name: "like_signatures_like_id_fk", on_delete: :cascade
  add_foreign_key "like_signatures", "signature_orders", name: "like_signatures_signature_orders_id_fk"
  add_foreign_key "likes", "people", column: "author_id", name: "likes_author_id_fk", on_delete: :cascade
--- a/app/models/api/openid_connect/id_token.rb
+++ b/app/models/api/openid_connect/id_token.rb
@ -25,15 +25,12 @@ require "uri"

 module Api
  module OpenidConnect
-    class IdToken < ActiveRecord::Base
-      belongs_to :authorization
-
-      before_validation :setup, on: :create
-
-      default_scope { where("expires_at >= ?", Time.zone.now.utc) }
-
-      def setup
-        self.expires_at = 30.minutes.from_now
+    class IdToken
+      def initialize(authorization, nonce)
+        @authorization = authorization
+        @nonce = nonce
+        @created_at = Time.current
+        @expires_at = 30.minutes.from_now
      end

      def to_jwt(options={})
@ -42,6 +39,8 @@ module Api
        end
      end

+      private
+
      def to_response_object(options={})
        OpenIDConnect::ResponseObject::IdToken.new(claims).tap do |id_token|
          id_token.code = options[:code] if options[:code]
@ -54,17 +53,17 @@ module Api
        @claims ||= {
          iss:       AppConfig.environment.url,
          sub:       sub,
-          aud:       authorization.o_auth_application.client_id,
-          exp:       expires_at.to_i,
-          iat:       created_at.to_i,
-          auth_time: authorization.user.current_sign_in_at.to_i,
-          nonce:     nonce,
+          aud:       @authorization.o_auth_application.client_id,
+          exp:       @expires_at.to_i,
+          iat:       @created_at.to_i,
+          auth_time: @authorization.user.current_sign_in_at.to_i,
+          nonce:     @nonce,
          acr:       0
        }
      end

      def build_sub
-        Api::OpenidConnect::SubjectIdentifierCreator.create(authorization)
+        Api::OpenidConnect::SubjectIdentifierCreator.create(@authorization)
      end
    end
  end